{"id":19914,"date":"2026-06-29T14:12:21","date_gmt":"2026-06-29T12:12:21","guid":{"rendered":"https:\/\/www.salvis.com\/blog\/?p=19914"},"modified":"2026-06-29T18:31:53","modified_gmt":"2026-06-29T16:31:53","slug":"detecting-security-vulnerabilities-with-the-apexlang-parser","status":"publish","type":"post","link":"https:\/\/www.salvis.com\/blog\/2026\/06\/29\/detecting-security-vulnerabilities-with-the-apexlang-parser\/","title":{"rendered":"Detecting Security Vulnerabilities With the APEXlang Parser"},"content":{"rendered":"\n<h2 id=\"introduction\" class=\"wp-block-heading\">Introduction<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">A parser for the APEXlang grammar enables the development of tools beyond the scope of the APEXlang compiler included in SQLcl, SQL Developer for VS Code, and ORDS. These tools can perform static code analysis, convert code, generate documentation, and visualise different aspects of an APEX application.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">A linter, for example, can check whether an APEXlang file conforms to defined quality standards. These standards may cover project- or company-specific conventions as well as more general concerns, such as detecting potential security vulnerabilities.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In this blog post, I explain the elements of an APEXlang file that are the basis of Grisselbav&#8217;s <a href=\"https:\/\/github.com\/Grisselbav\/APEXlang-Parser\" type=\"link\" id=\"https:\/\/github.com\/Grisselbav\/APEXlang-Parser\" target=\"_blank\" rel=\"noreferrer noopener\">APEXlang parser<\/a>. Then I demonstrate how to use the parser in a simple Java program to detect a security vulnerability.<\/p>\n\n\n\n<h2 id=\"elements-of-an-apexlang-file\" class=\"wp-block-heading\">Elements of an APEXlang File<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">An APEXlang file consists of three basic building blocks: components, properties, and groups. 
These elements can also be nested, as shown later.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Here&#8217;s an excerpt of Oracle&#8217;s Universal Theme demo application.apx file:<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro cbp-has-line-numbers\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;--cbp-line-number-color:#D4D4D4;--cbp-line-number-width:calc(2 * 0.6 * .875rem);line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:flex;align-items:center;padding:10px 0px 10px 16px;margin-bottom:-2px;width:100%;text-align:left;background-color:#2b2b2b;color:#c7c7c7\">1) Excerpt of UT&#8217;s application.apx<\/span><span role=\"button\" tabindex=\"0\" style=\"color:#D4D4D4;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><pre class=\"code-block-pro-copy-button-pre\" aria-hidden=\"true\"><textarea class=\"code-block-pro-copy-button-textarea\" tabindex=\"-1\" aria-hidden=\"true\" readonly>app UT (\n    name: Universal Theme 26.1 Reference\n    version: 26.1.0\n    group: @universal-theme\n    logo {\n        type: text\n        text: Universal Theme\n    }\n    \/\/ ...removed code...\n)<\/textarea><\/pre><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki dark-plus\" 
style=\"background-color: #1E1E1E\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #569CD6\">app<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #DCDCAA\">UT<\/span><span style=\"color: #D4D4D4\"> (<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    name: <\/span><span style=\"color: #569CD6\">Universal<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #9CDCFE\">Theme<\/span><span style=\"color: #D4D4D4\"> 26.1 Reference<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    version: 26.1.0<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    group: @universal-theme<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    logo {<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        type: text<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        text: <\/span><span style=\"color: #569CD6\">Universal<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #9CDCFE\">Theme<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    }<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    <\/span><span style=\"color: #6A9955\">\/\/ ...removed code...<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">)<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<h5 id=\"component\" class=\"wp-block-heading\">Component<\/h5>\n\n\n\n<p class=\"wp-block-paragraph\">There is one component in this example. It starts on line 1 and ends on line 10. <code>app<\/code> is the type of the component and <code>UT<\/code> the component name.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">A component body starts with a left parenthesis <code>(<\/code> and ends with a right parenthesis <code>)<\/code>.<\/p>\n\n\n\n<h5 id=\"property\" class=\"wp-block-heading\">Property<\/h5>\n\n\n\n<p class=\"wp-block-paragraph\">In this example, we have 5 properties. 
The property keys are <code>name<\/code>, <code>version<\/code>, <code>group<\/code>, <code>type<\/code> and <code>text<\/code>. The value of a property follows a colon <code>:<\/code>. For <code>name<\/code>, the value is <code>Universal Theme 26.1 Reference<\/code>; for <code>version<\/code>, the value is <code>26.1.0<\/code>, and so on.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Please note that a property starts on a new line, and the property value starts after the colon and ends at the end of that line. This way, no delimiter characters are required for most property values. However, if leading or trailing spaces are significant, you have to pass the property value as a single-line string, which is enclosed in double quotes.<\/p>\n\n\n\n<h5 id=\"group\" class=\"wp-block-heading\">Group (of properties)<\/h5>\n\n\n\n<p class=\"wp-block-paragraph\">The properties <code>type<\/code> and <code>text<\/code> are part of a group named <code>logo<\/code>. The group in this example covers lines 5 to 8.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">A group body starts with an open curly bracket <code>{<\/code> and ends with a close curly bracket <code>}<\/code>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Properties that are not part of a group are called direct properties, meaning they are defined directly in a component. Examples of direct properties are <code>name<\/code>, <code>version<\/code> and <code>group<\/code>.<\/p>\n\n\n\n<h2 id=\"nesed-elements\" class=\"wp-block-heading\">Nested Elements<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">We have seen that a component may contain properties and groups. 
