[fix] Security Hardening: Fix SOQL Injection & XSS Vulnerabilities, Update API to v65 (#184)

* Upgrade api version to 65

* Create test suite to quickly run all package tests

* Fix SOQL Injection Vulnerability

* Remove sobject parameter deduced from recordId

* fix issues with jsEncode

* Update VSCode settings and change sharing model for ActionPlanCreateInvocable and ActionPlansTriggerHandlers classes

* Fix XSS vulnerability

* Remove unused settings and update PMD rules to use correct Visualforce category

* Dummy update to test pr.yml on fork

* Test removing namespace

* Fix typo

* prettier fix

* Prettier apex controller

* fix PMD old flag with v7 one

Author: tprouvot

.github/workflows/ci.yml

@@ -65,4 +65,4 @@ jobs:
 
       # Run PMD scan
       - name: 'Run PMD scan'
-        run: ~/pmd/bin/pmd check -d sfdx-source/LabsActionPlans -R pmd/deployRules.xml -f text --cache .pmdCache -min 2
+        run: ~/pmd/bin/pmd check -d sfdx-source/LabsActionPlans -R pmd/deployRules.xml -f text --cache .pmdCache --minimum-priority 2

.github/workflows/pr.yml

@@ -25,8 +25,8 @@ jobs:
       - name: 'Checkout source code'
         uses: actions/checkout@v3
 
-      # Install PMD
-      - name: 'Install PMD'
+      # Install Latest PMD
+      - name: 'Install Latest PMD'
         run: |
           PMD_VERSION=$(curl -s https://api.github.com/repos/pmd/pmd/releases/latest | grep '.tag_name' | sed 's:.*/::' | sed 's:",::')
           wget https://github.com/pmd/pmd/releases/download/pmd_releases%2F$PMD_VERSION/pmd-dist-$PMD_VERSION-bin.zip
@@ -67,9 +67,9 @@ jobs:
         run: sf org login sfdx-url --sfdx-url-file ./DEVHUB_SFDX_URL.txt --alias devhub --set-default-dev-hub
 
         # Add namespace to project config
-      - name: Add namespace to project config
-        run: |
-          sed -i 's,"namespace": "","namespace": "LabsActionPlans",' sfdx-project.json
+      # - name: Add namespace to project config
+      #   run: |
+      #     sed -i 's,"namespace": "","namespace": "LabsActionPlans",' sfdx-project.json
 
       # Create scratch org
       - name: 'Create scratch org'
@@ -104,6 +104,6 @@ jobs:
         run: sf org delete scratch --no-prompt --target-org ActionPlans
 
       # Remove namespace from project config
-      - name: Remove namespace from project config
-        run: |
-          sed -i 's,"namespace": "LabsActionPlans","namespace": "",' sfdx-project.json
+      # - name: Remove namespace from project config
+      #   run: |
+      #     sed -i 's,"namespace": "LabsActionPlans","namespace": "",' sfdx-project.json

pmd/deployRules.xml

@@ -308,7 +308,7 @@
 	<!-- <rule ref="category/apex/errorprone.xml/OverrideBothEqualsAndHashcode" /> -->
 
 	<!-- VISUALFORCE RULES -->
-	<rule ref="category/vf/security.xml/VfHtmlStyleTagXss" message="Dynamic EL content within URL in style tag should be URLENCODED or JSINHTMLENCODED as appropriate">
+	<rule ref="category/visualforce/security.xml/VfHtmlStyleTagXss" message="Dynamic EL content within URL in style tag should be URLENCODED or JSINHTMLENCODED as appropriate">
 		<!--
 					<apex:page>
 				<style>
@@ -324,12 +324,13 @@
 		<priority>3</priority>
 	</rule>
 
-	<!--Example <apex:outputText value="Potential XSS is {! here }" escape="false" /> -->
-	<!-- 	<rule ref="category/vf/security.xml/VfUnescapeEl" message="Avoid unescaped user controlled content in EL as it results in XSS.">
+	<!--Example
+	<apex:outputText value="Potential XSS is {! here }" escape="false" /> -->
+	<!-- 	<rule ref="category/visualforce/security.xml/VfUnescapeEl" message="Avoid unescaped user controlled content in EL as it results in XSS.">
 		<priority>3</priority>
 	</rule> -->
 
