forcedotcom / sfdx-scanner

MIT License

What does "use trusted input" mean? #1414

Closed Rogeriohsjr closed 5 months ago

Rogeriohsjr commented 6 months ago

Hi There,

I am getting a message saying: "Ensure that DML operations against PermissionSetAssignment use trusted input." https://github.com/forcedotcom/sfdx-scanner/blob/dev/pmd-appexchange/docs/LimitPermissionSetAssignment.md

What does "use trusted input" mean?

I am not sure what the issue is, and here is my code:

  public PermissionSetAssignment assignPermissionSet(Id pPermissionSetId, Id pUserId) {
    PermissionSetAssignment psa = new PermissionSetAssignment(PermissionSetId = pPermissionSetId, AssigneeId = pUserId);
    return psa;
  }

The line of code that it is complaining about is:

    PermissionSetAssignment psa = new PermissionSetAssignment(PermissionSetId = pPermissionSetId, AssigneeId = pUserId);

Thanks in advance!

rrajaram-salesforce commented 5 months ago

@Rogeriohsjr sorry about the delay in response. This rule attempts to flag permission set assignments that an administrator may not be aware of; technically a new PermissionSetAssignment() is the first step for a follow-up DML insert, effectively assigning the permission set to a user.

The permission set name or permission set Id or user Id should not be tainted input. I realize this is not necessarily a high confidence rule; this rule was built primarily for security reviewers to dig deep when the pattern is flagged to look for:

  1. CRUD/FLS on the insert operation against PermissionSetAssignment
  2. Check if the Permissionset name or Permission Set Id is tainted.

If you believe none of the conditions apply for your code, then feel free to mark this as a false +ve.

FYI - We have suppressed this rule in the new release so that we can turn this into a high confidence rule later.
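The two reviewer checks listed in the comment above, shown as an added Apex example that is not part of the original thread or of the sfdx-scanner project. The class name, the allowlisted permission set name and the custom permission name are hypothetical.

```apex
// Added example: all names below are hypothetical, not from the thread.
public with sharing class TrustedPermissionSetAssigner {
    public class AssignmentException extends Exception {}

    // Trusted input: permission set API names are fixed in code,
    // never taken from a page parameter, record field or API caller.
    private static final Set<String> ALLOWED_PERMISSION_SETS =
        new Set<String>{ 'Example_App_User' }; // constructed sample name

    public static PermissionSetAssignment assign(String permissionSetName, Id userId) {
        // Only users holding a dedicated custom permission may grant access,
        // so a caller-supplied userId cannot be used by arbitrary users.
        if (!FeatureManagement.checkPermission('Manage_Example_App_Access')) {
            throw new AssignmentException('Running user may not assign permission sets');
        }
        // Check 2: reject any name outside the allowlist before query or DML.
        if (!ALLOWED_PERMISSION_SETS.contains(permissionSetName)) {
            throw new AssignmentException('Permission set is not on the allowlist');
        }
        // Check 1: CRUD on the object that is about to be inserted.
        if (!Schema.sObjectType.PermissionSetAssignment.isCreateable()) {
            throw new AssignmentException('No create access on PermissionSetAssignment');
        }
        // Resolve the Id server-side from the allowlisted name instead of
        // accepting a PermissionSetId from the caller.
        List<PermissionSet> sets = [
            SELECT Id FROM PermissionSet WHERE Name = :permissionSetName LIMIT 1
        ];
        if (sets.isEmpty()) {
            throw new AssignmentException('Permission set not found');
        }
        PermissionSetAssignment psa = new PermissionSetAssignment(
            PermissionSetId = sets[0].Id,
            AssigneeId = userId
        );
        insert psa;
        return psa;
    }
}
```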

Rogeriohsjr commented 5 months ago

Thanks, I will update my sfdx scanner and see if that goes away or if I can suppress that.