Last updated: 2017-08-09T21:14:21.384Z
Authentication is present in almost all web applications nowadays.
You need to enable the following patterns for this category to be verified
Suggest named credentials for authentication
Hardcoded password default
Hardcoded password string
Password config option not marked secret
Hardcoded password funcarg
Execute with run as root equals true
Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated.
Avoid calling VF action upon page load
Avoid making DML operations in Apex class constructor/init method
Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system.
Start process with partial path
Any other function with shell equals true
Start process with a shell
Subprocess without shell equals true
Subprocess popen with shell equals true
Start process with no shell
Cryptography is a widely used security technique, and there are many cryptographic functions available, but not all of them are secure.
Apex classes should use random IV/key
Weak cryptographic key
An attacker may use special paths to access files that should not be accessible.
Avoid hardcoding paths to temporary files
Set bad file permissions
HTTP headers are a common attack vector for malicious users.
Unvalidated input may lead to SQL injection attacks, for instance.
Validate CRUD permission before SOQL/DML operation
Avoid unescaped user controlled content in EL
Xml bad cElementTree
Xml bad minidom
Xml bad sax
Xml bad etree
Xml bad expatreader
Xml bad expatbuilder
Linux commands wildcard injection
Xml bad ElementTree
Xml bad pulldom
Consider possible security implications associated with some modules.
Calling potentially dangerous method
Apex classes should declare a sharing model if DML or SOQL/SOSL is used
Import xml sax
Import xml etree
Import xml pulldom
Import xml minidom
Import xml expat
Other language-specific security issues.
Try except pass
Try except continue
Hardcoded bind all interfaces
Flask debug true
Badly configured routes can give unintended access to an attacker.
Apex classes should safely redirect to a known location
Apex callouts should use encrypted communication channels
A SQL injection attack consists of insertion or 'injection' of a SQL query via the input data from the client to the application.
Avoid untrusted/unescaped variables in DML query
Hardcoded sql expressions
Simply using SSL isn't enough to ensure the data you are sending is secure. Man in the middle attacks are well known and widely used.
Request with no cert validation
Ssl with no version
Ssl with bad version
Ssl with bad defaults
XSS enables attackers to inject client-side scripts into web pages viewed by other users.
Apex classes should escape/sanitize Strings obtained from URL parameters
Apex classes should escape Strings in error messages
Use of mako templates
Jinja2 autoescape false