Facing graph Engine error in DFA report #1702

Open
keshav-ksolves opened this issue Dec 24, 2024 · 14 comments
Labels
BUG P3 Rarely Malfunction SFGE Issues related to the Salesforce Graph Engine

Comments

@keshav-ksolves

Have you tried to resolve this issue yourself first?

Yes

Bug Description

We are encountering an error in the DFA report, which is necessary to get resolved for submitting our application for the Salesforce security review. The error message is as follows:

"Graph Engine identified your source and sink, but you must manually verify that you have a sanitizer in this path. Then, add an engine directive to skip the path. Next, create a Github issue for the Code Analyzer team that includes the error and stack trace. After we fix this issue, check the Code Analyzer release notes for more info. Error and stacktrace: IndexOutOfBoundsException: Index 2 out of bounds for length 2: java.base/jdk.internal.util.Preconditions.outOfBounds(Preconditions.java:64);java.base/jdk.internal.util.Preconditions.outOfBoundsCheckIndex(Preconditions.java:70);java.base/jdk.internal.util.Preconditions.checkIndex(Preconditions.java:248);java.base/java.util.Objects.checkIndex(Objects.java:374);java.base/java.util.ArrayList.get(ArrayList.java:459);java.base/java.util.Collections$UnmodifiableList.get(Collections.java:1310)"

Output / Logs

No response

Steps To Reproduce

Steps to reproduce the behavior:
1. Open VS Code
2. Execute the following command:
```
sf scanner run dfa --format csv --outfile CodeAnalyzerDFA.csv --target ./ --projectdir ./ --category Security
```

Expected Behavior

We need to submit our app for security review, so we need to confirm that this error will not affect our security review process.

Operating System

Ubuntu 22.04.3

Salesforce CLI Version

@salesforce/cli/2.70.7 linux-x64 node-v22.11.0

Code Analyzer Plugin (@salesforce/sfdx-scanner) Version

@salesforce/sfdx-scanner 4.2.0 (latest-beta)

Additional Context (Screenshots, Files, etc)

No response

Workaround

No response

Urgency

Critical

@stephen-carter-at-sf
Collaborator

Duplicate of #1497

@stephen-carter-at-sf stephen-carter-at-sf marked this as a duplicate of #1497 Dec 26, 2024
@stephen-carter-at-sf stephen-carter-at-sf closed this as not planned Dec 26, 2024
@keshav-ksolves
Author

@stephen-carter-at-sf - Could you please mention here whether this issue is a blocker for security review?

@jfeingold35
Collaborator

@keshav-ksolves , no. You can document this the same way you document any other false positive.

@keshav-ksolves
Author

@jfeingold35 - Thanks for the response. Could you please also mention the possible causes so that I can mention them in the false positive report?

@jfeingold35
Collaborator

@keshav-ksolves , short version: we're encountering an IndexOutOfBoundsException while we're traversing one of the paths in your codebase, which is almost certainly our fault, not yours. I'm not sure where exactly it's coming from, though, and can't necessarily provide more information without looking at your logs or the code itself.

@keshav-ksolves
Author

Hi @jfeingold35 - Sure, attaching the logs for you
sfge-12-24-2024-1.log.gz

@jfeingold35
Collaborator

Hm. It looks like there are a few different places where this is being caused.
Could you show me the ternary expression at line 72 of AudioPlayerController.cls? That seems like it might be one of them.

@keshav-ksolves
Author

Sure @jfeingold35

```apex
@AuraEnabled
public static void updateCallRecordDuration(String recordId) {
    CallHistory__c callHistory = recordId;
    if (callHistory.RecordingDuration__c == null || callHistory.RecordingDuration__c <= 0 && callHistory.RecordingURL__c != null) {
        // Derive the recording metadata URL from the stored .mp3 URL
        String BASE_URL = callHistory.RecordingURL__c.split('.mp3')[0] + '.json';
        CTI_Provider__c twilioCreds = (!Test.isRunningTest()) ? CallHistorySelector.getCredsOfCurrentUser() : new CTI_Provider__c();

        String API_KEY_SID = twilioCreds?.API_Key__c;
        String API_KEY_SECRET = twilioCreds?.API_Secret__c;

        HttpRequest req = new HttpRequest();
        req.setEndpoint(BASE_URL);
        req.setMethod('GET');
        req.setHeader('Authorization', 'Basic ' + EncodingUtil.base64Encode(Blob.valueOf(API_KEY_SID + ':' + API_KEY_SECRET)));
        req.setHeader('Content-Type', 'application/x-www-form-urlencoded');

        Http http = new Http();
        HttpResponse res = http.send(req);

        if (res.getStatusCode() == 200) {
            Map<String, Object> responseMap = (Map<String, Object>) JSON.deserializeUntyped(res.getBody());
            callHistory.RecordingDuration__c = Double.valueOf(responseMap.get('duration'));
            // Sink: DML goes through the project's CRUD/FLS-checking utility
            DatabaseUtility.secureDML(AccessType.UPDATABLE, callHistory);
        } else {
            throw new CallRecordingController.RecordingException('Failed to update call record duration.');
        }
    }
}
```

And below is the code of CallHistorySelector.getCredsOfCurrentUser():

```apex
public static Object__c getCredsOfCurrentUser() {
    String currentUser = UserInfo.getUserId();
    String identity = [SELECT PhoneNumber__r.Phone__c FROM abc__c WHERE User__c =:currentUser WITH SECURITY_ENFORCED LIMIT 1]?.PhoneNumber__r.Phone__c ?? null;
    String friendlyName = identity != null ? [SELECT ProviderFriendlyName__c FROM PhoneNumber__c WHERE Phone__c =:identity WITH SECURITY_ENFORCED LIMIT 1]?.ProviderFriendlyName__c : null;
    return friendlyName != null ? [SELECT Account_SID__c, API_Key__c, API_Secret__c, Application_SID__c FROM Object__c WHERE Name =:friendlyName AND Is_Active__c = true WITH SECURITY_ENFORCED LIMIT 1] ?? null : null;
}
```

@jfeingold35
Collaborator

Thanks. We'll see if we can use this to reproduce it, and we'll let you know.

@keshav-ksolves
Author

Sure @jfeingold35 , will be waiting for your response

@jfeingold35
Collaborator

@keshav-ksolves , thank you. It looks like the problem is the syntax you're using in getCredsOfCurrentUser. Graph Engine appears unable to resolve the null coalescing and ?. accessors you're using.
If you rewrite it to something like this:

```apex
public static Object__c getCredsOfCurrentUser() {
    String currentUser = UserInfo.getUserId();
    abc__c u = [SELECT PhoneNumber__r.Phone__c from abc__c WHERE User__c =: currentUser WITH SECURITY_ENFORCED LIMIT 1];
    String identity = u != null ? u.PhoneNumber__r.Phone__c : null;
    PhoneNumber__c phone = [SELECT ProviderFriendlyName__c FROM PhoneNumber__c WHERE Phone__c = : identity WITH SECURITY_ENFORCED LIMIT 1];
    String friendlyName = phone != null ? phone.ProviderFriendlyName__c : null;
    if (friendlyName != null) {
        Object__c o = [SELECT Account_SID__c, API_Key__c, API_Secret__c, Application_SID__c FROM Object__c WHERE Name =: friendlyName AND Is_Active__c = true WITH SECURITY_ENFORCED LIMIT 1];
        return o != null ? o : null;
    } else {
        return null;
    }
}
```

then I believe it should resolve the issue, at least for now.
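As an added example (not code from this issue's author or from the Code Analyzer team), the same explicit-null-check rewrite carried through the whole credential lookup, including the `?.` accesses on `twilioCreds` in the controller snippet above, with each query read into a List so that a missing row returns null instead of raising a QueryException. Object and field names are taken from the thread; the selector's `Object__c` is assumed to be the `CTI_Provider__c` the controller assigns it to, and `getCredsOrThrow` is a hypothetical helper name.

```apex
public with sharing class CallHistorySelector {
    // Every SOQL keeps WITH SECURITY_ENFORCED, the sanitizer Graph Engine looks for
    // on the path from an @AuraEnabled source to a query or DML sink.
    public static CTI_Provider__c getCredsOfCurrentUser() {
        String currentUser = UserInfo.getUserId();
        List<abc__c> users = [SELECT PhoneNumber__r.Phone__c FROM abc__c
                              WHERE User__c = :currentUser WITH SECURITY_ENFORCED LIMIT 1];
        // Plain null/empty checks in place of `?.` and `??`
        if (users.isEmpty() || users[0].PhoneNumber__r == null) {
            return null;
        }
        String identity = users[0].PhoneNumber__r.Phone__c;
        if (identity == null) {
            return null;
        }
        List<PhoneNumber__c> phones = [SELECT ProviderFriendlyName__c FROM PhoneNumber__c
                                       WHERE Phone__c = :identity WITH SECURITY_ENFORCED LIMIT 1];
        if (phones.isEmpty() || phones[0].ProviderFriendlyName__c == null) {
            return null;
        }
        String friendlyName = phones[0].ProviderFriendlyName__c;
        // Object__c in the posted selector is assumed to be CTI_Provider__c
        List<CTI_Provider__c> creds = [SELECT Account_SID__c, API_Key__c, API_Secret__c, Application_SID__c
                                       FROM CTI_Provider__c
                                       WHERE Name = :friendlyName AND Is_Active__c = true
                                       WITH SECURITY_ENFORCED LIMIT 1];
        return creds.isEmpty() ? null : creds[0];
    }

    // Hypothetical helper for the controller: replaces `twilioCreds?.API_Key__c` and
    // `twilioCreds?.API_Secret__c` so the Authorization header is only built once both
    // secrets are known to be present. The Test.isRunningTest() stub stays with the caller.
    public static CTI_Provider__c getCredsOrThrow() {
        CTI_Provider__c twilioCreds = getCredsOfCurrentUser();
        if (twilioCreds == null || twilioCreds.API_Key__c == null || twilioCreds.API_Secret__c == null) {
            throw new CallRecordingController.RecordingException('No active CTI credentials for this user.');
        }
        return twilioCreds;
    }
}
```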

@jfeingold35 jfeingold35 reopened this Dec 27, 2024
@jfeingold35 jfeingold35 added the BUG P3 Rarely Malfunction label Dec 27, 2024
git2gus bot commented Dec 27, 2024

This issue has been linked to a new work item: W-17506930

@keshav-ksolves
Author

Thanks for your response @jfeingold35, I will try your approach. Though this error is occurring at multiple places.
So, can we avoid this for now and mention this thread in the false positive report? I need to submit it as soon as possible.

@jfeingold35
Collaborator

@keshav-ksolves , yeah, if you want to skip the refactor for now and just document all instances of this error as false positives in your report, that should be fine.

@stephen-carter-at-sf stephen-carter-at-sf added the SFGE Issues related to the Salesforce Graph Engine label Jan 15, 2025