pmd.github.io Open in urlscan Pro
2606:50c0:8000::153  Public Scan

Form analysis
0 forms found in the DOM

Text Content

Toggle navigation   PMD Source Code Analyzer Project
   
 * Nav
   
 * Download
 * Fork us on github
   
   
   
 * 

 
 * PMD 6.38.0
 * About
   * Home
   * Release notes
   * PMD 7.0.0 development
   * Getting help
 * User Documentation
   * Installation and basic CLI usage
   * Making rulesets
   * Configuring rules
   * Best practices
   * Suppressing warnings
   * Incremental analysis
   * PMD CLI reference
   * PMD Report formats
   * CPD reference
     * Copy-paste detection
     * CPD Report formats
   * Extending PMD
     * Introduction to writing rules
     * Your first rule
     * XPath rules
     * Java rules
     * Rule designer reference
     * Defining rule properties
     * Using and defining code metrics
     * Rule guidelines
     * Testing your rules
   * Tools / Integrations
     * Maven PMD Plugin
     * Gradle
     * Ant
     * PMD Java API
     * CI integrations
     * Other Tools / Integrations
 * Rule Reference
   * Apex Rules
     * Index
     * Best Practices
     * Code Style
     * Design
     * Documentation
     * Error Prone
     * Performance
     * Security
   * Ecmascript Rules
     * Index
     * Best Practices
     * Code Style
     * Error Prone
   * Java Rules
     * Index
     * Best Practices
     * Code Style
     * Design
     * Documentation
     * Error Prone
     * Multithreading
     * Performance
     * Security
   * Java Server Pages Rules
     * Index
     * Best Practices
     * Code Style
     * Design
     * Error Prone
     * Security
   * Maven POM Rules
     * Index
     * Error Prone
   * Modelica Rules
     * Index
     * Best Practices
   * PLSQL Rules
     * Index
     * Best Practices
     * Code Style
     * Design
     * Error Prone
   * Salesforce VisualForce Rules
     * Index
     * Security
   * VM Rules
     * Index
     * Best Practices
     * Design
     * Error Prone
   * XML Rules
     * Index
     * Error Prone
   * XSL Rules
     * Index
     * Code Style
     * Performance
 * Language Specific Documentation
   * JSP Support
   * Java code metrics
   * Apex code metrics
   * PLSQL
 * Developer Documentation
   * Developer resources
   * Building PMD from source
   * Contributing
   * Writing documentation
   * Roadmap
   * How PMD works
   * Pmdtester
   * Rule Deprecation Policy
   * Major contributions
     * Rule Guidelines
     * Adding a new language
     * Adding a new CPD language
     * Adding metrics support to a language
   * Experimental features
     * Creating (XML) dump of the AST
 * Project documentation
   * Trivia about PMD
     * PMD in the press
     * Products & books related to PMD
     * Similar projects
     * What does 'PMD' mean?
   * FAQ
   * License
   * Credits
   * Old release notes
   * Project management
     * Infrastructure
     * Release process
     * Merging pull requests
     * Main Landing page
   


SECURITY

Rules that flag potential security flaws.
 * ApexBadCrypto
 * ApexCRUDViolation
 * ApexCSRF
 * ApexDangerousMethods
 * ApexInsecureEndpoint
 * ApexOpenRedirect
 * ApexSharingViolations
 * ApexSOQLInjection
 * ApexSuggestUsingNamedCred
 * ApexXSSFromEscapeFalse
 * ApexXSSFromURLParam

Edit me


APEXBADCRYPTO

Since: PMD 5.5.3

Priority: Medium (3)

The rule makes sure you are using randomly generated IVs and keys for Crypto
calls. Hard-wiring these values greatly compromises the security of encrypted
data.

