forcedotcom / sfdx-scanner

MIT License

[BUG] InternalExecutionError - Graph Engine identified your source and sink, but you must manually verify that you have a sanitizer in this path. #1582

Closed OrangeHarry closed 3 weeks ago

OrangeHarry commented 4 weeks ago

Have you tried to resolve this issue yourself first?

Yes

Bug Description

Hello. Among the defects reported by ApexFlsViolationRule, we have field(s) [Unknown] even after checking field permissions. In case a defect occurs, we are checking permissions once again using stripInaccessible(), e.g. Security.stripInaccessible(AccessType.READABLE, recordList).

However, if Security.stripInaccessible() is applied to the recordList loaded through Database.query(), the following defect occurs.

[[ Graph Engine identified your source and sink, but you must manually verify that you have a sanitizer in this path. Then, add an engine directive to skip the path. Next, create a Github issue for the Code Analyzer team that includes the error and stack trace. After we fix this issue, check the Code Analyzer release notes for more info. Error and stacktrace: ClassCastException: class com.salesforce.graph.vertex.MethodCallExpressionVertex cannot be cast to class com.salesforce.graph.vertex.SoqlExpressionVertex (com.salesforce.graph.vertex.MethodCallExpressionVertex and com.salesforce.graph.vertex.SoqlExpressionVertex are in unnamed module of loader 'app'): com.salesforce.graph.symbols.apex.system.SObjectAccessDecision.buildSanitizedValue(SObjectAccessDecision.java:171);com.salesforce.graph.symbols.apex.system.SObjectAccessDecision.executeMethod(SObjectAccessDecision.java:112);com.salesforce.graph.symbols.PathScopeVisitor.afterMethodCall(PathScopeVisitor.java:659);com.salesforce.graph.symbols.DefaultSymbolProviderVertexVisitor.afterMethodCall(DefaultSymbolProviderVertexVisitor.java:318);com.salesforce.graph.ops.expander.ApexPathExpander.handleMethodCall(ApexPathExpander.java:681);com.salesforce.graph.ops.expander.ApexPathExpander.visit(ApexPathExpander.java:532) ]]

Below is our code situation.

    // whereClause is declared here so the fragment compiles; the reporter's snippet starts mid-method
    String whereClause = '';
    String branchId = String.escapeSingleQuotes((String) reqData.get('branchId'));
    String oem = 'OEM';

    // Required 1. Branch
    whereClause += ' AND Branch__c =: branchId ';
    // Required 2. RecordType (OEM)
    whereClause += ' AND PartsOrder__r.RecordType.DeveloperName =: oem ' + '\n';

    // Option 1. Product Code
    if(I2ComHelper.gfnHasCondition(reqData, 'partCode') && Util.isNotEmpty((String) reqData.get('partCode'))) {
        // wildcards are appended outside escapeSingleQuotes(), as in the partName case below
        final String partCode = '%' + String.escapeSingleQuotes((String) reqData.get('partCode')) + '%';
        whereClause += ' AND  fm_ProductCode__c LIKE :partCode' + '\n';
    }
    // Option 2. Product Name
    if(I2ComHelper.gfnHasCondition(reqData, 'partName') && Util.isNotEmpty((String) reqData.get('partName'))) {
        final String partName = '%' + String.escapeSingleQuotes((String) reqData.get('partName')) + '%';
        whereClause += ' AND fm_ProductName__c LIKE :partName'  + '\n';
    }

    // where Clause 
    whereClause = I2ComHelper.gfnRefineCondition(whereClause); // WHERE + AND

    List<String> fieldList = new List<String>();

    // Parts Master
    fieldList.add('Product__c');
    fieldList.add('Product__r.ProductCode');
    fieldList.add('Product__r.Name');

    // Parts Order
    fieldList.add('PartsOrder__c');
    fieldList.add('PartsOrder__r.Status__c');

    // Parts Order Line Item
    fieldList.add('Id');
    fieldList.add('OrderLineNo__c');
    fieldList.add('Branch__c');
    fieldList.add('QuantityRequested__c');
    fieldList.add('Result__c');

    String fields = String.join(fieldList, ',');

    String query = 'SELECT ';
    query += fields;
    query += ' FROM ' + ServiceConst.PARTS_ORDER_LINE_ITEM;
    if(Util.isNotEmpty(whereClause)) query += whereClause;
    // dynamic SOQL run in user mode; the bind variables above are resolved from local scope
    List<PartsOrderLineItem__c> allPartsOrderLineItems = Database.query(String.escapeSingleQuotes(query), AccessLevel.USER_MODE);

    // allPartsOrderLineItems FLS Check
    SObjectAccessDecision decisionOrderLineItems = Security.stripInaccessible(AccessType.READABLE, allPartsOrderLineItems);
    allPartsOrderLineItems = (List<PartsOrderLineItem__c>) decisionOrderLineItems.getRecords();

// allPartsOrderLineItems FLS Check

Without this comment line, field(s) [Unknown] will result in a fault, and applying Security.stripInaccessible() causes the flaw I wrote about earlier.

The defect does not occur in the recordList loaded using general SOQL, but it occurs in all records loaded using Database.query(). Is there a good solution?

Output / Logs

Graph Engine identified your source and sink, but you must manually verify that you have a sanitizer in this path. Then, add an engine directive to skip the path. Next, create a Github issue for the Code Analyzer team that includes the error and stack trace. After we fix this issue, check the Code Analyzer release notes for more info. Error and stacktrace: ClassCastException: class com.salesforce.graph.vertex.MethodCallExpressionVertex cannot be cast to class com.salesforce.graph.vertex.SoqlExpressionVertex (com.salesforce.graph.vertex.MethodCallExpressionVertex and com.salesforce.graph.vertex.SoqlExpressionVertex are in unnamed module of loader 'app'): com.salesforce.graph.symbols.apex.system.SObjectAccessDecision.buildSanitizedValue(SObjectAccessDecision.java:171);com.salesforce.graph.symbols.apex.system.SObjectAccessDecision.executeMethod(SObjectAccessDecision.java:112);com.salesforce.graph.symbols.PathScopeVisitor.afterMethodCall(PathScopeVisitor.java:659);com.salesforce.graph.symbols.DefaultSymbolProviderVertexVisitor.afterMethodCall(DefaultSymbolProviderVertexVisitor.java:318);com.salesforce.graph.ops.expander.ApexPathExpander.handleMethodCall(ApexPathExpander.java:681);com.salesforce.graph.ops.expander.ApexPathExpander.visit(ApexPathExpander.java:532)

Steps To Reproduce

To avoid field(s) [Unknown] defects, Security.stripInaccessible() was used.

Expected Behavior

field(s) [Unknown]: is it better to leave it as a flaw? Please explain whether it is a good idea to handle the above defect.

Operating System

Windows 11 Pro / 23H2 / 22631.4037

Salesforce CLI Version

@salesforce/cli/2.53.6 win32-x64 node-v20.11.1

Code Analyzer Plugin (@salesforce/sfdx-scanner) Version

@salesforce/sfdx-scanner 4.4.0

Java Version

openjdk version "11.0.17" 2022-10-18 LTS

Additional Context (Screenshots, Files, etc)

No response

Workaround

No response

Urgency

High
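A minimal class that isolates the two record-loading paths the report contrasts (inline SOQL versus Database.query(), each followed by the same stripInaccessible() call), added here as an example and not the reporter's or the project's own code. It uses the standard Account object; the class and method names are placeholders.

```apex
// Added example, not the reporter's code: the two load paths from the report,
// side by side, so the analyzer behaviour can be compared on one class.
public with sharing class FlsCheckRepro {

    // Path A: inline SOQL. Per the report, stripInaccessible() on this result
    // is analysed by Graph Engine without the ClassCastException.
    public static List<Account> loadInline(String nameLike) {
        List<Account> rows = [
            SELECT Id, Name FROM Account WHERE Name LIKE :nameLike WITH USER_MODE
        ];
        // USER_MODE already enforces FLS at runtime; stripInaccessible() is kept
        // here only to mirror the reporter's belt-and-braces pattern.
        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.READABLE, rows);
        return (List<Account>) decision.getRecords();
    }

    // Path B: dynamic SOQL through Database.query() with a bind variable and
    // AccessLevel.USER_MODE. Per the report, handing this result to
    // stripInaccessible() is where Graph Engine throws the InternalExecutionError.
    public static List<Account> loadDynamic(String nameLike) {
        String query = 'SELECT Id, Name FROM Account WHERE Name LIKE :nameLike';
        List<Account> rows = Database.query(query, AccessLevel.USER_MODE);
        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.READABLE, rows);
        return (List<Account>) decision.getRecords();
    }
}
```

Running the scanner against this one class shows whether the crash follows the Database.query() path alone, which is the distinction the report makes.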

stephen-carter-at-sf commented 3 weeks ago

Duplicate of 1497.