LinkedIn

SOQL Injection - Demo and Approaches to Prevent it

-

 In this post let us see a sample use case of SOQL Injection and the different methods to get rid of SOQL injection.



1. What is SOQL Injection?

This will happen when we try to execute Dynamic Query in Apex, accepting input from the User. And the user can modify input value based on his need, thus resulting in unintended query results.

2. Sample Use Case

We have got an LWC Component to Search for Accounts, accepting Account Name as the input parameter.

On successful search, the component will display resulting accounts matching search criteria.

Code Details below:

accountNameSearch.html

<template>
<h1>Search Account</h1>

<lightning-card title="Search Account Using Name">
<lightning-input label="Enter Account Name" onchange={handleFilter}
class="slds-size--2-of-8"></lightning-input>
<br/>

<lightning-button label="SEARCH" onclick={handleSearch}></lightning-button>
</lightning-card>
<template if:true={isAccountavailable}>
<h1>Search Results</h1>
</template>

<lightning-datatable if:true={isAccountavailable}
key-field="Id"
data={acclist}
columns={columns}
hide-checkbox-column="true"
>
</lightning-datatable>

</template>

accountNameSearch.js

import { LightningElement } from 'lwc';
import NAME_FIELD from '@salesforce/schema/Account.Name';
import TYPE_FIELD from '@salesforce/schema/Account.Type';
import RATING_FIELD from '@salesforce/schema/Account.Rating';
import ACTIVE_FIELD from '@salesforce/schema/Account.Active__c';
import myfilteredaccounts from '@salesforce/apex/AccountList.getAccountListByName';
const COLUMNS = [
{ label: 'Account Name', fieldName: NAME_FIELD.fieldApiName, type: 'text' },
{ label: 'Account Type', fieldName: TYPE_FIELD.fieldApiName, type: 'text' },
{ label: 'Rating', fieldName: RATING_FIELD.fieldApiName, type: 'text' },
{ label: 'Active', fieldName: ACTIVE_FIELD.fieldApiName, type: 'text' }
];
export default class AccountNameSearch extends LightningElement {
columns = COLUMNS;
accSearchName;
acclist;
isAccountavailable=false;
handleFilter(event){
this.accSearchName = event.target.value;
}

handleSearch()
{
//display account
this.isAccountavailable = false;
myfilteredaccounts({Name:this.accSearchName})
.then(result=>{
this.acclist=result;
this.error=null;
if(this.acclist.length>0){
this.isAccountavailable = true;
}
})
.catch(error=>{
this.error=error;
this.acclist=null;
});
}
}

accountNameSearch.js-meta.xml

<?xml version="1.0" encoding="UTF-8"?>
<LightningComponentBundle xmlns="http://soap.sforce.com/2006/04/metadata">
<apiVersion>52.0</apiVersion>
<isExposed>true</isExposed>
<targets>
<target>lightning__AppPage</target>
<target>lightning__Tab</target>
</targets>
</LightningComponentBundle>


AccountList.cls


public class AccountList {
@AuraEnabled(cacheable=true)
public static List<Account> getAccountList() {
return [SELECT Id, Name,Type,Rating,Phone FROM Account];
}
@AuraEnabled(cacheable=true)
public static List<Account> getAccountListByName(String Name) {
//Query
String query = 'SELECT Id, Name,Type,Rating,Phone FROM Account where Name Like \'%'+Name+'%\' ';
List<Account> res = Database.query(query);
return res;
}
}

3. Test Scenarios

I created a LWC Tab to perform the search and let us see the search results now based on the different input parameters.

Scenario 1 

Search String - 'Oil'

The search is successful and you can see the results on screen as shown in below screenshot:


Scenario 2

Search String - Oil%' or Active__c='No' or name like '%Gen

The search is a success and the user gets results.


The above scenario is called SOQL Injection, where the user modified the input string to get additional information like all inactive Accounts in an org.

Similarly, suppose a user wants to retrieve the information of all partner Accounts present in an org. He can easily modify the input and get the required output.

Scenario 3

Search String - Oil%' or Active__c='No' or isPartner=true or name like '%Gen


Let us see how currently the dynamic query is getting executed:

String query = 'SELECT Id, Name,Type,Rating,Phone,Active__c FROM Account where Name Like \'%'+Name+'%\' ';
List<Account> res = Database.query(query);

Problem with this approach:

User can modify the input String based on their wish and apply filters based on their need and get access to unintended data especially when the current user's sharing access is bypassed.

