FAQ-001604 - SQL Injection and Input Validation / False Positive Identification and Documentation


Current FAQ

Question
My dynamic SOQL query is being flagged, but I've implemented a blacklist to prevent access to sensitive objects. How should I document this?
Answer
The rule flags the query because user-controlled input reaches the query string, and a blacklist of sensitive objects does not change that. A blacklist only blocks the object names you anticipated, and it does nothing about field names, WHERE fragments or other pieces that are concatenated in, so on its own it is not a basis for marking the finding a false positive. To document the query as mitigated, show the following:

1. **Object and Field Whitelisting**: Replace the blacklist with an explicit allowlist and highlight that only approved objects and fields can ever appear in the query, so sensitive data is protected regardless of what the caller sends.
2. **Safe SOQL Construction**: Show that user-supplied values enter the query only as bind variables, and that users cannot supply object or field names without validation.
3. **Input Validation**: Explain how user input is validated against the allowlist of acceptable values, for example by resolving the name through `Schema.getGlobalDescribe()` and building the query from the API name in the describe result rather than from the raw input.
4. **CRUD/FLS Enforcement**: Confirm that user permissions for objects and fields are checked before query execution, using methods like `getDescribe().isAccessible()`.
5. **Sanitization**: Provide evidence that any user-supplied string that does end up inside a quoted literal is passed through `String.escapeSingleQuotes()`. Note that this protects quoted string literals only; it does nothing for object names, field names, ORDER BY or LIMIT fragments, which must be covered by the allowlist.
6. **Avoid System Mode Execution**: State that user-generated queries are not executed in Apex system mode, and that safer APIs are used if necessary.

Include code examples and references to Salesforce's Secure Coding Practices to support your documentation. This will help demonstrate that your implementation effectively mitigates the risk.

AI Recommended Enhancement

Related Security Rules
ApexSOQLInjection
Recommended Answer Update
The rule flags the query because user-controlled input reaches the query string, and a blacklist of sensitive objects does not change that. A blacklist only blocks the object names you anticipated, and it does nothing about field names, WHERE fragments or other pieces that are concatenated in, so on its own it is not a basis for marking the finding a false positive. To document the query as mitigated, show the following:

1. **Object and Field Whitelisting**: Replace the blacklist with an explicit allowlist and highlight that only approved objects and fields can ever appear in the query, so sensitive data is protected regardless of what the caller sends.
2. **Safe SOQL Construction**: Show that user-supplied values enter the query only as bind variables (for dynamic SOQL, `Database.queryWithBinds()` with a bind map), and that users cannot supply object or field names without validation.
3. **Input Validation**: Explain how user input is validated against the allowlist of acceptable values, for example by resolving the name through `Schema.getGlobalDescribe()` and building the query from the API name in the describe result rather than from the raw input.
4. **CRUD/FLS Enforcement**: Confirm that user permissions for objects and fields are checked before query execution. Lead with modern approaches like `WITH USER_MODE` for SOQL queries or `AccessLevel.USER_MODE` for Database methods, as these enforce object permissions, field-level security and sharing automatically and make the query fail rather than silently return data the user cannot see. Traditional methods like `getDescribe().isAccessible()` remain valid alternatives.
5. **Sanitization**: Provide evidence that any user-supplied string that does end up inside a quoted literal is passed through `String.escapeSingleQuotes()`. Note that this protects quoted string literals only; it does nothing for object names, field names, ORDER BY or LIMIT fragments, which must be covered by the allowlist.
6. **Avoid System Mode Execution**: State that user-generated queries are not executed in Apex system mode, and that safer APIs are used if necessary.

Include code examples and references to Salesforce's Secure Coding Practices to support your documentation. This will help demonstrate that your implementation effectively mitigates the risk.
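The Apex class below is an added example written for this FAQ; it is not code from the original page or from Salesforce. It places the blacklist-guarded dynamic query that the question describes (still flagged by ApexSOQLInjection, and still injectable) beside an allowlist-and-bind-variable rewrite that covers points 1 to 6 of both answers above. The class name, the allowlist contents, the parameter names and the custom exception are assumptions for illustration.

```apex
// Added example, not from the original FAQ. Class name, allow-list contents,
// parameter names and the custom exception are illustrative assumptions.
public with sharing class SafeDynamicQuery {

    public class QueryNotAllowedException extends Exception {}

    // BEFORE (the pattern in the question): a deny-list of object names.
    // Still flagged, and still injectable, because:
    //  - fieldName is concatenated unchecked, so a caller can name any field,
    //    and Database.query runs in system mode with no FLS check;
    //  - searchTerm is spliced into a quoted literal, so a value containing a
    //    single quote rewrites the WHERE clause;
    //  - any object not on the list is queryable, and the list goes stale.
    public static List<SObject> queryWithBlacklist(String objectName,
                                                   String fieldName,
                                                   String searchTerm) {
        Set<String> denied = new Set<String>{ 'user', 'permissionset', 'setupaudittrail' };
        if (denied.contains(objectName.toLowerCase())) {
            throw new QueryNotAllowedException('Access to ' + objectName + ' is not permitted');
        }
        String q = 'SELECT Id, ' + fieldName + ' FROM ' + objectName
                 + ' WHERE ' + fieldName + ' LIKE \'%' + searchTerm + '%\'';
        return Database.query(q);
    }

    // AFTER: allow-list (point 1), bind variables (point 2), describe-based
    // validation (point 3), CRUD/FLS check (point 4), user mode (points 4 and 6).
    // escapeSingleQuotes (point 5) is not needed here because no user string is
    // ever placed inside the query text. Keys are lower-case API names.
    private static final Map<String, Set<String>> ALLOWED = new Map<String, Set<String>>{
        'account' => new Set<String>{ 'name', 'industry' },
        'contact' => new Set<String>{ 'lastname', 'email' }
    };

    public static List<SObject> queryWithAllowlist(String objectName,
                                                   String fieldName,
                                                   String searchTerm) {
        String objKey = objectName == null ? '' : objectName.toLowerCase();
        String fldKey = fieldName == null ? '' : fieldName.toLowerCase();
        String term   = searchTerm == null ? '' : searchTerm;

        // 1/3. Identifiers must match the allow-list; anything else is rejected
        //      before it can influence the query text.
        if (!ALLOWED.containsKey(objKey) || !ALLOWED.get(objKey).contains(fldKey)) {
            throw new QueryNotAllowedException('Object or field not permitted');
        }

        // 3. Resolve through the schema and use the canonical API names from the
        //    describe results, so the query text never contains the caller's string.
        Schema.SObjectType sot = Schema.getGlobalDescribe().get(objKey);
        Schema.DescribeSObjectResult objDescribe = sot.getDescribe();
        Schema.DescribeFieldResult fldDescribe =
            objDescribe.fields.getMap().get(fldKey).getDescribe();

        // 4. Explicit CRUD/FLS check. USER_MODE below also enforces this at run
        //    time; the explicit check gives the caller a clearer error.
        if (!objDescribe.isAccessible() || !fldDescribe.isAccessible()) {
            throw new QueryNotAllowedException('Insufficient access to ' + objDescribe.getName());
        }

        // 2. User data is passed as a bind variable. The wildcards are added here,
        //    so the caller controls the matched text but not the query structure.
        String q = 'SELECT Id, ' + fldDescribe.getName()
                 + ' FROM ' + objDescribe.getName()
                 + ' WHERE ' + fldDescribe.getName() + ' LIKE :pattern';
        Map<String, Object> binds = new Map<String, Object>{
            'pattern' => '%' + term + '%'
        };

        // 6. Run in user mode: object permissions, FLS and sharing are enforced,
        //    and the query fails rather than returning fields the user cannot see.
        return Database.queryWithBinds(q, binds, AccessLevel.USER_MODE);
    }
}
```

For the documentation, the second method is the one to present: with inputs such as `queryWithAllowlist('Contact', 'Email', 'x\' OR Name != \'')` the quote never reaches the query text, and an object or field outside the allowlist throws before any query runs. The scanner's complaint about the first method is correct, blacklist or not, so the remediation is to replace that pattern rather than to argue it away.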
Reasoning
The main issue identified was outdated security guidance in point 4. The original answer only mentioned the legacy approach of using `getDescribe().isAccessible()` for CRUD/FLS enforcement, which doesn't align with current best practices. According to the security approaches guidelines, modern features like `WITH USER_MODE` and `AccessLevel.USER_MODE` should be prioritized as they automatically enforce permissions while requiring less code. I updated this section to lead with modern approaches while acknowledging that traditional methods remain valid. This change brings the FAQ in line with current Salesforce security recommendations while maintaining completeness. The ApexSOQLInjection rule was selected because this FAQ directly addresses how to document and mitigate SOQL injection vulnerabilities in dynamic queries. The FAQ's entire focus is on demonstrating proper practices to prevent SOQL injection through whitelisting, input validation, sanitization, and permission enforcement - all of which are core protections against the security risks that the ApexSOQLInjection rule is designed to detect.