Copyright 2010 Checkmarx
Description materials copyrighted by the National Cyber Security Division of the U.S. Department of Homeland Security and the MITRE Corporation.
Checkmarx Report
Project Name: c:\cxdata\s\sq_062227_2014_07_09_09_16_17
Load Time: 7/9/2014 9:18:00 AM
CxSuite Version: 6.2.7.2
Summary

[Charts: Problems by Queries, Problems by Severity, Problems by Impacts, Problems by Files. The chart images are not reproduced; the totals they show are given in the tables below.]

Query      Group                                   Problems found   Severity
Sharing    Apex Force.com Serious Security Risk    11               Serious

Top 10 Files

File name                                              Problems found
unpackaged\classes\softphonesearchcontroller.cls       4
unpackaged\pages\directcalljscontroller.page           1
unpackaged\pages\directcallwebservice.page             1
unpackaged\pages\directcallouvirligacoes.page          1
unpackaged\pages\directcallextratochamadas.page        1
unpackaged\pages\testdirectcall.page                   1
unpackaged\pages\democallcontrol.page                  1
unpackaged\pages\directcallobjectcontroller.page       1
Category: Access Control
CWE ID: 10505 (as printed in the report; this number does not correspond to a published CWE entry and should be read as the scanner's own query identifier)
Description The Force.com platform makes extensive use of data sharing rules. Each object can have unique permissions for which
users and profiles can read, create, edit, and delete, and record-level visibility is governed by organization-wide defaults,
sharing rules and manual shares. These restrictions are enforced automatically when using standard controllers. When a custom
Apex class runs, the built-in profile permissions and field-level security restrictions are not respected during execution,
and a class declared without a sharing keyword enforces no record-level sharing of its own: when it is the entry point (a
Visualforce controller, a controller extension or a web service method) it runs with full access to all data within the
organization. Because these rules are not enforced, developers who use Apex must take care that they do not inadvertently
expose sensitive data that would normally be hidden from users by profile-based permissions, field-level security, or
organization-wide defaults. This is particularly true for Visualforce pages, and equally for global classes whose
webService methods are callable through the SOAP API.
Demonstrative Examples For example, consider the following Apex pseudo-code:

    public class customController {
        public String value { get; set; }   // search term bound from the page (declaration added for completeness)
        public void read() {
            Contact contact = [SELECT Id FROM Contact WHERE Name = :value];
        }
    }

In this case, all contact records will be searched, even if the user currently logged in would not normally have
permission to view these records.
Potential Mitigations The solution is to use the qualifying keywords "with sharing" when declaring the class:

    public with sharing class customController {
        ...
    }

The "with sharing" keyword directs the platform to apply the record-level sharing settings of the user currently logged
in, rather than granting full access to everything. Note that "with sharing" enforces record-level sharing only
(organization-wide defaults, sharing rules and manual shares); it does not enforce object permissions (CRUD) or
field-level security. Those must still be checked in code, for example with the describe methods isAccessible(),
isCreateable(), isUpdateable() and isDeletable() on the sObject and field describe results, before the query or DML
statement is executed.
Reviewing For False Positives The following conditions may lead to false positives in the output of the report:
- The source code scanner flags all locations where "with sharing" is not used in custom controllers and
  extensions to standard controllers called from Visualforce pages and web services. It does not understand the
  context of what the code is doing or the sensitivity of the data it touches. There may be locations where other
  mitigations are in place that restrict data access independently of the "with sharing" keyword.
References http://www.salesforce.com/us/developer/docs/apexcode/Content/apex_classes_keywords_sharing.htm
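To make the mitigation concrete, and to give the reviewer a way to confirm that sharing is actually enforced rather than relying on the scanner's keyword match alone (the false-positive note above), here is an added example; it is not code from the scanned project nor from the Checkmarx report. It is a hypothetical rewrite of the customController pattern from the Demonstrative Examples: the class, property and page names (ContactSearchController, searchName, results) are assumptions, and the test assumes the org has the standard "Standard User" profile with a free licence, and a Private organization-wide default on Contact. The same "with sharing" declaration applies to a global class that hosts webService methods, since the sharing mode of an entry point is decided by the class that declares it.

```apex
// Added example (not the project's code). Two classes, normally two files:
// ContactSearchController.cls and ContactSearchControllerTest.cls.

public with sharing class ContactSearchController {

    // Bound from the page, e.g. <apex:inputText value="{!searchName}"/> (assumed page).
    public String searchName { get; set; }
    public List<Contact> results { get; private set; }

    public ContactSearchController() {
        results = new List<Contact>();
    }

    // 1. "with sharing" on the class makes the SOQL below honour record-level
    //    sharing (OWD, sharing rules, manual shares) for the running user.
    // 2. Sharing does NOT cover object or field permissions (CRUD/FLS), so they
    //    are checked explicitly with Schema describe calls before the query runs.
    // 3. The user-supplied value is passed as a bind variable, never concatenated
    //    into the query string, so no quote escaping is needed.
    public PageReference search() {
        results.clear();
        if (!Schema.sObjectType.Contact.isAccessible()
                || !Schema.sObjectType.Contact.fields.Name.isAccessible()
                || !Schema.sObjectType.Contact.fields.Email.isAccessible()) {
            ApexPages.addMessage(new ApexPages.Message(
                ApexPages.Severity.ERROR,
                'You do not have permission to view Contact records.'));
            return null;
        }
        if (String.isBlank(searchName)) {
            return null;
        }
        String pattern = '%' + searchName + '%';
        results = [SELECT Id, Name, Email
                   FROM Contact
                   WHERE Name LIKE :pattern
                   LIMIT 50];
        return null;
    }
}

@isTest
private class ContactSearchControllerTest {

    // Assumptions: "Standard User" profile exists with a free licence, and the
    // Contact organization-wide default is Private. System.runAs enforces record
    // sharing for the impersonated user, which is exactly what "with sharing"
    // is supposed to apply, so a restricted user must not see another user's record.
    @isTest
    static void sharingIsEnforcedForRestrictedUser() {
        User restricted;
        // Setup-object DML (User) is wrapped in runAs to avoid a MIXED_DML_OPERATION
        // error when the Contact is inserted afterwards in the same transaction.
        System.runAs(new User(Id = UserInfo.getUserId())) {
            Profile p = [SELECT Id FROM Profile WHERE Name = 'Standard User' LIMIT 1];
            restricted = new User(
                Alias = 'rstrctd', Email = 'restricted@example.com',
                EmailEncodingKey = 'UTF-8', LastName = 'Restricted',
                LanguageLocaleKey = 'en_US', LocaleSidKey = 'en_US',
                ProfileId = p.Id, TimeZoneSidKey = 'America/Los_Angeles',
                UserName = 'restricted.' + System.currentTimeMillis() + '@example.com');
            insert restricted;
        }

        // Owned by the test-running user, never shared with "restricted".
        insert new Contact(LastName = 'Hidden', Email = 'hidden@example.com');

        System.runAs(restricted) {
            ContactSearchController c = new ContactSearchController();
            c.searchName = 'Hidden';
            c.search();
            // With a Private OWD the restricted user must not see the record.
            System.assertEquals(0, c.results.size(),
                'with sharing should hide records the running user cannot see');
        }
    }
}
```

Removing "with sharing" from the controller (or replacing it with "without sharing") makes the assertion fail, which is the quickest way to confirm that the scanner's finding is real for a given class rather than a false positive covered by some other control. One design note: because the search term is a bind variable, SOQL injection is not possible here, but "%" and "_" in the input still act as LIKE wildcards; if that matters, strip or escape them before building the pattern.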
Path 1:
Query Name - Sharing
Severity - Serious
1. <apex:page showHeader="false" controller="SoftphoneSearchController">   //democallcontrol.page
1. global class SoftphoneSearchController   //softphonesearchcontroller.cls

Path 2:
Query Name - Sharing
Severity - Serious
1. <apex:page controller="SoftphoneSearchController">   //directcallextratochamadas.page
1. global class SoftphoneSearchController   //softphonesearchcontroller.cls

Path 3:
Query Name - Sharing
Severity - Serious
1. <apex:page showHeader="false" standardStylesheets="false" sidebar="false" controller="SoftphoneSearchController">   //directcalljscontroller.page
1. global class SoftphoneSearchController   //softphonesearchcontroller.cls

Path 4:
Query Name - Sharing
Severity - Serious
1. <apex:page contentType="application/x-JavaScript; charset=utf-8" controller="SoftphoneSearchController" action="{!getLogin}" showHeader="false" standardStylesheets="false" sidebar="false">{!dataLogin}   //directcallobjectcontroller.page
1. global class SoftphoneSearchController   //softphonesearchcontroller.cls

Path 5:
Query Name - Sharing
Severity - Serious
1. <apex:page controller="SoftphoneSearchController">   //directcallouvirligacoes.page
1. global class SoftphoneSearchController   //softphonesearchcontroller.cls

Path 6:
Query Name - Sharing
Severity - Serious
1. <apex:page contentType="application/x-JavaScript; charset=utf-8" showHeader="false" standardStylesheets="false" sidebar="false" action="{!doSearchService}" controller="SoftphoneSearchController">{!retornoq}   //directcallwebservice.page
1. global class SoftphoneSearchController   //softphonesearchcontroller.cls

Path 7:
Query Name - Sharing
Severity - Serious
1. <apex:page controller="SoftphoneSearchController" action="{!getLogin}">   //testdirectcall.page
1. global class SoftphoneSearchController   //softphonesearchcontroller.cls

Path 8:
Query Name - Sharing
Severity - Serious
218. webService static String getTokenService(String client_id, String client_secret)   //softphonesearchcontroller.cls
...
220. SoftphoneSearchController obj = new SoftphoneSearchController();
1. global class SoftphoneSearchController   //softphonesearchcontroller.cls

Path 9:
Query Name - Sharing
Severity - Serious
218. webService static String getTokenService(String client_id, String client_secret)   //softphonesearchcontroller.cls
...
220. SoftphoneSearchController obj = new SoftphoneSearchController();
1. global class SoftphoneSearchController   //softphonesearchcontroller.cls

Path 10:
Query Name - Sharing
Severity - Serious
327. webService static String unificaExtrato(String endpoint, String access_token, String data_inicial, String data_final, String numeroOrigem, String numeroDestino)   //softphonesearchcontroller.cls
...
335. SoftphoneSearchController obj = new SoftphoneSearchController();
1. global class SoftphoneSearchController   //softphonesearchcontroller.cls

Path 11:
Query Name - Sharing
Severity - Serious
327. webService static String unificaExtrato(String endpoint, String access_token, String data_inicial, String data_final, String numeroOrigem, String numeroDestino)   //softphonesearchcontroller.cls
...
335. SoftphoneSearchController obj = new SoftphoneSearchController();
1. global class SoftphoneSearchController   //softphonesearchcontroller.cls








Summary





Top 10 Files





BACK TO TOP


[Table of Contents] [Description]



[Table of Contents] [Description]



[Table of Contents] [Description]



[Table of Contents] [Description]



[Table of Contents] [Description]



[Table of Contents] [Description]



[Table of Contents] [Description]



[Table of Contents] [Description]



[Table of Contents] [Description]



[Table of Contents] [Description]



[Table of Contents] [Description]




Copyright 2010 Checkmarx
Description materials copyrighted by the National Cyber Security Division of the U.S. Department of Homeland Security and the MITRE Corporation.
Checkmarx Report
Project Name: c:\cxdata\s\sq_062227_2014_07_09_09_16_17
Load Time: 7/9/2014 9:18:00 AM
CxSuite Version: 6.2.7.2
Problems by Queries Problems by Severity

Problems by Impacts Problems by Files

Query Group Problems found Severity
Sharing ApexForcecomSeriousSecurityRisk 11

File name Problems found
unpackaged\classes\softphonesearchcontroller.cls 4
unpackaged\pages\directcalljscontroller.page 1
unpackaged\pages\directcallwebservice.page 1
unpackaged\pages\directcallouvirligacoes.page 1
unpackaged\pages\directcallextratochamadas.page 1
unpackaged\pages\testdirectcall.page 1
unpackaged\pages\democallcontrol.page 1
unpackaged\pages\directcallobjectcontroller.page 1
Access Control
CWE ID 10505
Description The Force.com platform makes extensive use of data sharing rules. Each object can have unique permissions for which
users and profiles can read, create, edit, and delete. These restrictions are enforced when using all standard
controllers. When using a custom Apex class, the built-in profile permissions and field-level security restrictions are
not respected during execution. The default behavior is that an apex class has the ability to read and update all data
with the organization. Because these rules are not enforced, developers who use Apex must take care that they do
not inadvertently expose sensitive data that would normally be hidden from users by profile-based permissions, field-
level security, or organization-wide defaults. This is particularly true for Visualforce pages.
Demonstrative
Examples
For example, consider the following Apex pseudo-code:


In this case, all contact records will be searched, even if the user currently logged in would not normally have
permission to view these records.
public class customController {
publicvoidread(){
Contactcontact=[SelectidfromContactwhereName=:value]
}
}
PotentialMitigations The solution is to use the qualifying keywords "with sharing" when declaring the class:


The "with sharing" keyword directs the platform to using the security sharing permissions of the user currently logged
in, rather than full access to everything.
public with sharing class customController {
...
}
Reviewing For
False
Positives
The following conditions may lead to false positives in the output of the report:
l The source code scanner flags all locations where "with sharing" is not used in custom controllers and
extensions to standard controllers called from VisualForce pages and web services. It does not understand the
context of what the code is doing and the sensitivity of it. There may be locations where other mitigations are
in place that prevent access to data beyond the "with sharing" keywords.
References http://www.salesforce.com/us/developer/docs/apexcode/Content/apex_classes_keywords_sharing.htm
Path 1:
Query Name - Sharing
Severity
- Serious
1.

<apex:page showHeader="false" controller="SoftphoneSearchController">



//democallcontrol.page

1.

global class SoftphoneSearchController //softphonesearchcontroller.cls

Path 2:
Query Name - Sharing
Severity
- Serious
1.

<apex:page controller="SoftphoneSearchController">

//directcallextratochamadas.page

1.

global class SoftphoneSearchController //softphonesearchcontroller.cls

Path 3:
Query Name - Sharing
Severity
- Serious
1.

<apex:page showHeader="false" standardStylesheets="false" sidebar="false"


controller="SoftphoneSearchController">

//directcalljscontroller.page

1.

global class SoftphoneSearchController //softphonesearchcontroller.cls

Path 4:
Query Name - Sharing
Severity
- Serious
1.

<apex:page contentType="application/x-JavaScript; charset=utf-8" controller="SoftphoneSearchController" action="!getLogin}"


showHeader="false" standardStylesheets="false" sidebar="false">!dataLogin}

//directcallobjectcontroller.page

1.

global class SoftphoneSearchController //softphonesearchcontroller.cls

Path 5:
Query Name - Sharing
Severity
- Serious
1.

<apex:page controller="SoftphoneSearchController">

//directcallouvirligacoes.page

1.

global class SoftphoneSearchController //softphonesearchcontroller.cls

Path 6:
Query Name - Sharing
Severity
- Serious
1.

<apex:page contentType="application/x-JavaScript; charset=utf-8" showHeader="false" standardStylesheets="false"


sidebar="false" action="!doSearchService}" controller="SoftphoneSearchController">!retornoq}

//directcallwebservice.page

1.

global class SoftphoneSearchController //softphonesearchcontroller.cls

Path 7:
Query Name - Sharing
Severity
- Serious
1.

<apex:page controller="SoftphoneSearchController" action="!getLogin}">



//testdirectcall.page

1.

global class SoftphoneSearchController //softphonesearchcontroller.cls

Path 8:
Query Name - Sharing
Severity
- Serious
218.

webService static String getTokenService(String client_id, String client_secret) //softphonesearchcontroller.cls

...
220. SoftphoneSearchController obj = new SoftphoneSearchController();
1.

global class SoftphoneSearchController //softphonesearchcontroller.cls

Path 9:
Query Name - Sharing
Severity
- Serious
218.

webService static String getTokenService(String client_id, String client_secret) //softphonesearchcontroller.cls

...
220. SoftphoneSearchController obj = new SoftphoneSearchController();
1.

global class SoftphoneSearchController //softphonesearchcontroller.cls

Path 10:
Query Name - Sharing
Severity
- Serious
327.

webService static String unificaExtrato(String endpoint, String access_token, String data_inicial, String data_final,
String numeroOrigem, String numeroDestino)

//softphonesearchcontroller.cls

...
335. SoftphoneSearchController obj = new SoftphoneSearchController();
1.

global class SoftphoneSearchController //softphonesearchcontroller.cls

Path 11:
Query Name - Sharing
Severity
- Serious
327.

webService static String unificaExtrato(String endpoint, String access_token, String data_inicial, String data_final,
String numeroOrigem, String numeroDestino)

//softphonesearchcontroller.cls

...
335. SoftphoneSearchController obj = new SoftphoneSearchController();
1.

global class SoftphoneSearchController //softphonesearchcontroller.cls









Summary





Top 10 Files





BACK TO TOP


[Table of Contents] [Description]



[Table of Contents] [Description]



[Table of Contents] [Description]



[Table of Contents] [Description]



[Table of Contents] [Description]



[Table of Contents] [Description]



[Table of Contents] [Description]



[Table of Contents] [Description]



[Table of Contents] [Description]



[Table of Contents] [Description]



[Table of Contents] [Description]




Copyright 2010 Checkmarx
Description materials copyrighted by the National Cyber Security Division of the U.S. Department of Homeland Security and the MITRE Corporation.
Checkmarx Report
Project Name: c:\cxdata\s\sq_062227_2014_07_09_09_16_17
Load Time: 7/9/2014 9:18:00 AM
CxSuite Version: 6.2.7.2
Problems by Queries Problems by Severity

Problems by Impacts Problems by Files

Query Group Problems found Severity
Sharing ApexForcecomSeriousSecurityRisk 11

File name Problems found
unpackaged\classes\softphonesearchcontroller.cls 4
unpackaged\pages\directcalljscontroller.page 1
unpackaged\pages\directcallwebservice.page 1
unpackaged\pages\directcallouvirligacoes.page 1
unpackaged\pages\directcallextratochamadas.page 1
unpackaged\pages\testdirectcall.page 1
unpackaged\pages\democallcontrol.page 1
unpackaged\pages\directcallobjectcontroller.page 1
Access Control
CWE ID 10505
Description The Force.com platform makes extensive use of data sharing rules. Each object can have unique permissions for which
users and profiles can read, create, edit, and delete. These restrictions are enforced when using all standard
controllers. When using a custom Apex class, the built-in profile permissions and field-level security restrictions are
not respected during execution. The default behavior is that an apex class has the ability to read and update all data
with the organization. Because these rules are not enforced, developers who use Apex must take care that they do
not inadvertently expose sensitive data that would normally be hidden from users by profile-based permissions, field-
level security, or organization-wide defaults. This is particularly true for Visualforce pages.
Demonstrative
Examples
For example, consider the following Apex pseudo-code:


In this case, all contact records will be searched, even if the user currently logged in would not normally have
permission to view these records.
public class customController {
publicvoidread(){
Contactcontact=[SelectidfromContactwhereName=:value]
}
}
PotentialMitigations The solution is to use the qualifying keywords "with sharing" when declaring the class:


The "with sharing" keyword directs the platform to using the security sharing permissions of the user currently logged
in, rather than full access to everything.
public with sharing class customController {
...
}
Reviewing For
False
Positives
The following conditions may lead to false positives in the output of the report:
l The source code scanner flags all locations where "with sharing" is not used in custom controllers and
extensions to standard controllers called from VisualForce pages and web services. It does not understand the
context of what the code is doing and the sensitivity of it. There may be locations where other mitigations are
in place that prevent access to data beyond the "with sharing" keywords.
References http://www.salesforce.com/us/developer/docs/apexcode/Content/apex_classes_keywords_sharing.htm
Path 1:
Query Name - Sharing
Severity
- Serious
1.

<apex:page showHeader="false" controller="SoftphoneSearchController">



//democallcontrol.page

1.

global class SoftphoneSearchController //softphonesearchcontroller.cls

Path 2:
Query Name - Sharing
Severity
- Serious
1.

<apex:page controller="SoftphoneSearchController">

//directcallextratochamadas.page

1.

global class SoftphoneSearchController //softphonesearchcontroller.cls

Path 3:
Query Name - Sharing
Severity
- Serious
1.

<apex:page showHeader="false" standardStylesheets="false" sidebar="false"


controller="SoftphoneSearchController">

//directcalljscontroller.page

1.

global class SoftphoneSearchController //softphonesearchcontroller.cls

Path 4:
Query Name - Sharing
Severity
- Serious
1.

<apex:page contentType="application/x-JavaScript; charset=utf-8" controller="SoftphoneSearchController" action="!getLogin}"


showHeader="false" standardStylesheets="false" sidebar="false">!dataLogin}

//directcallobjectcontroller.page

1.

global class SoftphoneSearchController //softphonesearchcontroller.cls

Path 5:
Query Name - Sharing
Severity
- Serious
1.

<apex:page controller="SoftphoneSearchController">

//directcallouvirligacoes.page

1.

global class SoftphoneSearchController //softphonesearchcontroller.cls

Path 6:
Query Name - Sharing
Severity
- Serious
1.

<apex:page contentType="application/x-JavaScript; charset=utf-8" showHeader="false" standardStylesheets="false"


sidebar="false" action="!doSearchService}" controller="SoftphoneSearchController">!retornoq}

//directcallwebservice.page

1.

global class SoftphoneSearchController //softphonesearchcontroller.cls

Path 7:
Query Name - Sharing
Severity
- Serious
1.

<apex:page controller="SoftphoneSearchController" action="!getLogin}">



//testdirectcall.page

1.

global class SoftphoneSearchController //softphonesearchcontroller.cls

Path 8:
Query Name - Sharing
Severity
- Serious
218.

webService static String getTokenService(String client_id, String client_secret) //softphonesearchcontroller.cls

...
220. SoftphoneSearchController obj = new SoftphoneSearchController();
1.

global class SoftphoneSearchController //softphonesearchcontroller.cls

Path 9:
Query Name - Sharing
Severity
- Serious
218.

webService static String getTokenService(String client_id, String client_secret) //softphonesearchcontroller.cls

...
220. SoftphoneSearchController obj = new SoftphoneSearchController();
1.

global class SoftphoneSearchController //softphonesearchcontroller.cls

Path 10:
Query Name - Sharing
Severity
- Serious
327.

webService static String unificaExtrato(String endpoint, String access_token, String data_inicial, String data_final,
String numeroOrigem, String numeroDestino)

//softphonesearchcontroller.cls

...
335. SoftphoneSearchController obj = new SoftphoneSearchController();
1.

global class SoftphoneSearchController //softphonesearchcontroller.cls

Path 11:
Query Name - Sharing
Severity
- Serious
327.

webService static String unificaExtrato(String endpoint, String access_token, String data_inicial, String data_final,
String numeroOrigem, String numeroDestino)

//softphonesearchcontroller.cls

...
335. SoftphoneSearchController obj = new SoftphoneSearchController();
1.

global class SoftphoneSearchController //softphonesearchcontroller.cls









Summary





Top 10 Files





BACK TO TOP


[Table of Contents] [Description]



[Table of Contents] [Description]



[Table of Contents] [Description]



[Table of Contents] [Description]



[Table of Contents] [Description]



[Table of Contents] [Description]



[Table of Contents] [Description]



[Table of Contents] [Description]



[Table of Contents] [Description]



[Table of Contents] [Description]



[Table of Contents] [Description]




Copyright 2010 Checkmarx
Description materials copyrighted by the National Cyber Security Division of the U.S. Department of Homeland Security and the MITRE Corporation.
Checkmarx Report
Project Name: c:\cxdata\s\sq_062227_2014_07_09_09_16_17
Load Time: 7/9/2014 9:18:00 AM
CxSuite Version: 6.2.7.2
Problems by Queries Problems by Severity

Problems by Impacts Problems by Files

Query Group Problems found Severity
Sharing ApexForcecomSeriousSecurityRisk 11

File name Problems found
unpackaged\classes\softphonesearchcontroller.cls 4
unpackaged\pages\directcalljscontroller.page 1
unpackaged\pages\directcallwebservice.page 1
unpackaged\pages\directcallouvirligacoes.page 1
unpackaged\pages\directcallextratochamadas.page 1
unpackaged\pages\testdirectcall.page 1
unpackaged\pages\democallcontrol.page 1
unpackaged\pages\directcallobjectcontroller.page 1
Access Control
CWE ID 10505
Description The Force.com platform makes extensive use of data sharing rules. Each object can have unique permissions for which
users and profiles can read, create, edit, and delete. These restrictions are enforced when using all standard
controllers. When using a custom Apex class, the built-in profile permissions and field-level security restrictions are
not respected during execution. The default behavior is that an apex class has the ability to read and update all data
with the organization. Because these rules are not enforced, developers who use Apex must take care that they do
not inadvertently expose sensitive data that would normally be hidden from users by profile-based permissions, field-
level security, or organization-wide defaults. This is particularly true for Visualforce pages.
Demonstrative
Examples
For example, consider the following Apex pseudo-code:


In this case, all contact records will be searched, even if the user currently logged in would not normally have
permission to view these records.
public class customController {
publicvoidread(){
Contactcontact=[SelectidfromContactwhereName=:value]
}
}
PotentialMitigations The solution is to use the qualifying keywords "with sharing" when declaring the class:


The "with sharing" keyword directs the platform to using the security sharing permissions of the user currently logged
in, rather than full access to everything.
public with sharing class customController {
...
}
Reviewing For
False
Positives
The following conditions may lead to false positives in the output of the report:
l The source code scanner flags all locations where "with sharing" is not used in custom controllers and
extensions to standard controllers called from VisualForce pages and web services. It does not understand the
context of what the code is doing and the sensitivity of it. There may be locations where other mitigations are
in place that prevent access to data beyond the "with sharing" keywords.
References http://www.salesforce.com/us/developer/docs/apexcode/Content/apex_classes_keywords_sharing.htm
Path 1:
Query Name - Sharing
Severity
- Serious
1.

<apex:page showHeader="false" controller="SoftphoneSearchController">



//democallcontrol.page

1.

global class SoftphoneSearchController //softphonesearchcontroller.cls

Path 2:
Query Name - Sharing
Severity
- Serious
1.

<apex:page controller="SoftphoneSearchController">

//directcallextratochamadas.page

1.

global class SoftphoneSearchController //softphonesearchcontroller.cls

Path 3:
Query Name - Sharing
Severity
- Serious
1.

<apex:page showHeader="false" standardStylesheets="false" sidebar="false"


controller="SoftphoneSearchController">

//directcalljscontroller.page

1.

global class SoftphoneSearchController //softphonesearchcontroller.cls

Path 4:
Query Name - Sharing
Severity
- Serious
1.

<apex:page contentType="application/x-JavaScript; charset=utf-8" controller="SoftphoneSearchController" action="!getLogin}"


showHeader="false" standardStylesheets="false" sidebar="false">!dataLogin}

//directcallobjectcontroller.page

1.

global class SoftphoneSearchController //softphonesearchcontroller.cls

Path 5:
Query Name - Sharing
Severity
- Serious
1.

<apex:page controller="SoftphoneSearchController">

//directcallouvirligacoes.page

1.

global class SoftphoneSearchController //softphonesearchcontroller.cls

Path 6:
Query Name - Sharing
Severity
- Serious
1.

<apex:page contentType="application/x-JavaScript; charset=utf-8" showHeader="false" standardStylesheets="false"


sidebar="false" action="!doSearchService}" controller="SoftphoneSearchController">!retornoq}

//directcallwebservice.page

1.

global class SoftphoneSearchController //softphonesearchcontroller.cls

Path 7:
Query Name - Sharing
Severity
- Serious
1.

<apex:page controller="SoftphoneSearchController" action="!getLogin}">



//testdirectcall.page

1.

global class SoftphoneSearchController //softphonesearchcontroller.cls

Path 8:
Query Name - Sharing
Severity
- Serious
218.

webService static String getTokenService(String client_id, String client_secret) //softphonesearchcontroller.cls

...
220. SoftphoneSearchController obj = new SoftphoneSearchController();
1.

global class SoftphoneSearchController //softphonesearchcontroller.cls

Path 9:
Query Name - Sharing
Severity
- Serious
218.

webService static String getTokenService(String client_id, String client_secret) //softphonesearchcontroller.cls

...
220. SoftphoneSearchController obj = new SoftphoneSearchController();
1.

global class SoftphoneSearchController //softphonesearchcontroller.cls

Path 10:
Query Name - Sharing
Severity
- Serious
327.

webService static String unificaExtrato(String endpoint, String access_token, String data_inicial, String data_final,
String numeroOrigem, String numeroDestino)

//softphonesearchcontroller.cls

...
335. SoftphoneSearchController obj = new SoftphoneSearchController();
1.

global class SoftphoneSearchController //softphonesearchcontroller.cls

Path 11:
Query Name - Sharing
Severity
- Serious
327.

webService static String unificaExtrato(String endpoint, String access_token, String data_inicial, String data_final,
String numeroOrigem, String numeroDestino)

//softphonesearchcontroller.cls

...
335. SoftphoneSearchController obj = new SoftphoneSearchController();
1.

global class SoftphoneSearchController //softphonesearchcontroller.cls









Summary





Top 10 Files





BACK TO TOP


[Table of Contents] [Description]



[Table of Contents] [Description]



[Table of Contents] [Description]



[Table of Contents] [Description]



[Table of Contents] [Description]



[Table of Contents] [Description]



[Table of Contents] [Description]



[Table of Contents] [Description]



[Table of Contents] [Description]



[Table of Contents] [Description]



[Table of Contents] [Description]




Copyright 2010 Checkmarx
Description materials copyrighted by the National Cyber Security Division of the U.S. Department of Homeland Security and the MITRE Corporation.
Checkmarx Report
Project Name: c:\cxdata\s\sq_062227_2014_07_09_09_16_17
Load Time: 7/9/2014 9:18:00 AM
CxSuite Version: 6.2.7.2
Problems by Queries Problems by Severity

Problems by Impacts Problems by Files

Query Group Problems found Severity
Sharing ApexForcecomSeriousSecurityRisk 11

File name Problems found
unpackaged\classes\softphonesearchcontroller.cls 4
unpackaged\pages\directcalljscontroller.page 1
unpackaged\pages\directcallwebservice.page 1
unpackaged\pages\directcallouvirligacoes.page 1
unpackaged\pages\directcallextratochamadas.page 1
unpackaged\pages\testdirectcall.page 1
unpackaged\pages\democallcontrol.page 1
unpackaged\pages\directcallobjectcontroller.page 1
Access Control
CWE ID 10505
Description The Force.com platform makes extensive use of data sharing rules. Each object can have unique permissions for which
users and profiles can read, create, edit, and delete. These restrictions are enforced when using all standard
controllers. When using a custom Apex class, the built-in profile permissions and field-level security restrictions are
not respected during execution. The default behavior is that an apex class has the ability to read and update all data
with the organization. Because these rules are not enforced, developers who use Apex must take care that they do
not inadvertently expose sensitive data that would normally be hidden from users by profile-based permissions, field-
level security, or organization-wide defaults. This is particularly true for Visualforce pages.
Demonstrative
Examples
For example, consider the following Apex pseudo-code:


In this case, all contact records will be searched, even if the user currently logged in would not normally have
permission to view these records.
public class customController {
publicvoidread(){
Contactcontact=[SelectidfromContactwhereName=:value]
}
}
PotentialMitigations The solution is to use the qualifying keywords "with sharing" when declaring the class:


The "with sharing" keyword directs the platform to using the security sharing permissions of the user currently logged
in, rather than full access to everything.
public with sharing class customController {
...
}
Reviewing For
False
Positives
The following conditions may lead to false positives in the output of the report:
l The source code scanner flags all locations where "with sharing" is not used in custom controllers and
extensions to standard controllers called from VisualForce pages and web services. It does not understand the
context of what the code is doing and the sensitivity of it. There may be locations where other mitigations are
in place that prevent access to data beyond the "with sharing" keywords.
References http://www.salesforce.com/us/developer/docs/apexcode/Content/apex_classes_keywords_sharing.htm
Path 1:
Query Name - Sharing
Severity - Serious
1. <apex:page showHeader="false" controller="SoftphoneSearchController"> //democallcontrol.page
1. global class SoftphoneSearchController //softphonesearchcontroller.cls

Path 2:
Query Name - Sharing
Severity - Serious
1. <apex:page controller="SoftphoneSearchController"> //directcallextratochamadas.page
1. global class SoftphoneSearchController //softphonesearchcontroller.cls

Path 3:
Query Name - Sharing
Severity - Serious
1. <apex:page showHeader="false" standardStylesheets="false" sidebar="false" controller="SoftphoneSearchController"> //directcalljscontroller.page
1. global class SoftphoneSearchController //softphonesearchcontroller.cls

Path 4:
Query Name - Sharing
Severity - Serious
1. <apex:page contentType="application/x-JavaScript; charset=utf-8" controller="SoftphoneSearchController" action="{!getLogin}" showHeader="false" standardStylesheets="false" sidebar="false">{!dataLogin} //directcallobjectcontroller.page
1. global class SoftphoneSearchController //softphonesearchcontroller.cls

Path 5:
Query Name - Sharing
Severity - Serious
1. <apex:page controller="SoftphoneSearchController"> //directcallouvirligacoes.page
1. global class SoftphoneSearchController //softphonesearchcontroller.cls

Path 6:
Query Name - Sharing
Severity - Serious
1. <apex:page contentType="application/x-JavaScript; charset=utf-8" showHeader="false" standardStylesheets="false" sidebar="false" action="{!doSearchService}" controller="SoftphoneSearchController">{!retornoq} //directcallwebservice.page
1. global class SoftphoneSearchController //softphonesearchcontroller.cls

Path 7:
Query Name - Sharing
Severity - Serious
1. <apex:page controller="SoftphoneSearchController" action="{!getLogin}"> //testdirectcall.page
1. global class SoftphoneSearchController //softphonesearchcontroller.cls

Path 8:
Query Name - Sharing
Severity - Serious
218. webService static String getTokenService(String client_id, String client_secret) //softphonesearchcontroller.cls
...
220. SoftphoneSearchController obj = new SoftphoneSearchController();
1. global class SoftphoneSearchController //softphonesearchcontroller.cls

Path 9:
Query Name - Sharing
Severity - Serious
218. webService static String getTokenService(String client_id, String client_secret) //softphonesearchcontroller.cls
...
220. SoftphoneSearchController obj = new SoftphoneSearchController();
1. global class SoftphoneSearchController //softphonesearchcontroller.cls

Path 10:
Query Name - Sharing
Severity - Serious
327. webService static String unificaExtrato(String endpoint, String access_token, String data_inicial, String data_final, String numeroOrigem, String numeroDestino) //softphonesearchcontroller.cls
...
335. SoftphoneSearchController obj = new SoftphoneSearchController();
1. global class SoftphoneSearchController //softphonesearchcontroller.cls

Path 11:
Query Name - Sharing
Severity - Serious
327. webService static String unificaExtrato(String endpoint, String access_token, String data_inicial, String data_final, String numeroOrigem, String numeroDestino) //softphonesearchcontroller.cls
...
335. SoftphoneSearchController obj = new SoftphoneSearchController();
1. global class SoftphoneSearchController //softphonesearchcontroller.cls