Which three items will open up a major security hole?

Although Salesforce B2B Commerce and Salesforce recommend against using "without sharing" classes whenever possible, sometimes it is unavoidable.

Which three items will open up a major security hole? (3 answers)
A. Executing dynamic SOQL inside a without sharing class with a bind variable from PageReference.getParameters().
B. Executing dynamic SOQL inside a without sharing class with a bind variable from the UserInfo class.
C. Executing dynamic SOQL inside a without sharing class with a bind variable from PageReference.getCookies().
D. Executing dynamic SOQL inside a without sharing class with a bind variable from the cc_RemoteActionContext class.
E. Executing dynamic SOQL inside a without sharing class with a bind variable from ccAPI.CURRENT_VERSION.

Answer: A,C,D

Explanation:

Executing dynamic SOQL inside a without sharing class with a bind variable taken from PageReference.getParameters(), PageReference.getCookies(), or the cc_RemoteActionContext class opens up a major security hole: these input sources are not sanitized and are under the control of the requesting user, who can manipulate them to inject SOQL that bypasses sharing rules and returns data they are not supposed to see. For example, a user can modify the URL parameters or cookies so that the resulting query returns sensitive records from the database. By contrast, UserInfo and ccAPI.CURRENT_VERSION are values supplied by the platform, not by the request. To prevent this, it is recommended to use static SOQL, or to escape user-supplied values before they are used in dynamic SOQL.
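The following Apex controller is an added illustration of the pattern the explanation describes; it is not from the original page or from Salesforce B2B Commerce. The class, method, field and parameter names (AccountLookupController, the name and q parameters) are assumptions. It places the unsafe version, which splices a request parameter into the query text, beside two safe versions: one that passes the value as a bind variable, and one that escapes the value before it has to be concatenated into a LIKE pattern.

```apex
// Added example, not part of the original page. Names are assumptions.
// The class is deliberately 'without sharing' to mirror the question: every
// query here ignores the caller's record-level sharing rules, so the query
// text itself must never be influenced by the request.
public without sharing class AccountLookupController {

    // UNSAFE: the 'name' URL parameter is concatenated directly into the SOQL
    // string. Whoever controls the URL controls the WHERE clause, and because the
    // class is without sharing, the rewritten query runs against all records.
    public List<Account> findAccountsUnsafe() {
        String nameParam = ApexPages.currentPage().getParameters().get('name');
        String soql = 'SELECT Id, Name, AnnualRevenue FROM Account '
                    + 'WHERE Name = \'' + nameParam + '\'';
        return Database.query(soql);
    }

    // SAFE: the same lookup with the value passed as a bind variable. The runtime
    // treats the bound value purely as data, so it cannot alter the query syntax
    // regardless of what the parameter contains.
    public List<Account> findAccountsSafe() {
        String nameParam = ApexPages.currentPage().getParameters().get('name');
        String soql = 'SELECT Id, Name, AnnualRevenue FROM Account '
                    + 'WHERE Name = :nameParam';
        return Database.query(soql);
    }

    // SAFE (partial match): when the value must be spliced into the string, for
    // example to build a LIKE pattern, escape it first so a quote in the input
    // cannot terminate the literal. WITH SECURITY_ENFORCED additionally makes the
    // query fail if the running user lacks field-level access to AnnualRevenue,
    // which a without sharing class would otherwise not check.
    public List<Account> searchAccountsSafe() {
        String raw = ApexPages.currentPage().getParameters().get('q');
        if (String.isBlank(raw)) {
            return new List<Account>();
        }
        String soql = 'SELECT Id, Name, AnnualRevenue FROM Account '
                    + 'WHERE Name LIKE \'%' + String.escapeSingleQuotes(raw) + '%\' '
                    + 'WITH SECURITY_ENFORCED';
        return Database.query(soql);
    }
}
```

The same reasoning applies to values read from ApexPages.currentPage().getCookies(): a cookie value is request-controlled in exactly the way a URL parameter is, so it belongs in a bind variable or behind String.escapeSingleQuotes, never in raw concatenation. Note that escaping only neutralises quote characters; it does not restore the sharing rules the class opted out of, so the business logic still has to scope the records it returns.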