But it is also possible to nest elements.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Components may contain other components besides properties and groups<\/li>\n\n\n\n<li>Property values may contain groups besides simple values<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">There is no limit to the number of levels for nested elements.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Here&#8217;s an example:<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro cbp-has-line-numbers\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;--cbp-line-number-color:#D4D4D4;--cbp-line-number-width:calc(2 * 0.6 * .875rem);--cbp-line-highlight-color:rgba(234, 191, 191, 0.2);line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:flex;align-items:center;padding:10px 0px 10px 16px;margin-bottom:-2px;width:100%;text-align:left;background-color:#2b2b2b;color:#c7c7c7\">2) Nested Component and Group<\/span><span role=\"button\" tabindex=\"0\" style=\"color:#D4D4D4;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><pre class=\"code-block-pro-copy-button-pre\" aria-hidden=\"true\"><textarea class=\"code-block-pro-copy-button-textarea\" tabindex=\"-1\" aria-hidden=\"true\" readonly>app UT (\n    \/\/ ...removed code...\n    pwaShortcut getting-started (\n        name: Getting Started\n        sequence: 10\n        shortcut {\n            target: {\n                page: 500\n            }\n            description: Getting Started Page - Initial Page\n        }\n        comments {\n            comments: -\n        }\n    )\n   \/\/ ...removed code...\n)<\/textarea><\/pre><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" 
stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki dark-plus\" style=\"background-color: #1E1E1E\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #569CD6\">app<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #DCDCAA\">UT<\/span><span style=\"color: #D4D4D4\"> (<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    <\/span><span style=\"color: #6A9955\">\/\/ ...removed code...<\/span><\/span>\n<span class=\"line cbp-line-highlight\"><span style=\"color: #D4D4D4\">    <\/span><span style=\"color: #569CD6\">pwaShortcut<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #9CDCFE\">getting<\/span><span style=\"color: #D4D4D4\">-started (<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        name: <\/span><span style=\"color: #569CD6\">Getting<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #9CDCFE\">Started<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        sequence: 10<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        shortcut {<\/span><\/span>\n<span class=\"line cbp-line-highlight\"><span style=\"color: #D4D4D4\">            target: {<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">                page: 500<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">            }<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">            description: <\/span><span style=\"color: #569CD6\">Getting<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: 
#9CDCFE\">Started<\/span><span style=\"color: #D4D4D4\"> Page - <\/span><span style=\"color: #569CD6\">Initial<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #9CDCFE\">Page<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        }<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        comments {<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">            comments: -<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        }<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">    )<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">   <\/span><span style=\"color: #6A9955\">\/\/ ...removed code...<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">)<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p class=\"wp-block-paragraph\">A nested component starts on line 3 and a nested group on line 7.<\/p>\n\n\n\n<h2 id=\"apexlang-grammar\" class=\"wp-block-heading\">APEXlang Grammar<\/h2>\n\n\n\n<figure class=\"wp-block-image size-medium\"><a href=\"https:\/\/grisselbav.github.io\/APEXlang-Parser\/grammar.html\" target=\"_blank\" rel=\" noreferrer noopener\"><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"133\" src=\"https:\/\/www.salvis.com\/blog\/wp-content\/uploads\/2026\/06\/APEXlang-apxFile-300x133.png\" alt=\"apxFile rule of APEXlang grammar\" class=\"wp-image-19988\" srcset=\"https:\/\/www.salvis.com\/blog\/wp-content\/uploads\/2026\/06\/APEXlang-apxFile-300x133.png 300w, https:\/\/www.salvis.com\/blog\/wp-content\/uploads\/2026\/06\/APEXlang-apxFile-1024x453.png 1024w, https:\/\/www.salvis.com\/blog\/wp-content\/uploads\/2026\/06\/APEXlang-apxFile-768x340.png 768w, https:\/\/www.salvis.com\/blog\/wp-content\/uploads\/2026\/06\/APEXlang-apxFile-150x66.png 150w, https:\/\/www.salvis.com\/blog\/wp-content\/uploads\/2026\/06\/APEXlang-apxFile-480x212.png 480w, 
https:\/\/www.salvis.com\/blog\/wp-content\/uploads\/2026\/06\/APEXlang-apxFile.png 1456w\" sizes=\"auto, (max-width:767px) 300px, 300px\" \/><\/a><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">While the grammar documented in <a href=\"https:\/\/docs.oracle.com\/en\/database\/oracle\/apex\/26.1\/apxln\/apexlang.ebnf\" target=\"_blank\" rel=\"noreferrer noopener\">apexlang.ebnf<\/a> of the <a href=\"https:\/\/docs.oracle.com\/en\/database\/oracle\/apex\/26.1\/apxln\/\" target=\"_blank\" rel=\"noreferrer noopener\">API Reference<\/a> defines both the language structure and the valid APEXlang elements, the grammar used by Grisselbav&#8217;s APEXlang parser is limited to structural concerns.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Because the parser focuses solely on syntax rather than semantic validation, the grammar remains remarkably compact.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Click on the image above to view all the syntax diagrams. Alternatively, view the ANTLR4 source files, <a href=\"https:\/\/github.com\/Grisselbav\/APEXlang-Parser\/blob\/v0.2.0\/src\/main\/antlr4\/com\/grisselbav\/apexlang\/grammar\/ApexLangLexer.g4\" target=\"_blank\" rel=\"noreferrer noopener\">ApexLangLexer.g4<\/a> and <a href=\"https:\/\/github.com\/Grisselbav\/APEXlang-Parser\/blob\/v0.2.0\/src\/main\/antlr4\/com\/grisselbav\/apexlang\/grammar\/ApexLangParser.g4\" target=\"_blank\" rel=\"noreferrer noopener\">ApexLangParser.g4<\/a>, which were used to generate the parser available on <a href=\"https:\/\/central.sonatype.com\/artifact\/com.grisselbav\/apexlang-parser\" target=\"_blank\" rel=\"noreferrer noopener\">Maven Central<\/a>.<\/p>\n\n\n\n<h2 id=\"apex-sert\" class=\"wp-block-heading\">APEX-SERT<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">APEX-SERT is an APEX application that scans a selected APEX application for security vulnerabilities. Vulnerabilities are detected by querying APEX dictionary views. 