This rule is defined by the following Java class:
net.sourceforge.pmd.lang.apex.rule.security.ApexBadCryptoRule

Example(s):

public without sharing class Foo {
    Blob hardCodedIV = Blob.valueOf('Hardcoded IV 123');
    Blob hardCodedKey = Blob.valueOf('0000000000000000');
    Blob data = Blob.valueOf('Data to be encrypted');
    Blob encrypted = Crypto.encrypt('AES128', hardCodedKey, hardCodedIV, data);
}


This rule has the following properties:

Name Default Value Description Multivalued cc_categories Security Deprecated
Code Climate Categories yes. Delimiter is ‘|’. cc_remediation_points_multiplier
100 Deprecated Code Climate Remediation Points multiplier no
cc_block_highlighting false Deprecated Code Climate Block Highlighting no

Use this rule with the default properties by just referencing it:

<rule ref="category/apex/security.xml/ApexBadCrypto" />



APEXCRUDVIOLATION

Since: PMD 5.5.3

Priority: Medium (3)

The rule validates you are checking for access permissions before a
SOQL/SOSL/DML operation. Since Apex runs in system mode not having proper
permissions checks results in escalation of privilege and may produce runtime
errors. This check forces you to handle such scenarios.

Note: This rule will produce false positives for VF getter methods. In VF
getters the access permission check happens automatically and is not needed
explicitly. However, the rule can’t reliably determine whether a getter is a VF
getter or not and reports a violation in any case. In such cases, the violation
should be suppressed.

This rule is defined by the following Java class:
net.sourceforge.pmd.lang.apex.rule.security.ApexCRUDViolationRule

Example(s):

public class Foo {
    public Contact foo(String status, String ID) {

        // validate you can actually query what you intend to retrieve
        Contact c = [SELECT Status__c FROM Contact WHERE Id=:ID WITH SECURITY_ENFORCED];

        // Make sure we can update the database before even trying
        if (!Schema.sObjectType.Contact.fields.Status__c.isUpdateable()) {
            return null;
        }

        c.Status__c = status;
        update c;
        return c;
    }
}


This rule has the following properties:

Name Default Value Description Multivalued cc_categories Security Deprecated
Code Climate Categories yes. Delimiter is ‘|’. cc_remediation_points_multiplier
100 Deprecated Code Climate Remediation Points multiplier no
cc_block_highlighting false Deprecated Code Climate Block Highlighting no

Use this rule with the default properties by just referencing it:

<rule ref="category/apex/security.xml/ApexCRUDViolation" />



APEXCSRF

Deprecated

The rule has been moved to another ruleset. Use instead: ApexCSRF

Deprecated

Since: PMD 5.5.3

Priority: Medium (3)

Having DML operations in Apex class constructor or initializers can have
unexpected side effects: By just accessing a page, the DML statements would be
executed and the database would be modified. Just querying the database is
permitted.

In addition to constructors and initializers, any method called init is checked
as well.

Salesforce Apex already protects against this scenario and raises a runtime
exception.

Note: This rule has been moved from category "Security" to "Error Prone" with
PMD 6.21.0, since using DML in constructors is not a security problem, but
crashes the application.

This rule is defined by the following Java class:
net.sourceforge.pmd.lang.apex.rule.errorprone.ApexCSRFRule

Example(s):

public class Foo {
    // initializer
    {
        insert data;
    }

    // static initializer
    static {
        insert data;
    }

    // constructor
    public Foo() {
        insert data;
    }
}


This rule has the following properties:

Name Default Value Description Multivalued cc_categories Security Deprecated
Code Climate Categories yes. Delimiter is ‘|’. cc_remediation_points_multiplier
100 Deprecated Code Climate Remediation Points multiplier no
cc_block_highlighting false Deprecated Code Climate Block Highlighting no

Use this rule with the default properties by just referencing it:

<rule ref="category/apex/security.xml/ApexCSRF" />



APEXDANGEROUSMETHODS

Since: PMD 5.5.3

Priority: Medium (3)

Checks against calling dangerous methods.

