1

I am getting error in Checkmarx.

Method abortJob at line 209 of XXX/classes/Monitoring.cls gets user input from the select element.
This element’s value then flows through the code without being properly sanitized or validated, and is eventually used in a database query in method jobAbortRem at line 209 of XXX/classes/Monitoring.cls.
This may enable an SOQL Injection attack.

              Source                                Destination   
File          XXXX/classes/Monitoring.cls           XXXX/classes/Monitoring.cls
Line          212                                  217
Object        select                               select

public static void abortJob() //line no. 209
{
    list<CronTrigger> detailId=[select id FROM CronTrigger
                                where (CronJobDetail.Name='myJobName') AND NextFireTime = null]; //line 212
    
    if (detailId.size() > 0)
    {
        Id jobId = [SELECT Id from CronTrigger WHERE id = :detailId].get(0).Id; //and line 217 
        System.abortJob(jobId);
        Monitoring.scheduleJob();
    }
}

Help me on this how can I pass the Checkmarx review.

Thanks

securecodeninja
  • 2,497
  • 3
  • 16
  • 22
Gourav Saini
  • 13
  • 3
  • There seems to be a lack of information here. It is important to know that *Second Order SQL Injection* is the case where we read information from the database. Ostensibly the database is internal and therefore the information in it is correct, but still, it may have harmless information in it, but combined with reading the information and using it can be vulnerable. – baruchiro Aug 23 '20 at 05:24
  • @baruchiro what else information do u need? – Gourav Saini Aug 24 '20 at 05:05

1 Answers1

2

Use the escapeSingleQuotes method to sanitize each element of the detailId (I would suggest renaming this) collection

public static void abortJob() { 
    list<CronTrigger> detailId=[select id FROM CronTrigger where (CronJobDetail.Name='myJobName' ) AND NextFireTime =null];
    Id jobId ; 
    for (CronTrigger currentCron : detailId) { 
        jobId = String.escapeSingleQuotes(currentCron.Id); 
    } 
    if (jobId !=null) { 
        System.abortJob(jobId); 
        Monitoring.scheduleJob();
    } 
}

Here's the Salesforce Secure Coding reference that will be useful

You might also wanted to try this type of loop to go about each item of the query result https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/langCon_apex_loops_for_SOQL.htm

securecodeninja
  • 2,497
  • 3
  • 16
  • 22
  • 1
    public static void abortJob() { list detailId=[select id FROM CronTrigger where (CronJobDetail.Name='myJobName' ) AND NextFireTime =null]; //line 212 Id jobId ; for (CronTrigger currentCron : detailId) { jobId = String.escapeSingleQuotes(currentCron.Id); } if (jobId !=null) { System.abortJob(jobId); Monitoring.scheduleJob(); } } – Gourav Saini Aug 24 '20 at 11:33