All rules are defined in the <a href=\"https:\/\/github.com\/oracle-samples\/apex-sert\/blob\/v24.2.27.1\/product\/sert\/sert_core\/json_data\/APEX-SERT%20Rules.json#L978-L1014\" type=\"link\" id=\"https:\/\/github.com\/oracle-samples\/apex-sert\/blob\/v24.2.27.1\/product\/sert\/sert_core\/json_data\/APEX-SERT%20Rules.json#L978-L1014\" target=\"_blank\" rel=\"noreferrer noopener\">APEX-SERT Rules.json<\/a> file. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">To demonstrate a practical use case, let\u2019s look at the security check &#8220;Embed in Frames&#8221; implemented by APEX-SERT.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">When the property &#8220;Embed in Frames&#8221; is set to <code>Allow<\/code>, the application may be vulnerable to &#8220;clickjacking&#8221; attacks as explained in the help text of the page designer. See screenshot below.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/www.salvis.com\/blog\/wp-content\/uploads\/2026\/06\/embed-in-frames-allow.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"698\" src=\"https:\/\/www.salvis.com\/blog\/wp-content\/uploads\/2026\/06\/embed-in-frames-allow-1024x698.png\" alt=\"\" class=\"wp-image-20001\" srcset=\"https:\/\/www.salvis.com\/blog\/wp-content\/uploads\/2026\/06\/embed-in-frames-allow-1024x698.png 1024w, https:\/\/www.salvis.com\/blog\/wp-content\/uploads\/2026\/06\/embed-in-frames-allow-300x205.png 300w, https:\/\/www.salvis.com\/blog\/wp-content\/uploads\/2026\/06\/embed-in-frames-allow-768x524.png 768w, https:\/\/www.salvis.com\/blog\/wp-content\/uploads\/2026\/06\/embed-in-frames-allow-1536x1047.png 1536w, https:\/\/www.salvis.com\/blog\/wp-content\/uploads\/2026\/06\/embed-in-frames-allow-2048x1396.png 2048w, https:\/\/www.salvis.com\/blog\/wp-content\/uploads\/2026\/06\/embed-in-frames-allow-110x75.png 110w, https:\/\/www.salvis.com\/blog\/wp-content\/uploads\/2026\/06\/embed-in-frames-allow-480x327.png 480w\" sizes=\"auto, (max-width:767px) 
480px, (max-width:1024px) 100vw, 1024px\" \/><\/a><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">I changed the original value from <code>Allow from same origin<\/code> to <code>Allow<\/code> to simulate a security vulnerability.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">APEX-SERT runs a query similar to the following to find violations of this rule:<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro cbp-has-line-numbers\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;--cbp-line-number-color:#D4D4D4;--cbp-line-number-width:calc(1 * 0.6 * .875rem);line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:flex;align-items:center;padding:10px 0px 10px 16px;margin-bottom:-2px;width:100%;text-align:left;background-color:#2b2b2b;color:#c7c7c7\">3) Find Violations with SQL<\/span><span role=\"button\" tabindex=\"0\" style=\"color:#D4D4D4;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><pre class=\"code-block-pro-copy-button-pre\" aria-hidden=\"true\"><textarea class=\"code-block-pro-copy-button-textarea\" tabindex=\"-1\" aria-hidden=\"true\" readonly>select application_id, application_name, browser_frame \n  from apex_applications\n where browser_frame not in ('Deny', 'Allow from same origin');<\/textarea><\/pre><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 
2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki dark-plus\" style=\"background-color: #1E1E1E\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #569CD6\">select<\/span><span style=\"color: #D4D4D4\"> application_id, application_name, browser_frame <\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">  <\/span><span style=\"color: #569CD6\">from<\/span><span style=\"color: #D4D4D4\"> apex_applications<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #569CD6\">where<\/span><span style=\"color: #D4D4D4\"> browser_frame <\/span><span style=\"color: #569CD6\">not<\/span><span style=\"color: #D4D4D4\"> <\/span><span style=\"color: #569CD6\">in<\/span><span style=\"color: #D4D4D4\"> (<\/span><span style=\"color: #CE9178\">&#39;Deny&#39;<\/span><span style=\"color: #D4D4D4\">, <\/span><span style=\"color: #CE9178\">&#39;Allow from same origin&#39;<\/span><span style=\"color: #D4D4D4\">);<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;--cbp-line-number-width:calc(1 * 0.6 * .875rem);line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span role=\"button\" tabindex=\"0\" style=\"color:#D4D4D4;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><pre class=\"code-block-pro-copy-button-pre\" aria-hidden=\"true\"><textarea class=\"code-block-pro-copy-button-textarea\" tabindex=\"-1\" aria-hidden=\"true\" readonly>APPLICATION_ID APPLICATION_NAME               BROWSER_FRAME\n-------------- ------------------------------ -------------\n        101252 Universal Theme 26.1 Reference Allow<\/textarea><\/pre><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" 
fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki dark-plus\" style=\"background-color: #1E1E1E\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #D4D4D4\">APPLICATION_ID APPLICATION_NAME               BROWSER_FRAME<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">-------------- ------------------------------ -------------<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">        101252 Universal Theme 26.1 Reference Allow<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p class=\"wp-block-paragraph\">So, the value of <code>Embed in Frames<\/code> is provided in the <code>browser_frame<\/code> column of the APEX dictionary view <code>apex_applications<\/code>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">But where can we find this information in the APEXlang files?<\/p>\n\n\n\n<h2 id=\"link-page-designer-property-to-apexlang\" class=\"wp-block-heading\">Link Page Designer Property to APEXlang<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">We find the &#8220;Embed in Frames&#8221; property in the page designer by navigating to &#8220;Shared Components&#8221; -&gt; &#8220;Application Definition&#8221; -&gt; &#8220;Security&#8221; -&gt; &#8220;Browser Security&#8221;. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">According to the <a href=\"https:\/\/docs.oracle.com\/en\/database\/oracle\/apex\/26.1\/apxln\/apexlang.ebnf\" target=\"_blank\" rel=\"noreferrer noopener\">apexlang. 
ebnf<\/a> there is a <code>security<\/code> group within the <code>app<\/code> component. Here&#8217;s the relevant excerpt:<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro cbp-has-line-numbers\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;--cbp-line-number-color:#D4D4D4;--cbp-line-number-start:347;--cbp-line-number-width:calc(3 * 0.6 * .875rem);--cbp-line-highlight-color:rgba(234, 191, 191, 0.2);line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:flex;align-items:center;padding:10px 0px 10px 16px;margin-bottom:-2px;width:100%;text-align:left;background-color:#2b2b2b;color:#c7c7c7\">3) Property embedInFrames within apexlang.ebnf<\/span><span role=\"button\" tabindex=\"0\" style=\"color:#D4D4D4;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><pre class=\"code-block-pro-copy-button-pre\" aria-hidden=\"true\"><textarea class=\"code-block-pro-copy-button-textarea\" tabindex=\"-1\" aria-hidden=\"true\" readonly>&lt;app-security> ::= &lt;indent> \"security\" &lt;ws> \"{\" &lt;line-end> { &lt;app-security-property-line> } &lt;indent> \"}\" &lt;line-end>\n&lt;app-security-property-line> ::= &lt;indent> &lt;app-security-property> &lt;line-end>\n&lt;app-security-property> ::= \"deepLinking\" \":\" &lt;ws> ( \"true\" | \"false\" ) (* required; type: SELECT LIST *)\n  | \"enableDictation\" \":\" &lt;ws> &lt;boolean> (* required; type: YES NO *)\n  | \"browserCache\" \":\" &lt;ws> ( \"true\" | \"false\" ) (* required; type: SELECT LIST *)\n  | \"embedInFrames\" \":\" &lt;ws> ( \"deny\" | \"allowSameOrigin\" | \"allow\" ) (* required; type: SELECT LIST *)\n  | \"referrerPolicy\" \":\" &lt;ws> ( \"noReferrer\" | \"noReferrerWhenDowngrade\" | \"origin\" | \"originWhenCrossOrigin\" | \"sameOrigin\" | \"strictOrigin\" | \"strictOriginWhenCrossOrigin\" | \"unsafeUrl\" 
) (* required; type: SELECT LIST *)\n  | \"htmlEscapingMode\" \":\" &lt;ws> ( \"basic\" | \"extended\" ) (* required; type: SELECT LIST *)\n  | \"httpResponseHeaders\" \":\" &lt;ws> &lt;multiline-string> (* type: TEXT EDITOR *)\n  | \"runtimeApiUsage\" \":\" &lt;ws> &lt;array-of-string-like-value> (* type: CHECKBOXES *)<\/textarea><\/pre><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki dark-plus\" style=\"background-color: #1E1E1E\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #D4D4D4\">&lt;app-security&gt; ::= &lt;indent&gt; &quot;security&quot; &lt;ws&gt; &quot;<\/span><span style=\"color: #6A9955\">{&quot; &lt;line-end&gt; { &lt;app-security-property-line&gt; }<\/span><span style=\"color: #D4D4D4\"> &lt;indent&gt; &quot;}&quot; &lt;line-<\/span><span style=\"color: #569CD6\">end<\/span><span style=\"color: #D4D4D4\">&gt;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">&lt;app-security-property-line&gt; ::= &lt;indent&gt; &lt;app-security-property&gt; &lt;line-<\/span><span style=\"color: #569CD6\">end<\/span><span style=\"color: #D4D4D4\">&gt;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">&lt;app-security-property&gt; ::= &quot;deepLinking&quot; &quot;:&quot; &lt;ws&gt; ( &quot;<\/span><span style=\"color: #569CD6\">true<\/span><span style=\"color: #D4D4D4\">&quot; | &quot;<\/span><span style=\"color: 