For the time being, it reports:

 * Against FinancialForce’s Configuration.disableTriggerCRUDSecurity().
   Disabling CRUD security opens the door to several attacks and requires manual
   validation, which is unreliable.
 * Calling System.debug passing sensitive data as parameter, which could lead to
   exposure of private data.

This rule is defined by the following Java class:
net.sourceforge.pmd.lang.apex.rule.security.ApexDangerousMethodsRule

Example(s):

public class Foo {
    public Foo() {
        Configuration.disableTriggerCRUDSecurity();
    }
}


This rule has the following properties:

Name Default Value Description Multivalued cc_categories Security Deprecated
Code Climate Categories yes. Delimiter is ‘|’. cc_remediation_points_multiplier
100 Deprecated Code Climate Remediation Points multiplier no
cc_block_highlighting false Deprecated Code Climate Block Highlighting no

Use this rule with the default properties by just referencing it:

<rule ref="category/apex/security.xml/ApexDangerousMethods" />



APEXINSECUREENDPOINT

Since: PMD 5.5.3

Priority: Medium (3)

Checks against accessing endpoints under plain http. You should always use https
for security.

This rule is defined by the following Java class:
net.sourceforge.pmd.lang.apex.rule.security.ApexInsecureEndpointRule

Example(s):

public without sharing class Foo {
    void foo() {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('http://localhost:com');
    }
}


This rule has the following properties:

Name Default Value Description Multivalued cc_categories Security Deprecated
Code Climate Categories yes. Delimiter is ‘|’. cc_remediation_points_multiplier
100 Deprecated Code Climate Remediation Points multiplier no
cc_block_highlighting false Deprecated Code Climate Block Highlighting no

Use this rule with the default properties by just referencing it:

<rule ref="category/apex/security.xml/ApexInsecureEndpoint" />



APEXOPENREDIRECT

Since: PMD 5.5.3

Priority: Medium (3)

Checks against redirects to user-controlled locations. This prevents attackers
from redirecting users to phishing sites.

This rule is defined by the following Java class:
net.sourceforge.pmd.lang.apex.rule.security.ApexOpenRedirectRule

Example(s):

public without sharing class Foo {
    String unsafeLocation = ApexPage.getCurrentPage().getParameters.get('url_param');
    PageReference page() {
       return new PageReference(unsafeLocation);
    }
}


This rule has the following properties:

Name Default Value Description Multivalued cc_categories Security Deprecated
Code Climate Categories yes. Delimiter is ‘|’. cc_remediation_points_multiplier
100 Deprecated Code Climate Remediation Points multiplier no
cc_block_highlighting false Deprecated Code Climate Block Highlighting no

Use this rule with the default properties by just referencing it:

<rule ref="category/apex/security.xml/ApexOpenRedirect" />



APEXSHARINGVIOLATIONS

Since: PMD 5.5.3

Priority: Medium (3)

Detect classes declared without explicit sharing mode if DML methods are used.
This forces the developer to take access restrictions into account before
modifying objects.

This rule is defined by the following Java class:
net.sourceforge.pmd.lang.apex.rule.security.ApexSharingViolationsRule

Example(s):

public without sharing class Foo {
    // DML operation here
}


This rule has the following properties:

Name Default Value Description Multivalued cc_categories Security Deprecated
Code Climate Categories yes. Delimiter is ‘|’. cc_remediation_points_multiplier
100 Deprecated Code Climate Remediation Points multiplier no
cc_block_highlighting false Deprecated Code Climate Block Highlighting no

Use this rule with the default properties by just referencing it:

<rule ref="category/apex/security.xml/ApexSharingViolations" />



APEXSOQLINJECTION

Since: PMD 5.5.3

Priority: Medium (3)

Detects the usage of untrusted / unescaped variables in DML queries.

