Lehel44 commented on code in PR #6794:
URL: https://github.com/apache/nifi/pull/6794#discussion_r1072970089
##########
nifi-nar-bundles/nifi-salesforce-bundle/nifi-salesforce-processors/src/main/java/org/apache/nifi/processors/salesforce/QuerySalesforceObject.java:
##########
@@ -106,13 +113,54 @@
@DefaultSchedule(strategy = SchedulingStrategy.TIMER_DRIVEN, period = "1 min")
public class QuerySalesforceObject extends AbstractProcessor {
+ static final AllowableValue QUERY_PARAMETERS = new
AllowableValue("query-parameters", "Query Parameters", "Provide query by
parameters.");
Review Comment:
I agree with the naming. About the SQL injection, I found this in the Salesforce
docs. I think the room for injection is still there, but Salesforce argues it's
the user's responsibility by setting the right permissions for everything. What
do you think?
"SOQL INJECTION and APIs
The REST and SOAP APIs allow end users to submit arbitrary SOQL strings.
However, this does not lead to SOQL injection because the APIs include built-in
checks for sharing and CRUD/FLS permissions. This means that end users are only
allowed to see or modify records and fields that they already have access to.
On the other hand, when making SOQL calls in Apex Code, no CRUD/FLS checks are
performed (and sharing checks are only performed if the 'with sharing' keyword
is used). Therefore it is a serious security vulnerability to allow end users
to control the contents of a SOQL query issued in Apex code, but not for end
users to control the contents of a SOQL query via the API."
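The comment above weighs whether the API's CRUD/FLS checks make SOQL injection a non-issue for a processor that forwards user-built queries. Even where the API enforces permissions, the client that assembles the query string still decides whether a parameter value can rewrite the WHERE clause. The following is an added example, not code from the NiFi PR or the Apache NiFi project, showing the naive concatenation next to a hardened builder that validates the field against an allow-list and escapes the value as a SOQL string literal; the class name, the `ALLOWED_FIELDS` set and the sample value are constructed for this illustration.

```java
// Added example (not NiFi code): building a SOQL WHERE clause from parameters.
// SOQL string literals are single-quoted and use backslash as the escape
// character, so quotes, backslashes and line breaks in a value must be escaped
// before the value is placed inside the literal.
import java.util.Set;

public class SoqlQueryBuilder {

    // Constructed allow-list: field names are never taken verbatim from input.
    private static final Set<String> ALLOWED_FIELDS = Set.of("Name", "Industry", "BillingCity");

    // Escape a value for use inside a single-quoted SOQL string literal.
    static String escapeLiteral(String value) {
        StringBuilder sb = new StringBuilder(value.length() + 8);
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\\\"); break;   // backslash first, so later escapes are not doubled
                case '\'': sb.append("\\'");  break;   // quote would otherwise terminate the literal
                case '"':  sb.append("\\\""); break;
                case '\n': sb.append("\\n");  break;   // keep the query on one logical line
                case '\r': sb.append("\\r");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Unsafe: field and value are concatenated verbatim, so a value containing
    // a quote changes the structure of the query rather than just its data.
    static String buildUnsafe(String object, String field, String value) {
        return "SELECT Id FROM " + object + " WHERE " + field + " = '" + value + "'";
    }

    // Hardened: the field must be on the allow-list and the value is escaped,
    // so the user controls only the contents of one string literal.
    static String buildSafe(String object, String field, String value) {
        if (!ALLOWED_FIELDS.contains(field)) {
            throw new IllegalArgumentException("field not permitted in filter: " + field);
        }
        return "SELECT Id FROM " + object + " WHERE " + field + " = '" + escapeLiteral(value) + "'";
    }

    public static void main(String[] args) {
        // Constructed sample value: a quote followed by an extra condition.
        String sample = "Acme' OR Name != '";
        System.out.println("unsafe: " + buildUnsafe("Account", "Name", sample));
        System.out.println("safe:   " + buildSafe("Account", "Name", sample));
        try {
            buildSafe("Account", "Id FROM User WHERE Name", "x");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Running `main` prints the two query strings side by side: in the unsafe form the value has become a second boolean condition, while in the safe form the whole value sits inside one literal. The allow-list matters as much as the escaping, because a field name is not a string literal and cannot be escaped into safety.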