#569CD6\">false<\/span><span style=\"color: #D4D4D4\">&quot; ) <\/span><span style=\"color: #6A9955\">(* required; type: SELECT LIST *)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">  | &quot;enableDictation&quot; &quot;:&quot; &lt;ws&gt; &lt;<\/span><span style=\"color: #569CD6\">boolean<\/span><span style=\"color: #D4D4D4\">&gt; <\/span><span style=\"color: #6A9955\">(* required; type: YES NO *)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">  | &quot;browserCache&quot; &quot;:&quot; &lt;ws&gt; ( &quot;<\/span><span style=\"color: #569CD6\">true<\/span><span style=\"color: #D4D4D4\">&quot; | &quot;<\/span><span style=\"color: #569CD6\">false<\/span><span style=\"color: #D4D4D4\">&quot; ) <\/span><span style=\"color: #6A9955\">(* required; type: SELECT LIST *)<\/span><\/span>\n<span class=\"line cbp-line-highlight\"><span style=\"color: #D4D4D4\">  | &quot;embedInFrames&quot; &quot;:&quot; &lt;ws&gt; ( &quot;deny&quot; | &quot;allowSameOrigin&quot; | &quot;allow&quot; ) <\/span><span style=\"color: #6A9955\">(* required; type: SELECT LIST *)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">  | &quot;referrerPolicy&quot; &quot;:&quot; &lt;ws&gt; ( &quot;noReferrer&quot; | &quot;noReferrerWhenDowngrade&quot; | &quot;origin&quot; | &quot;originWhenCrossOrigin&quot; | &quot;sameOrigin&quot; | &quot;strictOrigin&quot; | &quot;strictOriginWhenCrossOrigin&quot; | &quot;unsafeUrl&quot; ) <\/span><span style=\"color: #6A9955\">(* required; type: SELECT LIST *)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">  | &quot;htmlEscapingMode&quot; &quot;:&quot; &lt;ws&gt; ( &quot;basic&quot; | &quot;<\/span><span style=\"color: #569CD6\">extended<\/span><span style=\"color: #D4D4D4\">&quot; ) <\/span><span style=\"color: #6A9955\">(* required; type: SELECT LIST *)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">  | &quot;httpResponseHeaders&quot; &quot;:&quot; &lt;ws&gt; 
&lt;multiline-<\/span><span style=\"color: #569CD6\">string<\/span><span style=\"color: #D4D4D4\">&gt; <\/span><span style=\"color: #6A9955\">(* type: TEXT EDITOR *)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D4D4D4\">  | &quot;runtimeApiUsage&quot; &quot;:&quot; &lt;ws&gt; &lt;<\/span><span style=\"color: #569CD6\">array<\/span><span style=\"color: #D4D4D4\">-<\/span><span style=\"color: #569CD6\">of<\/span><span style=\"color: #D4D4D4\">-<\/span><span style=\"color: #569CD6\">string<\/span><span style=\"color: #D4D4D4\">-like-value&gt; <\/span><span style=\"color: #6A9955\">(* type: CHECKBOXES *)<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p class=\"wp-block-paragraph\">We find on line 352 the definition of the property <code>embedInFrames<\/code> with a list of valid values. In this case, the property key is unique. This means that no other component or group uses the property key <code>embedInFrames<\/code>. Therefore, we can search the folder containing the .apx files for the string <code>embedInFrames:<\/code> to find the position of this property. 
<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The matching property is located in the <code>application.apx<\/code> file.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Here&#8217;s an excerpt, starting at line 46 of the file; the relevant line is <code>embedInFrames: allow<\/code>.<\/p>\n\n\n\n<figure class=\"wp-block-code\"><figcaption>4) Property embedInFrames in application.apx<\/figcaption><pre><code>    authorization {\n        runOnPublicPages: true\n    }\n    security {\n        deepLinking: true\n        embedInFrames: allow\n        runtimeApiUsage: modifyThisApp\n    }\n    sessionStateProtection {\n        allowUrlsCreatedAfter: 1999-08-04T00:00:00\n        checksumSalt: 75BAAC4002F8CA56EF54FD242CCE7719B1AB85BE339E930260B3EC8EA3879365\n    }<\/code><\/pre><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Please note that properties with default values are skipped when an APEX application is exported. Therefore, we would not see the <code>embedInFrames<\/code> property at all if its value were <code>Deny<\/code>.<\/p>\n\n\n\n<h2 id=\"find-vulnerability-with-apexlang-parser\" class=\"wp-block-heading\">Find Vulnerability With APEXlang Parser<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">We now have all the information we need to write a small demo program that finds this vulnerability in an APEXlang file.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The parser exposes the parse tree through ANTLR4-generated context classes: each parser rule becomes a context class. For example, the class <code>ApexLangParser.PropertyContext<\/code> represents the <a href=\"https:\/\/github.com\/Grisselbav\/APEXlang-Parser\/blob\/v0.2.0\/src\/main\/antlr4\/com\/grisselbav\/apexlang\/grammar\/ApexLangParser.g4#L66-L68\" target=\"_blank\" rel=\"noreferrer noopener\">property<\/a> parser rule. 
