Affects PMD Version: 6.18.0
Rule: ApexCSRF
Description:
A Visualforce page fails to load when its controller's constructor executes DML statements. Salesforce seems to already protect against CSRF attacks.
Maybe I am missing something, but there seems to be no security vulnerability, so this would be a false positive.
However, the page fails, so reporting an issue still makes sense. What about reporting DML in constructors as "Error Prone" instead of "Security" issues?
Code sample demonstrating the issue:
1/ Create the following two files in the Salesforce Developer Console:
```apex
// File ApexCSRF_FP.cls
public class ApexCSRF_FP {
    public ApexCSRF_FP() { // issue raised here
        List<Task> tasks = [SELECT Id, Subject FROM Task];
        for (Task t : tasks) {
            t.Subject = 'test';
        }
        update tasks;
    }

    public List<Task> getValue() {
        return [SELECT Id, Subject FROM Task];
    }
}
```
```xml
<!-- File ApexCSRF_FP.vfp -->
<!-- the controller attribute must name the class above, or the page will not save -->
<apex:page controller="ApexCSRF_FP">
    <apex:pageBlock>
        <apex:pageBlockTable value="{! value }" var="val">
            <apex:column value="{! val.Id }"/>
            <apex:column value="{! val.Subject }"/>
        </apex:pageBlockTable>
    </apex:pageBlock>
</apex:page>
```
2/ Open the ApexCSRF_FP.vfp page and click the "Preview" button.
The following message appears instead of the page:
```
DML currently not allowed
An unexpected error has occurred. Your development organization has been notified.
```
3/ Comment out `update tasks;` and the page loads properly.
This was tested with Salesforce API versions 42 and 46.
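For comparison, the refactoring that the ApexCSRF rule is steering towards, as an added example that is not part of the issue: the constructor only reads, and the `update` moves into an action method (the name `updateSubjects` is my choice) that is wired to an `<apex:commandButton action="{!updateSubjects}">` inside an `<apex:form>` on the page. The write then only runs on a form submit, which Salesforce sends as a POST carrying its anti-CSRF token, and never on a plain page load.

```apex
// File ApexCSRF_FP.cls, hardened form (added example, not the issue's code)
public class ApexCSRF_FP {
    private List<Task> tasks;

    // Constructor only queries; reads are allowed here and are not flagged by ApexCSRF.
    public ApexCSRF_FP() {
        tasks = [SELECT Id, Subject FROM Task];
    }

    // Getter backing the {! value } expression in the page; still read-only.
    public List<Task> getValue() {
        return tasks;
    }

    // Action method (hypothetical name): invoked only by the commandButton's POST,
    // so the DML cannot be triggered by merely opening the page.
    public PageReference updateSubjects() {
        for (Task t : tasks) {
            t.Subject = 'test';
        }
        update tasks;
        return null; // stay on the current page after the update
    }
}
```

The rule also flags any method named `init`, since an `<apex:page action="{!init}">` handler runs on the initial GET just like a constructor does.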
Running PMD through: CLI