FAQ-001629 - SQL Injection and Input Validation / Validation Rules and Access Controls


Current FAQ

Question
How should I implement field whitelisting and access validation for dynamic SOQL construction?
Answer
To implement field whitelisting and access validation for dynamic SOQL construction in Salesforce, follow these steps:

1. **Field Whitelisting**:
   - Create a whitelist of acceptable fields and objects.
   - Use `Schema.getGlobalDescribe()` to retrieve a map of all objects and their fields.
   - Compare user-supplied input against this whitelist to ensure only valid fields and objects are used in the query.
2. **Access Validation**:
   - Validate that the user has the necessary permissions to access the specified object and fields before executing the query.
   - Use `Schema.DescribeSObjectResult` and methods like `isAccessible()`, `isCreateable()`, `isUpdateable()`, and `isDeletable()` to enforce Field-Level Security (FLS) and CRUD permissions.
3. **Safe SOQL Construction**:
   - Use bind variables to include user-supplied values in the query. This prevents SOQL injection by treating user input as a parameter rather than executable code. Object and field names cannot be bound, so they must pass the whitelist check before being concatenated into the query string.
4. **Example Implementation**:

   ```apex
   // Example whitelists: only these objects and fields may appear in the query.
   Set<String> validObjects = new Set<String>{'Account', 'Contact'};
   List<String> validFields = new List<String>{'Name', 'CreatedDate'};

   if (!validObjects.contains(objectType)) {
       throw new IllegalArgumentException('Invalid object specified.');
   }
   if (!validFields.contains(fieldName)) {
       throw new IllegalArgumentException('Invalid field specified.');
   }

   // CRUD check on the object and FLS check on the field for the running user.
   Schema.DescribeSObjectResult objectDesc = Schema.getGlobalDescribe().get(objectType).getDescribe();
   if (!objectDesc.isAccessible()) {
       throw new IllegalArgumentException('User does not have permission to access this object.');
   }
   Schema.DescribeFieldResult fieldDesc = objectDesc.fields.getMap().get(fieldName).getDescribe();
   if (!fieldDesc.isAccessible()) {
       throw new IllegalArgumentException('User does not have permission to access this field.');
   }

   // Only whitelisted identifiers are concatenated; user-supplied values would be bound, never concatenated.
   String query = 'SELECT ' + fieldName + ' FROM ' + objectType + ' WHERE CreatedDate = TODAY';
   List<SObject> records = Database.query(query);
   ```

This ensures that only authorized fields and objects are queried, and user permissions are respected.

AI Recommended Enhancement

Related Security Rules: ApexSOQLInjection, ApexCRUDViolation
Question
How should I implement field whitelisting and access validation for dynamic SOQL construction?
Recommended Answer Update
To implement field whitelisting and access validation for dynamic SOQL construction in Salesforce, follow these steps:

1. **Field Whitelisting**:
   - Create a whitelist of acceptable fields and objects.
   - Use `Schema.getGlobalDescribe()` to retrieve a map of all objects and their fields.
   - Compare user-supplied input against this whitelist to ensure only valid fields and objects are used in the query.
2. **Access Validation**:
   - Validate that the user has the necessary permissions to access the specified object and fields before executing the query.
   - Use `Schema.DescribeSObjectResult` and methods like `isAccessible()`, `isCreateable()`, `isUpdateable()`, and `isDeletable()` to enforce Field-Level Security (FLS) and CRUD permissions.
   - For modern implementations, consider using `WITH USER_MODE` in SOQL queries or `AccessLevel.USER_MODE` for Database methods to automatically enforce user permissions.
3. **Safe SOQL Construction**:
   - Use bind variables to include user-supplied values in the query. This prevents SOQL injection by treating user input as a parameter rather than executable code. Object and field names cannot be bound, so they must pass the whitelist check before being concatenated into the query string.
4. **Example Implementation**:

   ```apex
   // Example whitelists: only these objects and fields may appear in the query.
   Set<String> validObjects = new Set<String>{'Account', 'Contact'};
   List<String> validFields = new List<String>{'Name', 'CreatedDate'};

   if (!validObjects.contains(objectType)) {
       throw new IllegalArgumentException('Invalid object specified.');
   }
   if (!validFields.contains(fieldName)) {
       throw new IllegalArgumentException('Invalid field specified.');
   }

   // Manual CRUD check on the object and FLS check on the field for the running user.
   Schema.DescribeSObjectResult objectDesc = Schema.getGlobalDescribe().get(objectType).getDescribe();
   if (!objectDesc.isAccessible()) {
       throw new IllegalArgumentException('User does not have permission to access this object.');
   }
   Schema.DescribeFieldResult fieldDesc = objectDesc.fields.getMap().get(fieldName).getDescribe();
   if (!fieldDesc.isAccessible()) {
       throw new IllegalArgumentException('User does not have permission to access this field.');
   }

   // Only whitelisted identifiers are concatenated; WITH USER_MODE makes the platform
   // enforce the running user's CRUD, FLS and sharing on the query as well.
   String query = 'SELECT ' + fieldName + ' FROM ' + objectType + ' WHERE CreatedDate = TODAY WITH USER_MODE';
   List<SObject> records = Database.query(query);
   ```

This ensures that only authorized fields and objects are queried, and user permissions are respected.
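The four steps above (and the same procedure in the Current FAQ answer) as one complete helper class. This is an added example, not code from the FAQ or from Salesforce; the `SafeDynamicQuery` class name, the `ValidationException` type, the allowlist contents and the `LIMIT 200` cap are assumptions made for illustration. It goes beyond the single-field example in the answer: it allowlists the object and every selected field, pre-checks CRUD and FLS through the describe API, and passes the user-supplied filter value to `Database.queryWithBinds` with `AccessLevel.USER_MODE` so that the platform also enforces the running user's permissions.

```apex
// Added example (not from the FAQ): build a dynamic SOQL query only from allowlisted
// object and field names, bind the user-supplied filter value, and let the platform
// enforce CRUD/FLS/sharing with AccessLevel.USER_MODE.
// Assumptions: the allowlist below, the class and method names, and the LIMIT are illustrative.
public with sharing class SafeDynamicQuery {

    // Allowlist: object API name -> field API names callers may select or filter on.
    // Constructed for this example; a real allowlist reflects the application's own needs.
    private static final Map<String, Set<String>> ALLOWED_FIELDS = new Map<String, Set<String>>{
        'Account' => new Set<String>{ 'Id', 'Name', 'CreatedDate', 'Industry' },
        'Contact' => new Set<String>{ 'Id', 'Name', 'Email', 'CreatedDate' }
    };

    public class ValidationException extends Exception {}

    // Returns records of objectType whose filterField equals filterValue.
    // objectType, selectFields and filterField are checked against the allowlist before
    // they are concatenated; filterValue is never concatenated and goes in as a bind variable.
    public static List<SObject> find(String objectType, List<String> selectFields,
                                     String filterField, Object filterValue) {
        // 1. Object allowlist: unknown or unexpected object names are rejected outright.
        if (objectType == null || !ALLOWED_FIELDS.containsKey(objectType)) {
            throw new ValidationException('Object not permitted: ' + objectType);
        }
        Set<String> allowed = ALLOWED_FIELDS.get(objectType);

        // 2. Field allowlist for the SELECT list and the WHERE field (exact-case match).
        //    Any string containing SOQL syntax rather than a bare field name fails here.
        if (selectFields == null || selectFields.isEmpty()) {
            throw new ValidationException('At least one field must be selected.');
        }
        for (String f : selectFields) {
            if (!allowed.contains(f)) {
                throw new ValidationException('Field not permitted: ' + f);
            }
        }
        if (!allowed.contains(filterField)) {
            throw new ValidationException('Filter field not permitted: ' + filterField);
        }

        // 3. Explicit CRUD/FLS pre-check with the describe API, as in the FAQ's manual approach.
        //    USER_MODE below enforces this too; the pre-check just yields a clearer error message.
        Schema.DescribeSObjectResult objDesc = Schema.getGlobalDescribe().get(objectType).getDescribe();
        if (!objDesc.isAccessible()) {
            throw new ValidationException('No read access to ' + objectType);
        }
        Map<String, Schema.SObjectField> fieldMap = objDesc.fields.getMap();
        for (String f : selectFields) {
            Schema.SObjectField sf = fieldMap.get(f);
            if (sf == null || !sf.getDescribe().isAccessible()) {
                throw new ValidationException('No read access to ' + objectType + '.' + f);
            }
        }

        // 4. Only allowlisted identifiers are concatenated; the value is a named bind variable.
        String soql = 'SELECT ' + String.join(selectFields, ', ')
                    + ' FROM ' + objectType
                    + ' WHERE ' + filterField + ' = :filterValue'
                    + ' LIMIT 200';
        Map<String, Object> binds = new Map<String, Object>{ 'filterValue' => filterValue };

        // AccessLevel.USER_MODE makes the query respect the running user's CRUD, FLS and sharing.
        return Database.queryWithBinds(soql, binds, AccessLevel.USER_MODE);
    }
}
```

A call such as `SafeDynamicQuery.find('Account', new List<String>{'Id', 'Name'}, 'Industry', userSuppliedIndustry)` produces `SELECT Id, Name FROM Account WHERE Industry = :filterValue LIMIT 200`. A field or object argument that is not an allowlisted identifier never reaches the query string, and the filter value cannot change the query's shape because it is bound rather than concatenated; `AccessLevel.USER_MODE` additionally strips or rejects anything the running user may not read, which is the check the ApexCRUDViolation rule looks for.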
Reasoning
The original answer provides solid guidance but lacks mention of modern security features. Based on the security approaches guidelines, I added a brief mention of `WITH USER_MODE` and `AccessLevel.USER_MODE` as modern alternatives to manual permission validation, while preserving the existing manual validation approach. I also updated the example code to include `WITH USER_MODE` to demonstrate modern best practices. These changes align with the requirement to prioritize modern features while not suggesting legacy approaches are unacceptable.

For security rules selected:

- **ApexSOQLInjection**: This rule directly relates to the FAQ's core topic of preventing SOQL injection in dynamic query construction. The FAQ specifically addresses "Safe SOQL Construction" and discusses using bind variables to prevent SOQL injection, which is exactly what this rule detects and prevents.
- **ApexCRUDViolation**: This rule is directly relevant to the "Access Validation" section of the FAQ, which discusses enforcing Field-Level Security (FLS) and CRUD permissions using methods like `isAccessible()`, `isCreateable()`, `isUpdateable()`, and `isDeletable()`. The FAQ's guidance on validating user permissions before query execution directly corresponds to what this rule enforces.