This makes it easy to traverse the <code>ApexLangDocument<\/code> using Java streams.<\/p>\n\n\n\n<figure class=\"wp-block-code\"><figcaption>5) DemoFindVulnerability.java<\/figcaption><pre><code>\/\/DEPS com.grisselbav:apexlang-parser:0.2.0\n\nimport com.grisselbav.apexlang.grammar.*;\n\nclass DemoFindVulnerability {\n    public static void main(String[] args) {\n        var apxSource = \"\"\"\n                app UT (\n                    name: Universal Theme 26.1 Reference\n                    version: 26.1.0\n                    \/\/ ... removed code ...\n                    authorization {\n                        runOnPublicPages: true\n                    }\n                    security {\n                        deepLinking: true\n                        embedInFrames: allow\n                        runtimeApiUsage: modifyThisApp\n                    }\n                    sessionStateProtection {\n                        allowUrlsCreatedAfter: 1999-08-04T00:00:00\n                        checksumSalt: 75BAAC4002F8CA56EF54FD242CCE7719B1AB85BE339E930260B3EC8EA3879365\n                    }\n                    \/\/ ... removed code ...\n                )\n                \"\"\";\n        \/\/ parse the APEXlang source into a document backed by the ANTLR4 parse tree\n        var doc = ApexLangDocument.parse(apxSource);\n        \/\/ collect every property node and keep those that set embedInFrames to allow\n        var violations = doc.getAllContentsOfType(ApexLangParser.PropertyContext.class)\n                .stream()\n                .filter(p -&gt; p.name.getText().equals(\"embedInFrames\")\n                        &amp;&amp; p.value().getText().equals(\"allow\"))\n                .toList();\n        for (var violation : violations) {\n            System.err.println(\"Found vulnerability: \" + violation.getText());\n        }\n    }\n}<\/code><\/pre><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">This program embeds the APEXlang source code to scan in the <code>apxSource<\/code> variable. To run the program, save it as <code>DemoFindVulnerability.java<\/code>, then run it with <a href=\"https:\/\/www.jbang.dev\/\" type=\"link\" id=\"https:\/\/www.jbang.dev\/\" target=\"_blank\" rel=\"noreferrer noopener\">JBang<\/a>, which automatically resolves the Maven dependency declared in the <code>\/\/DEPS<\/code> comment on the first line.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>jbang DemoFindVulnerability.java<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;jbang&#93; Resolving dependencies...\n&#91;jbang&#93;    com.grisselbav:apexlang-parser:0.2.0\n&#91;jbang&#93; Dependencies resolved\n&#91;jbang&#93; Building jar for DemoFindVulnerability.java...\nFound vulnerability: \n        embedInFrames: allow<\/code><\/pre>\n\n\n\n<h2 id=\"are-regular-expressions-an-alternative\" class=\"wp-block-heading\">Are Regular Expressions An Alternative?<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">In this case, we could have used a regular expression to identify the violation.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">However, as soon as the rules become more complicated, e.g. if we want to ensure that the property is part of the <code>security<\/code> group and the <code>security<\/code> group is part of the <code>app<\/code> component, regular expressions are no longer suited. 
But a parser is: we can navigate the parse tree and extend the filter as follows.<\/p>\n\n\n\n<figure class=\"wp-block-code\"><figcaption>6) DemoFindVulnerability2.java with extended filter<\/figcaption><pre><code>\/\/DEPS com.grisselbav:apexlang-parser:0.2.0\n\nimport com.grisselbav.apexlang.grammar.*;\n\nclass DemoFindVulnerability2 {\n    public static void main(String[] args) {\n        var apxSource = \"\"\"\n                app UT (\n                    name: Universal Theme 26.1 Reference\n                    version: 26.1.0\n                    \/\/ ... removed code ...\n                    authorization {\n                        runOnPublicPages: true\n                    }\n                    security {\n                        deepLinking: true\n                        embedInFrames: allow\n                        runtimeApiUsage: modifyThisApp\n                    }\n                    sessionStateProtection {\n                        allowUrlsCreatedAfter: 1999-08-04T00:00:00\n                        checksumSalt: 75BAAC4002F8CA56EF54FD242CCE7719B1AB85BE339E930260B3EC8EA3879365\n                    }\n                    \/\/ ... removed code ...\n                )\n                \"\"\";\n        var doc = ApexLangDocument.parse(apxSource);\n        var violations = doc.getAllContentsOfType(ApexLangParser.PropertyContext.class)\n                .stream()\n                .filter(p -&gt; p.name.getText().equals(\"embedInFrames\")\n                        &amp;&amp; p.value().getText().equals(\"allow\")\n                        \/\/ the property must sit in a group named security ...\n                        &amp;&amp; p.parent.parent instanceof ApexLangParser.GroupContext g\n                        &amp;&amp; g.name.getText().equals(\"security\")\n                        \/\/ ... and that group must belong to a component of type app\n                        &amp;&amp; g.parent.parent.parent instanceof ApexLangParser.ComponentContext c\n                        &amp;&amp; c.type.getText().equals(\"app\"))\n                .toList();\n        for (var violation : violations) {\n            System.err.println(\"Found vulnerability: \" + violation.getText());\n        }\n    }\n}<\/code><\/pre><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Note that the number of <code>parent<\/code> hops follows from the structure of the grammar rules, so this filter is tied to the parser version pinned in the <code>\/\/DEPS<\/code> line and should be re-checked after an upgrade.<\/p>\n\n\n\n<h2 id=\"integration-into-dblinter\" class=\"wp-block-heading\">Integration Into dbLinter<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The APEX-SERT &#8220;Embed in Frames&#8221; rule has been added to the dbLinter repository as rule <a href=\"https:\/\/dblinter.app\/ords\/r\/dblinter\/dblinter-console\/rules#P1000_SHOW_RULE=core%20a-1010\" target=\"_blank\" rel=\"noreferrer noopener\">G-1010: Never allow application pages within an HTML frame<\/a>. The VS Code extension, the CLI and the SonarQube plugin now support checks implemented for APEXlang. 
