FAQ-001624 - SQL Injection and Input Validation / Security Review and Vulnerability Assessment


Current FAQ

Question
How do I investigate and validate SQL injection vulnerabilities reported in security scans?
Answer
To investigate and validate SQL injection vulnerabilities reported in security scans for Salesforce applications, follow these steps:

1. **Understand the Reported Vulnerability**: Review the scan report to identify the specific query or code flagged as vulnerable.
2. **Verify Query Construction**: Check if the query uses dynamic SOQL or SOSL, as these are more prone to vulnerabilities. Ensure user input isn't directly incorporated without validation.
3. **Use Bind Variables**: Replace user-supplied input in queries with bind variables to treat input as data, not executable code.
4. **Sanitize Input**: Validate and sanitize user inputs, using methods like `String.escapeSingleQuotes()` to escape special characters.
5. **Implement Whitelisting**: For dynamic queries involving object or field names, use a whitelist of acceptable values and validate against it using `Schema.getGlobalDescribe()`.
6. **Check Permissions**: Enforce CRUD and FLS checks to ensure the query respects user permissions.
7. **Test the Fix**: Re-run security scans and perform manual testing to confirm the vulnerability is resolved.
8. **Document False Positives**: If the issue is a false positive, document why the flagged code is not a security risk.
9. **Consult Resources**: Use Salesforce's secure coding guidelines and documentation for additional best practices.

These steps will help you effectively address SQL injection vulnerabilities in your Salesforce applications.

AI Recommended Enhancement

Related Security Rules
- ApexSOQLInjection
- ApexCRUDViolation
- ApexSharingViolations
Question
How do I investigate and validate SQL injection vulnerabilities reported in security scans?
Recommended Answer Update
To investigate and validate SQL injection vulnerabilities reported in security scans for Salesforce applications, follow these steps:

1. **Understand the Reported Vulnerability**: Review the scan report to identify the specific query or code flagged as vulnerable.
2. **Verify Query Construction**: Check if the query uses dynamic SOQL or SOSL, as these are more prone to vulnerabilities. Ensure user input isn't directly incorporated without validation.
3. **Use Bind Variables**: Replace user-supplied input in queries with bind variables to treat input as data, not executable code.
4. **Sanitize Input**: Validate and sanitize user inputs, using methods like `String.escapeSingleQuotes()` to escape special characters.
5. **Implement Allowlisting**: For dynamic queries involving object or field names, use an allowlist of acceptable values and validate against it using `Schema.getGlobalDescribe()`.
6. **Check Permissions**: Enforce CRUD and FLS checks to ensure the query respects user permissions. Consider using `WITH USER_MODE` for SOQL queries or `AccessLevel.USER_MODE` for Database methods as modern approaches that automatically enforce permissions.
7. **Test the Fix**: Re-run security scans and perform manual testing to confirm the vulnerability is resolved.
8. **Document False Positives**: If the issue is a false positive, document why the flagged code is not a security risk.
9. **Consult Resources**: Use Salesforce's secure coding guidelines and documentation for additional best practices.

These steps will help you effectively address SQL injection vulnerabilities in your Salesforce applications.
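The following Apex class is an added example, not code from this FAQ or from Salesforce: it shows a dynamic-SOQL contact search written first in the form scanners flag, then hardened with steps 3, 5 and 6 of the procedure above (bind variable, allowlist checked against `Schema.getGlobalDescribe()`, and `AccessLevel.USER_MODE`). The class name, method names and the allowlisted fields are assumptions.

```apex
// Added example (hypothetical class); not part of the FAQ or of any Salesforce sample.
public with sharing class ContactSearch {

    // FLAGGED PATTERN: both the filter value and the ORDER BY field are concatenated
    // straight from user input, so a quote or extra clause in either one changes the
    // query logic, and nothing enforces CRUD/FLS on the result.
    public static List<Contact> searchUnsafe(String nameFragment, String orderField) {
        String q = 'SELECT Id, Name FROM Contact WHERE Name LIKE \'%' + nameFragment
                 + '%\' ORDER BY ' + orderField;
        return Database.query(q);
    }

    // Step 5: the only fields a caller may sort by (lower-case API names, assumed).
    private static final Set<String> SORTABLE_FIELDS = new Set<String>{ 'name', 'createddate' };

    // HARDENED: the value goes in as a bind (step 3), the field name is allowlisted and
    // resolved through the schema describe (step 5), and the query runs in user mode so
    // the platform enforces object and field permissions (step 6).
    public static List<Contact> searchSafe(String nameFragment, String orderField) {
        // Field names cannot be bound, so validate the name instead of escaping it.
        String key = String.isBlank(orderField) ? 'name' : orderField.toLowerCase();
        if (!SORTABLE_FIELDS.contains(key)) {
            throw new IllegalArgumentException('Unsupported sort field: ' + orderField);
        }
        Map<String, Schema.SObjectField> fieldMap =
            Schema.getGlobalDescribe().get('Contact').getDescribe().fields.getMap();
        if (!fieldMap.containsKey(key)) {
            throw new IllegalArgumentException('Unknown field: ' + orderField);
        }
        // Put the canonical API name from the describe into the query, never the raw input.
        String sortField = fieldMap.get(key).getDescribe().getName();

        // The LIKE pattern travels as data through a bind, so it cannot close the quote;
        // String.escapeSingleQuotes() (step 4) is only the fallback when a bind is impossible.
        Map<String, Object> binds = new Map<String, Object>{
            'pattern' => '%' + nameFragment + '%'
        };
        String q = 'SELECT Id, Name FROM Contact WHERE Name LIKE :pattern ORDER BY ' + sortField;
        return Database.queryWithBinds(q, binds, AccessLevel.USER_MODE);
    }
}
```

When re-running the scan (step 7), `searchUnsafe` should still be reported and `searchSafe` should not; if the scanner still flags `searchSafe` because of the `ORDER BY` concatenation, the allowlist plus describe lookup is the justification to record under step 8.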
Reasoning
The FAQ content is technically accurate and comprehensive. I made minimal refinements to improve clarity and modernize the guidance: 1) Changed 'whitelisting' to 'allowlisting' to use current inclusive terminology, and 2) Enhanced step 6 to mention modern permission enforcement approaches (WITH USER_MODE and AccessLevel.USER_MODE) while preserving the existing guidance about CRUD and FLS checks. These changes align with the security approaches guidelines that prioritize modern features while maintaining that traditional approaches remain valid. For security rules selection: ApexSOQLInjection is directly relevant as the FAQ specifically addresses 'SQL injection vulnerabilities' and discusses 'dynamic SOQL or SOSL' queries with user input validation and bind variables - exactly what this rule detects. ApexCRUDViolation relates to step 6's guidance on 'enforce CRUD and FLS checks to ensure the query respects user permissions' - this rule identifies missing CRUD permission checks. ApexSharingViolations connects to the permissions enforcement discussed in step 6, as this rule detects sharing violations that could allow unauthorized data access through queries.