[BUG] InternalExecutionError - Graph Engine identified your source and sink, but you must manually verify that you have a sanitizer in this path. #1582
Have you tried to resolve this issue yourself first?
Yes
Bug Description
Hello.
Among the defects reported by ApexFlsViolationRule, we get field(s) [Unknown] even after checking field permissions.
When such a defect occurs, we check permissions once again using stripInaccessible(),
e.g. Security.stripInaccessible(AccessType.READABLE, recordList)
However, if Security.stripInaccessible() is applied to a recordList loaded through Database.query(), the following defect occurs.
[[ Graph Engine identified your source and sink, but you must manually verify that you have a sanitizer in this path. Then, add an engine directive to skip the path. Next, create a Github issue for the Code Analyzer team that includes the error and stack trace. After we fix this issue, check the Code Analyzer release notes for more info. Error and stacktrace: ClassCastException: class com.salesforce.graph.vertex.MethodCallExpressionVertex cannot be cast to class com.salesforce.graph.vertex.SoqlExpressionVertex (com.salesforce.graph.vertex.MethodCallExpressionVertex and com.salesforce.graph.vertex.SoqlExpressionVertex are in unnamed module of loader 'app'): com.salesforce.graph.symbols.apex.system.SObjectAccessDecision.buildSanitizedValue(SObjectAccessDecision.java:171);com.salesforce.graph.symbols.apex.system.SObjectAccessDecision.executeMethod(SObjectAccessDecision.java:112);com.salesforce.graph.symbols.PathScopeVisitor.afterMethodCall(PathScopeVisitor.java:659);com.salesforce.graph.symbols.DefaultSymbolProviderVertexVisitor.afterMethodCall(DefaultSymbolProviderVertexVisitor.java:318);com.salesforce.graph.ops.expander.ApexPathExpander.handleMethodCall(ApexPathExpander.java:681);com.salesforce.graph.ops.expander.ApexPathExpander.visit(ApexPathExpander.java:532) ]]
Below is our code situation.
String branchId = String.escapeSingleQuotes((String) reqData.get('branchId'));
String oem = 'OEM';
// Required 1. Branch
whereClause += ' AND Branch__c =: branchId ';
// Required 2. RecordType (OEM)
whereClause += ' AND PartsOrder__r.RecordType.DeveloperName =: oem ' + '\n';
// Option 1. Product Code
if(I2ComHelper.gfnHasCondition(reqData, 'partCode') && Util.isNotEmpty((String) reqData.get('partCode'))) {
final String partCode = '%' + String.escapeSingleQuotes((String) reqData.get('partCode')) + '%';
whereClause += ' AND fm_ProductCode__c LIKE :partCode' + '\n';
}
// Option 2. Product Name
if(I2ComHelper.gfnHasCondition(reqData, 'partName') && Util.isNotEmpty((String) reqData.get('partName'))) {
final String partName = '%' + String.escapeSingleQuotes((String) reqData.get('partName')) + '%';
whereClause += ' AND fm_ProductName__c LIKE :partName' + '\n';
}
// where Clause
whereClause = I2ComHelper.gfnRefineCondition(whereClause); // WHERE + AND
List<String> fieldList = new List<String>();
// Parts Master
fieldList.add('Product__c');
fieldList.add('Product__r.ProductCode');
fieldList.add('Product__r.Name');
// Parts Order
fieldList.add('PartsOrder__c');
fieldList.add('PartsOrder__r.Status__c');
// Parts Order Line Item
fieldList.add('Id');
fieldList.add('OrderLineNo__c');
fieldList.add('Branch__c');
fieldList.add('QuantityRequested__c');
fieldList.add('Result__c');
String fields = String.join(fieldList, ',');
String query = 'SELECT ';
query += fields;
query += ' FROM ' + ServiceConst.PARTS_ORDER_LINE_ITEM;
if(Util.isNotEmpty(whereClause)) query += whereClause;
List<PartsOrderLineItem__c> allPartsOrderLineItems = Database.query(String.escapeSingleQuotes(query), AccessLevel.USER_MODE);
// allPartsOrderLineItems FLS Check
SObjectAccessDecision decisionOrderLineItems = Security.stripInaccessible(AccessType.READABLE, allPartsOrderLineItems);
allPartsOrderLineItems = (List<PartsOrderLineItem__c>) decisionOrderLineItems.getRecords();
// allPartsOrderLineItems FLS Check
Without the block between these two comment lines, field(s) [Unknown] is reported as a defect, and
applying Security.stripInaccessible() causes the error I described above.
The error does not occur for a recordList loaded with an inline SOQL query, but it does occur for every record list loaded with Database.query(). Is there a good solution?
Output / Logs
Graph Engine identified your source and sink, but you must manually verify that you have a sanitizer in this path. Then, add an engine directive to skip the path. Next, create a Github issue for the Code Analyzer team that includes the error and stack trace. After we fix this issue, check the Code Analyzer release notes for more info. Error and stacktrace: ClassCastException: class com.salesforce.graph.vertex.MethodCallExpressionVertex cannot be cast to class com.salesforce.graph.vertex.SoqlExpressionVertex (com.salesforce.graph.vertex.MethodCallExpressionVertex and com.salesforce.graph.vertex.SoqlExpressionVertex are in unnamed module of loader 'app'): com.salesforce.graph.symbols.apex.system.SObjectAccessDecision.buildSanitizedValue(SObjectAccessDecision.java:171);com.salesforce.graph.symbols.apex.system.SObjectAccessDecision.executeMethod(SObjectAccessDecision.java:112);com.salesforce.graph.symbols.PathScopeVisitor.afterMethodCall(PathScopeVisitor.java:659);com.salesforce.graph.symbols.DefaultSymbolProviderVertexVisitor.afterMethodCall(DefaultSymbolProviderVertexVisitor.java:318);com.salesforce.graph.ops.expander.ApexPathExpander.handleMethodCall(ApexPathExpander.java:681);com.salesforce.graph.ops.expander.ApexPathExpander.visit(ApexPathExpander.java:532)
Steps To Reproduce
Security.stripInaccessible() was used to avoid the field(s) [Unknown] defect.
Expected Behavior
Is it better to leave field(s) [Unknown] as a defect?
Please explain whether it is a good idea to handle the above defect.
Operating System
Windows 11 Pro / 23H2 / 22631.4037
Salesforce CLI Version
@salesforce/cli/2.53.6 win32-x64 node-v20.11.1
Code Analyzer Plugin (@salesforce/sfdx-scanner) Version
@salesforce/sfdx-scanner 4.4.0
Java Version
openjdk version "11.0.17" 2022-10-18 LTS
Additional Context (Screenshots, Files, etc)
No response
Workaround
No response
Urgency
High
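The issue contrasts two ways of enforcing field-level security on a dynamic SOQL result: running the query in AccessLevel.USER_MODE and post-filtering the records with Security.stripInaccessible(). The class below is an added example, not code from the reporter or from the Code Analyzer project, showing both patterns side by side with user-controlled filter values passed as binds through Database.queryWithBinds instead of being concatenated into the query text. It uses the standard Account object (Name, Industry, AnnualRevenue) so it runs in any org; the reporter's PartsOrderLineItem__c schema, helper classes (I2ComHelper, Util, ServiceConst) and the class name FlsDynamicQueryExample are not assumed to exist.

```apex
// Added example (not from the issue or the Code Analyzer project): two ways to
// enforce FLS on dynamic SOQL whose filters come from user input. Object and
// field names are standard (Account) so the class deploys to any org.
public with sharing class FlsDynamicQueryExample {

    // Pattern 1: let the platform enforce CRUD/FLS. In USER_MODE the query runs
    // with the current user's permissions; a selected field the user cannot
    // read makes the call throw System.QueryException instead of returning the
    // record with that field silently blanked.
    public static List<Account> queryUserMode(String industryInput, String nameFragment) {
        Map<String, Object> binds = new Map<String, Object>();
        String whereClause = ' WHERE Industry = :industry';
        binds.put('industry', industryInput);  // caller input stays a bind value
        if (String.isNotBlank(nameFragment)) {
            whereClause += ' AND Name LIKE :namePattern';
            // LIKE wildcards are safe inside a bind; no escapeSingleQuotes needed
            binds.put('namePattern', '%' + nameFragment + '%');
        }
        String soql = 'SELECT Id, Name, Industry, AnnualRevenue FROM Account' + whereClause;
        // Nothing from the caller is ever spliced into the query text, so the
        // only thing left to defend is access control, which AccessLevel covers.
        return Database.queryWithBinds(soql, binds, AccessLevel.USER_MODE);
    }

    // Pattern 2: query in system mode, then sanitize. stripInaccessible removes
    // the fields the user cannot read rather than failing the whole query;
    // getRemovedFields() exposes what was dropped so the decision is auditable.
    public static List<Account> querySystemModeThenStrip(String industryInput) {
        Map<String, Object> binds = new Map<String, Object>{ 'industry' => industryInput };
        List<Account> raw = Database.queryWithBinds(
            'SELECT Id, Name, Industry, AnnualRevenue FROM Account WHERE Industry = :industry',
            binds, AccessLevel.SYSTEM_MODE);
        SObjectAccessDecision decision = Security.stripInaccessible(AccessType.READABLE, raw);
        for (String objName : decision.getRemovedFields().keySet()) {
            System.debug(LoggingLevel.WARN, 'FLS stripped from ' + objName + ': '
                + decision.getRemovedFields().get(objName));
        }
        return (List<Account>) decision.getRecords();
    }

    // Demonstration: the two patterns fail differently for a user who lacks
    // read access on AnnualRevenue. Run as that user (System.runAs in a test)
    // to see the contrast; as an admin both paths simply return the rows.
    public static void demo() {
        try {
            List<Account> viaUserMode = queryUserMode('Energy', 'Acme');
            System.debug('USER_MODE returned ' + viaUserMode.size() + ' rows');
        } catch (System.QueryException e) {
            // An inaccessible field in USER_MODE rejects the entire query.
            System.debug(LoggingLevel.WARN, 'USER_MODE rejected the query: ' + e.getMessage());
        }
        List<Account> viaStrip = querySystemModeThenStrip('Energy');
        // A stripped field is absent from the sObject and reading it throws
        // SObjectException, so check isSet() before touching it.
        for (Account a : viaStrip) {
            System.debug(a.Name + ' AnnualRevenue readable: ' + a.isSet('AnnualRevenue'));
        }
    }
}
```

The design point for the case in the issue: with USER_MODE the platform has already enforced FLS by the time the list is returned, so a second stripInaccessible(AccessType.READABLE, ...) pass on that list is redundant at runtime and only exists to satisfy the analyzer. Whichever pattern is chosen, keeping every caller-supplied value in the bind map removes the need for String.escapeSingleQuotes on the query text, which in the reporter's snippet is applied to the whole assembled query rather than to the values.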