<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Here&#8217;s a short silent video that demonstrates how this security vulnerability is detected and quickly fixed.<\/p>\n\n\n\n<figure class=\"wp-block-video\"><video height=\"720\" style=\"aspect-ratio: 1280 \/ 720;\" width=\"1280\" controls src=\"https:\/\/www.salvis.com\/blog\/wp-content\/uploads\/2026\/06\/dblinter-a1010.mp4\"><\/video><\/figure>\n\n\n\n<h2 id=\"conclusion\" class=\"wp-block-heading\">Conclusion<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The APEXlang grammar is intentionally simple: it focuses on structural elements and leaves semantic validation, such as checking property values, to the APEXlang compiler in SQLcl, SQL Developer and VS Code.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Integrating the APEXlang parser into dbLinter was straightforward, as was implementing the first APEXlang-based dbLinter rule.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The next step is to identify which additional rules would be beneficial to bring to dbLinter. If you have any suggestions, please let me know. Even better, open a GitHub issue in the <a href=\"https:\/\/github.com\/Grisselbav\/dbLinter\" target=\"_blank\" rel=\"noreferrer noopener\">dbLinter GitHub repository<\/a>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Thank you.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Introduction A parser for the APEXlang grammar enables the development of tools beyond the scope of the APEXlang compiler included in SQLcl, SQL Developer for VS Code, and ORDS. These tools can perform static code analysis, convert code, generate documentation, and visualise different aspects of an APEX application. 
A linter, for example,<span class=\"excerpt-hellip\"> [\u2026]<\/span><\/p>\n","protected":false},"author":1,"featured_media":20076,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[154,86],"class_list":["post-19914","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-oracle","tag-apexlang","tag-code-analysis"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.9 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Detecting Security Vulnerabilities With the APEXlang Parser - Philipp Salvisberg&#039;s Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.salvis.com\/blog\/2026\/06\/29\/detecting-security-vulnerabilities-with-the-apexlang-parser\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Detecting Security Vulnerabilities With the APEXlang Parser - Philipp Salvisberg&#039;s Blog\" \/>\n<meta property=\"og:description\" content=\"Introduction A parser for the APEXlang grammar enables the development of tools beyond the scope of the APEXlang compiler included in SQLcl, SQL Developer for VS Code, and ORDS. These tools can perform static code analysis, convert code, generate documentation, and visualise different aspects of an APEX application. 
A linter, for example, [\u2026]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.salvis.com\/blog\/2026\/06\/29\/detecting-security-vulnerabilities-with-the-apexlang-parser\/\" \/>\n<meta property=\"og:site_name\" content=\"Philipp Salvisberg&#039;s Blog\" \/>\n<meta property=\"article:published_time\" content=\"2026-06-29T12:12:21+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-06-29T16:31:53+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.salvis.com\/blog\/wp-content\/uploads\/2026\/06\/APEXlang-Parser.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1731\" \/>\n\t<meta property=\"og:image:height\" content=\"909\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Philipp Salvisberg\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@phsalvisberg\" \/>\n<meta name=\"twitter:site\" content=\"@phsalvisberg\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Philipp Salvisberg\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.salvis.com\\\/blog\\\/2026\\\/06\\\/29\\\/detecting-security-vulnerabilities-with-the-apexlang-parser\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.salvis.com\\\/blog\\\/2026\\\/06\\\/29\\\/detecting-security-vulnerabilities-with-the-apexlang-parser\\\/\"},\"author\":{\"name\":\"Philipp Salvisberg\",\"@id\":\"https:\\\/\\\/www.salvis.com\\\/blog\\\/#\\\/schema\\\/person\\\/34352245c48678b1a5a05d4bc1339515\"},\"headline\":\"Detecting Security Vulnerabilities With the APEXlang Parser\",\"datePublished\":\"2026-06-29T12:12:21+00:00\",\"dateModified\":\"2026-06-29T16:31:53+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.salvis.com\\\/blog\\\/2026\\\/06\\\/29\\\/detecting-security-vulnerabilities-with-the-apexlang-parser\\\/\"},\"wordCount\":1144,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/www.salvis.com\\\/blog\\\/#\\\/schema\\\/person\\\/34352245c48678b1a5a05d4bc1339515\"},\"image\":{\"@id\":\"https:\\\/\\\/www.salvis.com\\\/blog\\\/2026\\\/06\\\/29\\\/detecting-security-vulnerabilities-with-the-apexlang-parser\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.salvis.com\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/06\\\/APEXlang-Parser.png\",\"keywords\":[\"APEXlang\",\"Code 
