[apex] ApexSOQLInjection does not recognise SObjectType or SObjectField as safe variable types

[m0rjc]

Rule: ApexSOQLInjection

Could this also add SObjectType and SObjectField as safe types?

pmd/pmd-apex/src/main/java/net/sourceforge/pmd/lang/apex/rule/security/ApexSOQLInjectionRule.java

Line 163 in 8681e8d

case INTEGER:

This contrived code example demonstrates the issue.

    public static Set<String> getDistinctValues(SObjectType type, SObjectField field, Set<Id> ids) {
        List<SObject> records = Database.query('SELECT ' + field + ' FROM ' + type + ' WHERE Id In :ids');
        Set<String> values = new Set<String>();
        for(SObject record : records) {
            values.add((String) record.get(field));
        }
        return values;
    }

[m0rjc]

If this is a quick fix I'll have a go, though I've not tried locally building and running PMD. I'll clone the repository and have a look.

[m0rjc]

@all-contributors please add @rcorfieldffdc for code
@all-contributors please add @m0rjc for code,bug

I'm struggling to get the merge in a mergeable state. I think my local build environment is upset, as it's started failing on files I've not touched and can't (should not!!) depend on the one file I have touched. I have a branch in a local fork. It looks like I can create a work in progress pull request so it is attached.

[m0rjc]

https://github.com/all-contributors please add @m0rjc for code,bug

Looks like I can only have one command in a comment, sorry.

[m0rjc]

@all-contributors please add @m0rjc for code

[allcontributors]

@m0rjc

@m0rjc already contributed before to code

[allcontributors]

@m0rjc

I've put up a pull request to add @rcorfieldffdc! 🎉

I've put up a pull request to add @m0rjc! 🎉