This rule is defined by the following Java class:
net.sourceforge.pmd.lang.apex.rule.security.ApexSOQLInjectionRule

Example(s):

public class Foo {
    public void test1(String t1) {
        Database.query('SELECT Id FROM Account' + t1);
    }
}


This rule has the following properties:

Name Default Value Description Multivalued cc_categories Security Deprecated
Code Climate Categories yes. Delimiter is ‘|’. cc_remediation_points_multiplier
100 Deprecated Code Climate Remediation Points multiplier no
cc_block_highlighting false Deprecated Code Climate Block Highlighting no

Use this rule with the default properties by just referencing it:

<rule ref="category/apex/security.xml/ApexSOQLInjection" />



APEXSUGGESTUSINGNAMEDCRED

Since: PMD 5.5.3

Priority: Medium (3)

Detects hardcoded credentials used in requests to an endpoint.

You should refrain from hardcoding credentials:

 * They are hard to mantain by being mixed in application code
 * Particularly hard to update them when used from different classes
 * Granting a developer access to the codebase means granting knowledge of
   credentials, keeping a two-level access is not possible.
 * Using different credentials for different environments is troublesome and
   error-prone.

Instead, you should use Named Credentials and a callout endpoint.

For more information, you can check this

This rule is defined by the following Java class:
net.sourceforge.pmd.lang.apex.rule.security.ApexSuggestUsingNamedCredRule

Example(s):

public class Foo {
    public void foo(String username, String password) {
        Blob headerValue = Blob.valueOf(username + ':' + password);
        String authorizationHeader = 'BASIC ' + EncodingUtil.base64Encode(headerValue);
        req.setHeader('Authorization', authorizationHeader);
    }
}


This rule has the following properties:

Name Default Value Description Multivalued cc_categories Security Deprecated
Code Climate Categories yes. Delimiter is ‘|’. cc_remediation_points_multiplier
100 Deprecated Code Climate Remediation Points multiplier no
cc_block_highlighting false Deprecated Code Climate Block Highlighting no

Use this rule with the default properties by just referencing it:

<rule ref="category/apex/security.xml/ApexSuggestUsingNamedCred" />



APEXXSSFROMESCAPEFALSE

Since: PMD 5.5.3

Priority: Medium (3)

Reports on calls to addError with disabled escaping. The message passed to
addError will be displayed directly to the user in the UI, making it prime
ground for XSS attacks if unescaped.

This rule is defined by the following Java class:
net.sourceforge.pmd.lang.apex.rule.security.ApexXSSFromEscapeFalseRule

Example(s):

public without sharing class Foo {
    Trigger.new[0].addError(vulnerableHTMLGoesHere, false);
}


This rule has the following properties:

Name Default Value Description Multivalued cc_categories Security Deprecated
Code Climate Categories yes. Delimiter is ‘|’. cc_remediation_points_multiplier
100 Deprecated Code Climate Remediation Points multiplier no
cc_block_highlighting false Deprecated Code Climate Block Highlighting no

Use this rule with the default properties by just referencing it:

<rule ref="category/apex/security.xml/ApexXSSFromEscapeFalse" />



APEXXSSFROMURLPARAM

Since: PMD 5.5.3

Priority: Medium (3)

Makes sure that all values obtained from URL parameters are properly escaped /
sanitized to avoid XSS attacks.

This rule is defined by the following Java class:
net.sourceforge.pmd.lang.apex.rule.security.ApexXSSFromURLParamRule

Example(s):

public without sharing class Foo {
    String unescapedstring = ApexPage.getCurrentPage().getParameters.get('url_param');
    String usedLater = unescapedstring;
}


This rule has the following properties:

Name Default Value Description Multivalued cc_categories Security Deprecated
Code Climate Categories yes. Delimiter is ‘|’. cc_remediation_points_multiplier
50 Deprecated Code Climate Remediation Points multiplier no
cc_block_highlighting false Deprecated Code Climate Block Highlighting no

Use this rule with the default properties by just referencing it:

<rule ref="category/apex/security.xml/ApexXSSFromURLParam" />




--------------------------------------------------------------------------------

©2021 PMD Open Source Project. All rights reserved.
Site last generated: Aug 28, 2021