Chunqi Hu

Security scanner: enforcing CRUD. Auto scanner reported issue.

Hi SF specialists, I have a question here regarding the security scan: enforcing CRUD. The example case is deletion, but we also have problems with update and creation.
 
Before I delete a record, I apply a deletable check for the custom object, like:
    Schema.sObjectType.customObject.isDeletable();
which works fine for a single record.
 
But if I use something like the following and delete a list in one action, the automatic security scanner reports an issue: CRUD Delete - Apex Serious Security Risk.
    if(Schema.sObjectType.customObject.isDeletable()){
        List<Database.Deleteresult> deleteResults = Database.delete(customObjectList);
        System.Debug('Delete Result'+deleteResults);
    }
customObjectList is set correctly and the code executes WITHOUT any problem. Just the security scanner doesn't recognize the deletable check and reports an issue. Same for create and update.
The reported issue looks like the following:
    Object: customObjectList in file: /classes/DummySearch.cls
        L 54: List<Database.Deleteresult> deleteResults = Database.delete(customObjectList);
Any advice or workaround so I can fix this problem and pass the security scan?
Thank you very much in advance.
 
Scanner Link: http://security.force.com/sourcescanner
Prateek Singh Sengar
Hi,
You can try converting your logic to exit the code if you don't have the required permission:

    if (!CUSTOMOBJECT.sObjectType.getDescribe().isDeletable())
    {
        return null;
    }
    else
    {
        //DO YOUR THING
    }

 
Chunqi Hu
Thanks for your advice.
I did it this way for creation but got the same issue reported from the scanner.
Code sample:
    List<customObject> assetsToCreate = new List<customObject>();

    if(!(Schema.sObjectType.customObject.fields.Name.isCreateable() &&
         Schema.sObjectType.customObject.fields.Link__c.isCreateable() &&
         ...
         // Check fields are createable...
         )){
        ApexPages.Message myMsg = new ApexPages.Message(ApexPages.Severity.FATAL, 'No access');
        ApexPages.addMessage(myMsg);
        return false;
    }

    // Init a list to create.
    for(SourceObject src : srcList) {
        // Dummy filling.
        customObject asset = new customObject();
        asset.Name = src.Name;
        asset.Link__c = src.download_url;
        ...
        // Fill other fields...

        assetsToCreate.add(asset);
    }
    ...

    // Call out to a method to insert data to DB.
    StorageClass.insertAsset(assetsToCreate);


    // Method 'insertAsset' does this.
    List<Database.Saveresult> saveResults = Database.insert( assetsToCreate );
Such an issue is only reported with a bulk action on a list, whether within one method/class or through multiple methods/classes.
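An added example, not code posted in this thread, of the pattern the replies point at: keep the object-level and field-level create checks in the same method as the Database.insert they guard instead of splitting check and DML across classes, so a static scanner can see the guard on the path to the DML. The object names Asset__c and Source__c, the field Download_Url__c, and the assumption that the scanner recognises this shape (including the Security.stripInaccessible call, available in newer API versions) are all assumptions.

```apex
// Added example: CRUD/FLS check and DML in one method. Asset__c, Source__c and
// Download_Url__c are placeholder names, not objects from the thread.
public with sharing class AssetImporter {

    public class AccessException extends Exception {}

    // Every field this class writes; the check below covers exactly this list,
    // so adding a field to the loop means adding it here too.
    private static final List<Schema.SObjectField> WRITTEN_FIELDS =
        new List<Schema.SObjectField>{ Asset__c.Name, Asset__c.Link__c };

    // True only when the running user may create the object AND every written field.
    public static Boolean canCreateAssets() {
        if (!Asset__c.sObjectType.getDescribe().isCreateable()) {
            return false;
        }
        for (Schema.SObjectField f : WRITTEN_FIELDS) {
            if (!f.getDescribe().isCreateable()) {
                return false;
            }
        }
        return true;
    }

    // Builds the records and inserts them. The access check sits directly before
    // the DML in the same method; on failure the method aborts instead of inserting.
    public static List<Database.SaveResult> createAssets(List<Source__c> srcList) {
        if (!canCreateAssets()) {
            throw new AccessException('Insufficient access to create Asset__c records');
        }
        List<Asset__c> assetsToCreate = new List<Asset__c>();
        for (Source__c src : srcList) {
            assetsToCreate.add(new Asset__c(Name = src.Name, Link__c = src.Download_Url__c));
        }
        // Second layer: drop any field the user may not create before the DML
        // (Security.stripInaccessible). With the check above this is a no-op.
        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.CREATABLE, assetsToCreate);
        return Database.insert(decision.getRecords(), false);
    }
}
```

The same structure applies to update and delete: swap isCreateable() for isUpdateable() or isDeletable() and AccessType.CREATABLE for AccessType.UPDATABLE, keeping the check next to the DML.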
 
Jakub Mužík
Hello, did you resolve this issue? I am having the same issue right now.