4. How to avoid SOQL Injection

1. Use Bind variable instead of dynamic query and use static query

String searchText = '%'+Name+'%';
return [SELECT Id, Name,Type,Rating,Phone,Active__c FROM Account where Name Like :searchText];

Let us execute the same query again and see what happens:


2. Use escapeSingleQuotes method to sanitize user-supplied input

This method adds the escape character (\) to all single quotation marks in a string that is passed in from a user. The method ensures that all single quotation marks are treated as enclosing strings, instead of database commands.

Updated code:

String query = 'SELECT Id, Name,Type,Rating,Phone,Active__c FROM Account where Name Like
                \'%'+String.escapeSingleQuotes(Name)+'%\' ';
List<Account> res = Database.query(query);
return res;

The user won't be getting any results now.                           


But the normal search will continue to work as shown below:


3. WITH SECURITY ENFORCED

Also to make sure that the user is not getting access to unintended data add WITH SECURITY ENFORCED keyword

String searchText = '%'+Name+'%';
return [SELECT Id, Name,Type,Rating,Phone,Active__c FROM Account where Name Like :searchText
WITH SECURITY_ENFORCED];

References:

https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/pages_security_tips_soql_injection.htm

Comments

  1. Sinan5 November 2021 at 18:32

    thank you Meera, that was a good, short and to the point read. Keep your posts coming.

    ReplyDelete
    Replies
    1. Meera R Nair6 November 2021 at 07:18

      Thank you so much Sinan for the encouraging words!

      Delete
  2. Unknown13 November 2021 at 07:42

    Thank you Meera for explaining concisely what SOQL injection is and steps to prevent.

    ReplyDelete
  3. rithi17 December 2021 at 01:57

    This post is so helpfull and informative.keep updating with more information...
    Most Useful Languages For Business
    Learn To Speak German

    ReplyDelete

Post a Comment

Popular posts from this blog

Subscribing to Salesforce Platform Events using External Java Client - CometD

-
Image
Platform Events follow event based Architecture, where multiple subscribers can subscribe to a published event in real time manner.  Below diagram shows the basic Architecture of the event-based communication Model: Event - This is a change in state for a business process Event Message - Data about the event Producer - Publisher of the event Event Bus - A communication and storage service for published events Event Consumer - A subscriber to the channel Platform events can be subscribed internally and also externally Platfrom events  - Internal Subscription Below are some scenarios in which you can consume platform events internally: 1. When we need to execute functionalities asynchronously to save govornor limits 2. To build a proper exception logging framework - You can find more details here  How to subscribe Internally? we can see more details about this in a different blogpost. Platfrom events  - External Consumption Many Organizations are moving to event-based integration appr
Read more

Salesforce Security - Restriction Rules and Scoping Rules

-
Image
1. Overview Salesforce provides a very effective security model where we always start with the most restrictive access and then open up access using additional mechanisms like sharing rules, and manual sharing based on the requirements.   But there might be scenarios where we need to restrict access based on specific criteria. Salesforce recently introduced 2 approaches to support this requirement. Those are restriction rules and scoping rules. Let us see this in detail. 2. Restriction Rules - Overview Using restriction rules we can apply an additional level of filter on top of records to which a specific user is having access. 3. Scoping Rules - Overview Scoping rules help to filter the default records visible for a user based on specific criteria. But it is not preventing access to other records. 4. Compare Restriction Rules and Scoping Rules 5. Restriction Rule - Example Company ABC is having Job Applications getting created through their company portal and synched to Salesforce. T
Read more

How to develop reusable Invocable Apex methods for Flows

-
Image
 Salesforce is adding many new features and capabilities to Flows. But there are still some scenarios where you need to call apex methods from Flows to execute complex operations - when Flow is not capable of doing that or the performance will be low when you implement that using flows. Let us see how we can build reusable apex methods for Flows. For this let us consider 2 sample scenarios: Scenario 1 - Quick Create Account/Contact I want to build a screen, where the user can select the object needs to be created, and then create a record of that object by entering the required details. Also if the record creation is getting failed, I want to create an exception record with details. Solution Let us see how we can utilize Apex action for this. For this first let us create an Apex Invocable method, which can accept a list of wrapper class as shown below: You can see, this invocable method is accepting a List of wrapper class variables and also returning a list of wrapper class variables.
Read more