Apex Code Development You need to sign in to do that
Don't have an account?
Testing Org 20 Managed Package Without Sharing Coming As Vulnerability IN Checkmarx Code Review
Hi ,
I am trying to build a managed package and while running a check marx code scane I am coming across the security risk on sharing keyword. And on further drilling it is stating like "All entry points to an app (Global or Controller classes) must use the 'with sharing' keyword. Classes without this keyword run without sharing if they are entry points to your code, or with the sharing policy of the caller. Do not omit the sharing declaration as this hides critical security information in side-effects that can change when code is refactored. Only declare classes as 'without sharing' if they are not entry points to your app and if they only modify objects whose security is managed by your code (such as wizard state, or fields in a site). It is a common misconception to believe that batch apex or async apex must run with the global keyword. This is not true, the only classes that must be global are those that expose webservices or are intended to be used by extension packages. All async apex should run as public in order to avoid creating privileged entry points to your app." My controllers have without sharing mentioned and I want it to execute in System Mode only so please can you suggest how to overcome the security risk.
I am trying to build a managed package and while running a check marx code scane I am coming across the security risk on sharing keyword. And on further drilling it is stating like "All entry points to an app (Global or Controller classes) must use the 'with sharing' keyword. Classes without this keyword run without sharing if they are entry points to your code, or with the sharing policy of the caller. Do not omit the sharing declaration as this hides critical security information in side-effects that can change when code is refactored. Only declare classes as 'without sharing' if they are not entry points to your app and if they only modify objects whose security is managed by your code (such as wizard state, or fields in a site). It is a common misconception to believe that batch apex or async apex must run with the global keyword. This is not true, the only classes that must be global are those that expose webservices or are intended to be used by extension packages. All async apex should run as public in order to avoid creating privileged entry points to your app." My controllers have without sharing mentioned and I want it to execute in System Mode only so please can you suggest how to overcome the security risk.
I also had a similar kind of issue . Please let me know if you have got any solution.