[apex] Add SObjectType and SObjectField to list of injectable SOQL variable types #4649


rcorfieldffdc
Contributor

@rcorfieldffdc rcorfieldffdc commented Aug 17, 2023

…types

Describe the PR

Recognise variables declared as SObjectField and SObjectType as safe for insertion into SOQL statements. These are Table and Field tokens and resolve to the safe name for their respective artefacts when inserted into a string.

Related issues

Ready?

  • Added unit tests for fixed bug/feature
  • Passing all unit tests
  • Complete build ./mvnw clean verify passes (checked automatically by github actions)
  • Added (in-code) documentation (if needed)
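
Added example, not part of the pull request or of PMD's own code: a sketch of the pattern the description above refers to, with a String-based query shown for contrast. The class, method and parameter names are hypothetical.

```apex
// Added illustration; TokenQueryExample and its methods are hypothetical names.
public with sharing class TokenQueryExample {

    // Table and field arrive as schema tokens. Their string form can only be
    // the API name of an object or field that exists in the org's schema, so
    // a caller cannot smuggle arbitrary SOQL text through these parameters.
    public static List<SObject> selectField(Schema.SObjectType table,
                                            Schema.SObjectField field) {
        String soql = 'SELECT ' + field + ' FROM ' + table + ' LIMIT 10';
        return Database.query(soql);
    }

    // Contrast: a String can hold any text, so concatenating it into the
    // query is the pattern a SOQL injection check exists to catch.
    public static List<SObject> selectByNameUnsafe(String name) {
        return Database.query(
            'SELECT Id FROM Account WHERE Name = \'' + name + '\'');
    }

    // The same lookup with a bind variable: the value is passed as data and
    // never becomes part of the query text.
    public static List<Account> selectByName(String name) {
        return [SELECT Id FROM Account WHERE Name = :name];
    }

    // Callers pass compile-time tokens rather than strings.
    public static List<SObject> demo() {
        return selectField(Account.SObjectType, Account.Name);
    }
}
```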

@rcorfieldffdc rcorfieldffdc marked this pull request as draft August 17, 2023 09:12
Two of these tests are failing. It doesn't recognise constants.
I guess that it never has recognised constants, and this is another
problem in the code. I don't know whether to try to fix this or consider
it a different problem so I can make smaller pull requests.
@rcorfieldffdc
Contributor Author

rcorfieldffdc commented Aug 18, 2023

This is heading into a rabbit hole trying to chase the problem with class constants. I have created a new issue and a new branch, which I'll push later. That code is a much bigger change.

To make this mergeable I need to back out the last commit which provides utilities. They are harmless left in but not used in this change. Care is needed that such a revert does not cause merge issues with the downstream branch because it will supersede their creation. The failing unit tests must also be removed.

The follow-on issue is #4650

@rcorfieldffdc rcorfieldffdc force-pushed the defect/4646-apex-soql-injection-sobjecttype-token-variables branch from 2c10515 to bcbaffc Compare August 18, 2023 16:22
@rcorfieldffdc
Contributor Author

rcorfieldffdc commented Aug 18, 2023

I've used git reset --hard to remove a commit on this branch which is best considered new work. That exists on my other branch for #4650. Using reset instead of revert means that these changes are safe on the other branch and will not merge conflict. (Otherwise I'd need to revert the revert on that branch which would be messy)

@rcorfieldffdc rcorfieldffdc marked this pull request as ready for review August 18, 2023 16:54
@rcorfieldffdc
Contributor Author

This pull request is now ready.

I will be out of the office for a short while and can respond to comments when I return.

@rcorfieldffdc
Contributor Author

I'm back.

@adangel adangel changed the title Add SObjectType and SObjectField to list of injectable SOQL variable … [apex] Add SObjectType and SObjectField to list of injectable SOQL variable types Sep 9, 2023
@pmd-test

pmd-test commented Sep 9, 2023

1 Message
📖 Compared to master:
This changeset changes 0 violations,
introduces 0 new violations, 0 new errors and 0 new configuration errors,
removes 0 violations, 0 errors and 0 configuration errors.
Download full report as build artifact

Generated by 🚫 Danger

Member

@adangel adangel left a comment


Thanks!

@adangel adangel added this to the 7.0.0 milestone Sep 9, 2023
adangel added a commit that referenced this pull request Sep 9, 2023
@adangel adangel merged commit 4151ca1 into pmd:master Sep 9, 2023
3 checks passed
adangel added a commit that referenced this pull request Sep 9, 2023
…ection-sobjecttype-token-variables

[apex] Add SObjectType and SObjectField to list of injectable SOQL variable types #4649
@rcorfieldffdc
Copy link
Contributor Author

Thanks for merging

@rcorfieldffdc rcorfieldffdc deleted the defect/4646-apex-soql-injection-sobjecttype-token-variables branch September 9, 2023 19:16
Development

Successfully merging this pull request may close these issues.

[apex] ApexSOQLInjection does not recognise SObjectType or SObjectField as safe variable types
3 participants