Open sughodke opened 5 years ago

Salesforce has a REST API to search for a resource using parameterized variables, parameterizedSearch.
https://developer.salesforce.com/docs/atlas.en-us.api_rest.meta/api_rest/resources_search_parameterized.htm

This would really help in safeguarding against injection attacks -- as in this contrived example below, where `route.id` could be written in a malicious way.

Alternatively, SOQL seems to have "bind variables" for static queries. See https://trailhead.salesforce.com/en/content/learn/modules/secdev_injection_vulnerabilities/secdev_inject_prevent_soql_injection?trail_id=security_developer

Yes, it's currently up to a user to safeguard queries. Parameterized search works for search, but Query would require another solution.
I'm currently working on a brand new version of nforce and this is something I may tackle.
I'm a fan of the way node-postgres does it and may implement something similar. https://node-postgres.com/features/queries#parameterized-query
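As an added example (not part of the issue thread and not nforce's own code), the snippet below puts the injection pattern the issue describes next to three ways of keeping request data out of SOQL syntax: validating a record Id against its fixed shape, escaping free text before it becomes a SOQL string literal, and building the JSON body for the parameterizedSearch REST resource the issue links. Assumptions: an Express-style handler where `req.params.id` plays the role of the issue's `route.id`, the 15/18-character alphanumeric Salesforce Id format, and an escaping rule set written for this example rather than taken from any library; no network request is made.

```javascript
// Added example, not code from the nforce project or from the issue thread.
// Assumed: an Express-style request where `req.params.id` (the issue's `route.id`)
// is attacker-controlled, and Salesforce's 15/18-character alphanumeric record Id format.

const SF_RECORD_ID = /^[A-Za-z0-9]{15}(?:[A-Za-z0-9]{3})?$/;

// The pattern the issue warns about: request data spliced straight into SOQL.
// A value such as  ' OR Name != '  closes the literal and appends its own predicate.
function unsafeAccountQuery(id) {
  return `SELECT Id, Name FROM Account WHERE Id = '${id}'`;
}

// Fix 1, for record Ids: validate the shape and reject everything else.
// No escaping is needed because a valid Id cannot contain a quote, backslash or space.
function accountQueryById(id) {
  if (typeof id !== 'string' || !SF_RECORD_ID.test(id)) {
    throw new TypeError(`not a Salesforce record Id: ${JSON.stringify(id)}`);
  }
  return `SELECT Id, Name FROM Account WHERE Id = '${id}'`;
}

// Fix 2, for free text that must become a SOQL string literal: escape the characters
// that terminate or alter the literal. SOQL string literals use backslash escapes, so
// backslash and single quote are the critical two; CR/LF are escaped so the literal
// cannot be split across tokens. This rule set is an assumption made for the example;
// check it against the SOQL grammar you target rather than treating it as a library's.
function soqlStringLiteral(value) {
  const escaped = String(value)
    .replace(/\\/g, '\\\\')
    .replace(/'/g, "\\'")
    .replace(/\r/g, '\\r')
    .replace(/\n/g, '\\n');
  return `'${escaped}'`;
}

function contactsByLastName(lastName) {
  return `SELECT Id, Name FROM Contact WHERE LastName = ${soqlStringLiteral(lastName)}`;
}

// Fix 3, the REST resource the issue links: POST /services/data/vXX.X/parameterizedSearch.
// The search term travels as the JSON field `q`, separate from the objects and fields
// being searched, so the server never parses user input as query structure. Only the
// request body is built here; sending it is left to whatever HTTP client you already use.
// Caveat: `q` is still a SOSL search term, so `*` and `?` act as wildcards inside it.
function parameterizedSearchBody(term, sobject, fields) {
  return {
    q: String(term),
    sobjects: [{ name: sobject }],
    fields: fields.map((f) => `${sobject}.${f}`),
    overallLimit: 50,
  };
}

// Route-handler shaped demo: the same attacker-controlled value through each path.
function demo(routeId) {
  let validated;
  try {
    validated = accountQueryById(routeId);
  } catch (err) {
    validated = `rejected: ${err.message}`;
  }
  return {
    unsafe: unsafeAccountQuery(routeId),       // injected predicate survives
    validated,                                  // Id check rejects the payload
    escaped: contactsByLastName(routeId),       // quotes neutralised inside the literal
    search: parameterizedSearchBody(routeId, 'Account', ['Id', 'Name']), // term is data
  };
}
```

For a value that is supposed to be a record Id, the validation route is the one to take: an Id has a fixed alphabet, so a strict match is both simpler and stronger than escaping. Escaping is the fallback for genuinely free-form text, and parameterizedSearch only helps when the operation is a search rather than an arbitrary SOQL `Query`, which is the gap the maintainer's reply points out.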