From 44dfc109e97f48d94221847346e7d5bba0f4c28d Mon Sep 17 00:00:00 2001 From: Stephen Carter Date: Wed, 18 Dec 2024 11:24:24 -0500 Subject: [PATCH] NEW(pmd): @W-17310939@: Add in 3 more AppExchange rules: AvoidApiSessionId, AvoidAuraWithLockerDisabled, AvoidDisableProtocolSecurity --- .../sfca/rulesets/AppExchange_xml.xml | 72 ++++++++++++++++--- .../AvoidApiSessionIdTest.java | 16 +++++ .../AvoidAuraWithLockerDisabledTest.java | 16 +++++ .../AvoidDisableProtocolSecurityTest.java | 16 +++++ .../appexchange_xml/xml/AvoidApiSessionId.xml | 58 +++++++++++++++ .../xml/AvoidAuraWithLockerDisabled.xml | 32 +++++++++ .../xml/AvoidDisableProtocolSecurity.xml | 32 +++++++++ .../AvoidInsecureHttpRemoteSiteSetting.xml | 14 ++-- .../code-analyzer-pmd-engine/src/constants.ts | 2 +- .../src/pmd-rule-mappings.ts | 15 ++++ .../rules_allLanguages.goldfile.json | 35 ++++++++- 11 files changed, 289 insertions(+), 19 deletions(-) create mode 100644 packages/code-analyzer-pmd-engine/pmd-rules/src/test/java/sfca/rulesets/appexchange_xml/AvoidApiSessionIdTest.java create mode 100644 packages/code-analyzer-pmd-engine/pmd-rules/src/test/java/sfca/rulesets/appexchange_xml/AvoidAuraWithLockerDisabledTest.java create mode 100644 packages/code-analyzer-pmd-engine/pmd-rules/src/test/java/sfca/rulesets/appexchange_xml/AvoidDisableProtocolSecurityTest.java create mode 100644 packages/code-analyzer-pmd-engine/pmd-rules/src/test/resources/sfca/rulesets/appexchange_xml/xml/AvoidApiSessionId.xml create mode 100644 packages/code-analyzer-pmd-engine/pmd-rules/src/test/resources/sfca/rulesets/appexchange_xml/xml/AvoidAuraWithLockerDisabled.xml create mode 100644 packages/code-analyzer-pmd-engine/pmd-rules/src/test/resources/sfca/rulesets/appexchange_xml/xml/AvoidDisableProtocolSecurity.xml 
diff --git a/packages/code-analyzer-pmd-engine/pmd-rules/src/main/resources/sfca/rulesets/AppExchange_xml.xml b/packages/code-analyzer-pmd-engine/pmd-rules/src/main/resources/sfca/rulesets/AppExchange_xml.xml index 9dbca504..90497845 100644 --- a/packages/code-analyzer-pmd-engine/pmd-rules/src/main/resources/sfca/rulesets/AppExchange_xml.xml +++ b/packages/code-analyzer-pmd-engine/pmd-rules/src/main/resources/sfca/rulesets/AppExchange_xml.xml @@ -5,23 +5,79 @@ xsi:schemaLocation="http://pmd.sourceforge.net/ruleset/2.0.0 https://pmd.sourceforge.io/ruleset_2_0_0.xsd"> AppExchange Security Rules + + + + Detects use of Api.Session_ID or GETSESSIONID() to retrieve a session ID. + 2 + + + + + + + + + + + + Detects use of API versions with Lightning Locker disabled in Aura components. Use API version 40 or greater. + 1 + + + + + + + + + + + + Detects if "Disable Protocol Security" setting is true. + 3 + + + + + + + + + - - Detects instances of a Remote Site Settings that use HTTP.Use HTTPS instead. + + Detects instances of a Remote Site Settings that use HTTP. Use HTTPS instead. 3 + - - - + ]]> - - \ No newline at end of file diff --git a/packages/code-analyzer-pmd-engine/pmd-rules/src/test/java/sfca/rulesets/appexchange_xml/AvoidApiSessionIdTest.java b/packages/code-analyzer-pmd-engine/pmd-rules/src/test/java/sfca/rulesets/appexchange_xml/AvoidApiSessionIdTest.java new file mode 100644 index 00000000..72c712ec --- /dev/null +++ b/packages/code-analyzer-pmd-engine/pmd-rules/src/test/java/sfca/rulesets/appexchange_xml/AvoidApiSessionIdTest.java 
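Review bot: The three new rule descriptions say what is matched but not why it is a problem, and that text is what surfaces to the developer in the analyzer report. For AvoidApiSessionId I would extend it to `Detects use of Api.Session_ID or GETSESSIONID() to retrieve a session ID. A session ID placed in a URL or script can be captured from logs, browser history or page source and reused to act as that user.`, and for AvoidDisableProtocolSecurity add a sentence that the setting allows the remote site to be reached over plain HTTP. The rule bodies (XPath expressions) are not legible in this rendering so I could not check them, but the fixture exercises both `$Api.Session_ID` and `API.Session_ID`, so the description should state whether the match is case-insensitive. The Aura description could also name the flagged range explicitly (API version below 40) rather than only the recommended minimum.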
@@ -0,0 +1,16 @@
+package sfca.rulesets.appexchange_xml;
+
+import net.sourceforge.pmd.test.SimpleAggregatorTst;
+
+public class AvoidApiSessionIdTest extends SimpleAggregatorTst {
+ @Override
+ protected void setUp() {
+ // The test data xml file for this rule's test will always be in the resources directory using a naming
+ // convention based off the package for this test and the rule being tested:
+ // "resources//xml/.xml".
+ // In this case "sfca.rulesets.appexchange_xml" is the package name of this test file. Thus, the associated test
+ // data xml file for this rule must be found at:
+ // "resource/sfca/rulesets/appexchange_xml/xml/AvoidApiSessionId.xml"
+ addRule("sfca/rulesets/AppExchange_xml.xml", "AvoidApiSessionId");
+ }
+}
diff --git a/packages/code-analyzer-pmd-engine/pmd-rules/src/test/java/sfca/rulesets/appexchange_xml/AvoidAuraWithLockerDisabledTest.java b/packages/code-analyzer-pmd-engine/pmd-rules/src/test/java/sfca/rulesets/appexchange_xml/AvoidAuraWithLockerDisabledTest.java
new file mode 100644
index 00000000..34df3608
--- /dev/null
+++ b/packages/code-analyzer-pmd-engine/pmd-rules/src/test/java/sfca/rulesets/appexchange_xml/AvoidAuraWithLockerDisabledTest.java
@@ -0,0 +1,16 @@
+package sfca.rulesets.appexchange_xml;
+
+import net.sourceforge.pmd.test.SimpleAggregatorTst;
+
+public class AvoidAuraWithLockerDisabledTest extends SimpleAggregatorTst {
+ @Override
+ protected void setUp() {
+ // The test data xml file for this rule's test will always be in the resources directory using a naming
+ // convention based off the package for this test and the rule being tested:
+ // "resources//xml/.xml".
+ // In this case "sfca.rulesets.appexchange_xml" is the package name of this test file. Thus, the associated test
+ // data xml file for this rule must be found at:
+ // "resource/sfca/rulesets/appexchange_xml/xml/AvoidAuraWithLockerDisabled.xml"
+ addRule("sfca/rulesets/AppExchange_xml.xml", "AvoidAuraWithLockerDisabled");
+ }
+}
diff --git a/packages/code-analyzer-pmd-engine/pmd-rules/src/test/java/sfca/rulesets/appexchange_xml/AvoidDisableProtocolSecurityTest.java b/packages/code-analyzer-pmd-engine/pmd-rules/src/test/java/sfca/rulesets/appexchange_xml/AvoidDisableProtocolSecurityTest.java
new file mode 100644
index 00000000..c40e44be
--- /dev/null
+++ b/packages/code-analyzer-pmd-engine/pmd-rules/src/test/java/sfca/rulesets/appexchange_xml/AvoidDisableProtocolSecurityTest.java
@@ -0,0 +1,16 @@
+package sfca.rulesets.appexchange_xml;
+
+import net.sourceforge.pmd.test.SimpleAggregatorTst;
+
+public class AvoidDisableProtocolSecurityTest extends SimpleAggregatorTst {
+ @Override
+ protected void setUp() {
+ // The test data xml file for this rule's test will always be in the resources directory using a naming
+ // convention based off the package for this test and the rule being tested:
+ // "resources//xml/.xml".
+ // In this case "sfca.rulesets.appexchange_xml" is the package name of this test file. Thus, the associated test
+ // data xml file for this rule must be found at:
+ // "resource/sfca/rulesets/appexchange_xml/xml/AvoidDisableProtocolSecurity.xml"
+ addRule("sfca/rulesets/AppExchange_xml.xml", "AvoidDisableProtocolSecurity");
+ }
+}
diff --git a/packages/code-analyzer-pmd-engine/pmd-rules/src/test/resources/sfca/rulesets/appexchange_xml/xml/AvoidApiSessionId.xml b/packages/code-analyzer-pmd-engine/pmd-rules/src/test/resources/sfca/rulesets/appexchange_xml/xml/AvoidApiSessionId.xml
new file mode 100644
index 00000000..6ad7254f
--- /dev/null
+++ b/packages/code-analyzer-pmd-engine/pmd-rules/src/test/resources/sfca/rulesets/appexchange_xml/xml/AvoidApiSessionId.xml
@@ -0,0 +1,58 @@ + + + + + When custom object weblinks use GETSESSIONID(), then report violation + 1 + 6 + + + + + + {!REQUIRESCRIPT('/soap/ajax/26.0/connection.js')} + sforce.connection.sessionId = '{!GETSESSIONID()}'; + + + + ]]> + + + + When custom object weblinks use API.Session_Id, then report violation + 1 + 6 + + + + + + + /apex/something?id={!something__c.Id}&sessionId={!$Api.Session_ID}&instance={!$Api.Partner_Server_URL_260} + + + + ]]> + + + + When custom tab uses API.Session_Id, then report violation + 1 + 4 + + + + + https://test.example.com/dummy.ph?param1={!API.Enterprise_Server_URL_540}&sessionId={!API.Session_ID}&param2={!Organization.Name}&param3={!User.Email} + + + ]]> + + + \ No newline at end of file diff --git a/packages/code-analyzer-pmd-engine/pmd-rules/src/test/resources/sfca/rulesets/appexchange_xml/xml/AvoidAuraWithLockerDisabled.xml b/packages/code-analyzer-pmd-engine/pmd-rules/src/test/resources/sfca/rulesets/appexchange_xml/xml/AvoidAuraWithLockerDisabled.xml new file mode 100644 index 00000000..d7eca006 --- /dev/null +++ b/packages/code-analyzer-pmd-engine/pmd-rules/src/test/resources/sfca/rulesets/appexchange_xml/xml/AvoidAuraWithLockerDisabled.xml @@ -0,0 +1,32 @@ + + + + + When AuraDefinitionBundle has version less than 40, then report violation + 1 + 3 + + + 39.0 + + + ]]> + + + + When AuraDefinitionBundle has version greater than 40, then do not report violation + 0 + + + 53.0 + + + ]]> + + + \ No newline at end of file diff --git a/packages/code-analyzer-pmd-engine/pmd-rules/src/test/resources/sfca/rulesets/appexchange_xml/xml/AvoidDisableProtocolSecurity.xml b/packages/code-analyzer-pmd-engine/pmd-rules/src/test/resources/sfca/rulesets/appexchange_xml/xml/AvoidDisableProtocolSecurity.xml new file mode 100644 index 00000000..841b91a7 --- /dev/null +++ b/packages/code-analyzer-pmd-engine/pmd-rules/src/test/resources/sfca/rulesets/appexchange_xml/xml/AvoidDisableProtocolSecurity.xml 
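Review bot: Every test-code case in this fixture expects exactly one violation, so nothing checks that the rule stays quiet on a weblink or tab that references `$Api` without a session ID; the other two new fixtures each carry a do-not-report case and this one should too. A fourth case with a url such as `/apex/something?id={!something__c.Id}&instance={!$Api.Partner_Server_URL_260}` and `<expected-problems>0</expected-problems>` would catch an XPath that over-matches on any `$Api.` or `sforce.connection` reference. The casing already varies between cases (`$Api.Session_ID` in the weblink, `API.Session_ID` in the tab), which is useful, but if formula function names are case-insensitive here a lowercase `getsessionid()` variant is not covered either.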
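Review bot: The two cases use versions 39.0 and 53.0, so the boundary the rule description draws at 40 is not pinned; a case with `<apiVersion>40.0</apiVersion>` and `<expected-problems>0</expected-problems>` would fix whether the comparison is "below 40" or "40 and below". The second case's description says `greater than 40`, which is accurate for 53.0 but leaves the equal case undefined. If the XPath compares the version as text rather than as a number, a three-digit value such as `100.0` would sort below `40.0`, so a case with a version above 99 is worth adding as well.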
@@ -0,0 +1,32 @@ + + + + + When RemoteSite Setting Disable Protocol Security is true, then report violation + 1 + 3 + + + true + + + ]]> + + + + When RemoteSite Setting Disable Protocol Security is false, then do not report violation + 0 + + + false + + + ]]> + + + \ No newline at end of file diff --git a/packages/code-analyzer-pmd-engine/pmd-rules/src/test/resources/sfca/rulesets/appexchange_xml/xml/AvoidInsecureHttpRemoteSiteSetting.xml b/packages/code-analyzer-pmd-engine/pmd-rules/src/test/resources/sfca/rulesets/appexchange_xml/xml/AvoidInsecureHttpRemoteSiteSetting.xml index 96213e75..0414c8c8 100644 --- a/packages/code-analyzer-pmd-engine/pmd-rules/src/test/resources/sfca/rulesets/appexchange_xml/xml/AvoidInsecureHttpRemoteSiteSetting.xml +++ b/packages/code-analyzer-pmd-engine/pmd-rules/src/test/resources/sfca/rulesets/appexchange_xml/xml/AvoidInsecureHttpRemoteSiteSetting.xml @@ -5,32 +5,28 @@ xsi:schemaLocation="http://pmd.sourceforge.net/rule-tests https://pmd.sourceforge.net/rule-tests_1_0_0.xsd"> - When url contains http then violation should be reported + When url contains http, then report violation 1 - 6 + 4 Avoid using insecure http urls in Remote Site Settings. - Used for Apex callout to mapping web service - false - true + http://www.maptestsite.net/mapping1 ]]> - When url contains https then violation should not be reported + When url contains https, then do not report violation 0 - Used for Apex callout to mapping web service - false - true + https://www.maptestsite.net/mapping1 ]]> diff --git a/packages/code-analyzer-pmd-engine/src/constants.ts b/packages/code-analyzer-pmd-engine/src/constants.ts index 4bb3ef15..df17229e 100644 --- a/packages/code-analyzer-pmd-engine/src/constants.ts +++ b/packages/code-analyzer-pmd-engine/src/constants.ts 
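Review bot: The fixture covers `true` and `false` but not a RemoteSiteSetting that omits `disableProtocolSecurity` entirely, which is a shape the rule is likely to see in real metadata; add a third case with no such element and `<expected-problems>0</expected-problems>` so a missing element is not reported as a violation. The same commit also drops `disableProtocolSecurity` from the AvoidInsecureHttpRemoteSiteSetting fixture in the next hunk, so that file no longer doubles as a negative case for this rule, which is one more reason to make this fixture complete on its own.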
@@ -66,7 +66,7 @@ export const DEFAULT_FILE_EXTENSIONS: Record = { // helps to list the file extensions for each metadata type. For example, the RemoteSiteSettings page // https://developer.salesforce.com/docs/atlas.en-us.api_meta.meta/api_meta/meta_remotesitesetting.htm // specifies that .remoteSite is the file extension for remote site settings files. - '.remoteSite' + '.object', '.tab', '.remoteSite' ] } diff --git a/packages/code-analyzer-pmd-engine/src/pmd-rule-mappings.ts b/packages/code-analyzer-pmd-engine/src/pmd-rule-mappings.ts index 75ab4e5d..faba706b 100644 --- a/packages/code-analyzer-pmd-engine/src/pmd-rule-mappings.ts +++ b/packages/code-analyzer-pmd-engine/src/pmd-rule-mappings.ts @@ -398,6 +398,21 @@ export const RULE_MAPPINGS: Record
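Review bot: The list now contains `.object` and `.tab` without saying which rule needs them, while the comment above ties `.remoteSite` to its metadata-type page; the two new entries deserve the same trail, e.g. `// '.object' and '.tab' are scanned for AvoidApiSessionId (CustomObject webLinks and CustomTab urls).` before the changed line. Adding `.object` presumably also routes every CustomObject file through all XML rules, not just the new one, and those files can be large, so a sentence in the comment confirming that is intended would help. The enclosing `DEFAULT_FILE_EXTENSIONS` declaration starts before this hunk.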