 	<!-- Error on apex:page action usage -->
 	<!-- <apex:page controller="AcRestActionsController" action="{!csrfInitMethod}" > -->
-	<rule ref="category/vf/security.xml/VfCsrf" />
-</ruleset>
+	<rule ref="category/visualforce/security.xml/VfCsrf" />
+</ruleset>

sfdx-project.json

@@ -9,7 +9,7 @@
       "ancestorVersion": "HIGHEST",
       "releaseNotesUrl": "https://github.com/SalesforceLabs/ActionPlansV4/blob/main/README.md",
       "definitionFile": "config/install-scratch-def.json",
-      "versionDescription": "Action Plans now suppports Tasks owned by Queues and Professional Edition",
+      "versionDescription": "Action Plans now supports Tasks owned by Queues and Professional Edition",
       "postInstallScript": "ActionPlansPostInstallScript",
       "postInstallUrl": "https://salesforcelabs.github.io/ActionPlansV4/"
     },
@@ -20,7 +20,7 @@
   "name": "Action Plans",
   "namespace": "",
   "sfdcLoginUrl": "https://login.salesforce.com",
-  "sourceApiVersion": "56.0",
+  "sourceApiVersion": "65.0",
   "packageAliases": {
     "Action Plans": "0Ho5f000000oLlrCAE",
     "ActionPlans": "0Ho5f000000oLlrCAE",

sfdx-source/LabsActionPlans/main/default/classes/ActionPlanCreateInvocable.cls

@@ -14,11 +14,19 @@ SPDX-License-Identifier: BSD-3-Clause
 For full license text, see the LICENSE file in the repo root or https://opensource.org/licenses/BSD-3-Clause
 */
 /**
+ * Invocable class for creating Action Plans from templates.
+ *
+ * This class uses `inherited sharing` to respect the calling context's sharing rules:
+ * - When invoked from Flows/Process Builder (system context), it executes without sharing restrictions
+ * - When invoked from Apex code with sharing rules, it respects those rules
+ *
+ * This approach provides flexibility for automation while maintaining security when called from user context.
+ *
  * @group Invocable
  * @author {@link [David Schach](https://github.com/dschach)}
  * @since 2022
  */
-global without sharing class ActionPlanCreateInvocable {
+global inherited sharing class ActionPlanCreateInvocable {
 	/**
 	 * Invocable Apex for creating Action Plans from a template, a parent ID, and days from now to start the task due dates
 	 * @param requests Wrapper of `CreateActionPlanRequest`

sfdx-source/LabsActionPlans/main/default/classes/ActionPlanCreateInvocable.cls-meta.xml

@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <ApexClass xmlns="http://soap.sforce.com/2006/04/metadata">
-    <apiVersion>62.0</apiVersion>
+    <apiVersion>65.0</apiVersion>
     <status>Active</status>
 </ApexClass>

sfdx-source/LabsActionPlans/main/default/classes/ActionPlanCreationController.cls-meta.xml

@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <ApexClass xmlns="http://soap.sforce.com/2006/04/metadata">
-    <apiVersion>62.0</apiVersion>
+    <apiVersion>65.0</apiVersion>
     <status>Active</status>
 </ApexClass>

sfdx-source/LabsActionPlans/main/default/classes/ActionPlanDetailController.cls-meta.xml

@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <ApexClass xmlns="http://soap.sforce.com/2006/04/metadata">
-    <apiVersion>62.0</apiVersion>
+    <apiVersion>65.0</apiVersion>
     <status>Active</status>
 </ApexClass>

sfdx-source/LabsActionPlans/main/default/classes/ActionPlanTemplateCreationController.cls-meta.xml

@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <ApexClass xmlns="http://soap.sforce.com/2006/04/metadata">
-    <apiVersion>62.0</apiVersion>
+    <apiVersion>65.0</apiVersion>
     <status>Active</status>
 </ApexClass>

sfdx-source/LabsActionPlans/main/default/classes/ActionPlanTemplateDetailController.cls-meta.xml

@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <ApexClass xmlns="http://soap.sforce.com/2006/04/metadata">
-    <apiVersion>62.0</apiVersion>
+    <apiVersion>65.0</apiVersion>
     <status>Active</status>
 </ApexClass>