Analysis\"],\"articleSection\":[\"Oracle\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/www.salvis.com\\\/blog\\\/2026\\\/06\\\/29\\\/detecting-security-vulnerabilities-with-the-apexlang-parser\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.salvis.com\\\/blog\\\/2026\\\/06\\\/29\\\/detecting-security-vulnerabilities-with-the-apexlang-parser\\\/\",\"url\":\"https:\\\/\\\/www.salvis.com\\\/blog\\\/2026\\\/06\\\/29\\\/detecting-security-vulnerabilities-with-the-apexlang-parser\\\/\",\"name\":\"Detecting Security Vulnerabilities With the APEXlang Parser - Philipp Salvisberg&#039;s Blog\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.salvis.com\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.salvis.com\\\/blog\\\/2026\\\/06\\\/29\\\/detecting-security-vulnerabilities-with-the-apexlang-parser\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.salvis.com\\\/blog\\\/2026\\\/06\\\/29\\\/detecting-security-vulnerabilities-with-the-apexlang-parser\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.salvis.com\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/06\\\/APEXlang-Parser.png\",\"datePublished\":\"2026-06-29T12:12:21+00:00\",\"dateModified\":\"2026-06-29T16:31:53+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.salvis.com\\\/blog\\\/2026\\\/06\\\/29\\\/detecting-security-vulnerabilities-with-the-apexlang-parser\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.salvis.com\\\/blog\\\/2026\\\/06\\\/29\\\/detecting-security-vulnerabilities-with-the-apexlang-parser\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.salvis.com\\\/blog\\\/2026\\\/06\\\/29\\\/detecting-security-vulnerabilities-with-the-apexlang-parser\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.salvis.com\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/06\\\/APEXlang-Pa
rser.png\",\"contentUrl\":\"https:\\\/\\\/www.salvis.com\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/06\\\/APEXlang-Parser.png\",\"width\":1731,\"height\":909},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.salvis.com\\\/blog\\\/2026\\\/06\\\/29\\\/detecting-security-vulnerabilities-with-the-apexlang-parser\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.salvis.com\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Detecting Security Vulnerabilities With the APEXlang Parser\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.salvis.com\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.salvis.com\\\/blog\\\/\",\"name\":\"Philipp Salvisberg&#039;s Blog\",\"description\":\"Database-centric development\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.salvis.com\\\/blog\\\/#\\\/schema\\\/person\\\/34352245c48678b1a5a05d4bc1339515\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.salvis.com\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"https:\\\/\\\/www.salvis.com\\\/blog\\\/#\\\/schema\\\/person\\\/34352245c48678b1a5a05d4bc1339515\",\"name\":\"Philipp Salvisberg\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.salvis.com\\\/blog\\\/wp-content\\\/uploads\\\/2010\\\/11\\\/phs_trivadis4.jpg\",\"url\":\"https:\\\/\\\/www.salvis.com\\\/blog\\\/wp-content\\\/uploads\\\/2010\\\/11\\\/phs_trivadis4.jpg\",\"contentUrl\":\"https:\\\/\\\/www.salvis.com\\\/blog\\\/wp-content\\\/uploads\\\/2010\\\/11\\\/phs_trivadis4.jpg\",\"width\":400,\"height\":400,\"caption\":\"Philipp 
Salvisberg\"},\"logo\":{\"@id\":\"https:\\\/\\\/www.salvis.com\\\/blog\\\/wp-content\\\/uploads\\\/2010\\\/11\\\/phs_trivadis4.jpg\"},\"sameAs\":[\"http:\\\/\\\/www.salvis.com\\\/\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Detecting Security Vulnerabilities With the APEXlang Parser - Philipp Salvisberg&#039;s Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.salvis.com\/blog\/2026\/06\/29\/detecting-security-vulnerabilities-with-the-apexlang-parser\/","og_locale":"en_US","og_type":"article","og_title":"Detecting Security Vulnerabilities With the APEXlang Parser - Philipp Salvisberg&#039;s Blog","og_description":"Introduction A parser for the APEXlang grammar enables the development of tools beyond the scope of the APEXlang compiler included in SQLcl, SQL Developer for VS Code, and ORDS. These tools can perform static code analysis, convert code, generate documentation, and visualise different aspects of an APEX application. A linter, for example, [\u2026]","og_url":"https:\/\/www.salvis.com\/blog\/2026\/06\/29\/detecting-security-vulnerabilities-with-the-apexlang-parser\/","og_site_name":"Philipp Salvisberg&#039;s Blog","article_published_time":"2026-06-29T12:12:21+00:00","article_modified_time":"2026-06-29T16:31:53+00:00","og_image":[{"width":1731,"height":909,"url":"https:\/\/www.salvis.com\/blog\/wp-content\/uploads\/2026\/06\/APEXlang-Parser.png","type":"image\/png"}],"author":"Philipp Salvisberg","twitter_card":"summary_large_image","twitter_creator":"@phsalvisberg","twitter_site":"@phsalvisberg","twitter_misc":{"Written by":"Philipp Salvisberg","Est. 
reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.salvis.com\/blog\/2026\/06\/29\/detecting-security-vulnerabilities-with-the-apexlang-parser\/#article","isPartOf":{"@id":"https:\/\/www.salvis.com\/blog\/2026\/06\/29\/detecting-security-vulnerabilities-with-the-apexlang-parser\/"},"author":{"name":"Philipp Salvisberg","@id":"https:\/\/www.salvis.com\/blog\/#\/schema\/person\/34352245c48678b1a5a05d4bc1339515"},"headline":"Detecting Security Vulnerabilities With the APEXlang Parser","datePublished":"2026-06-29T12:12:21+00:00","dateModified":"2026-06-29T16:31:53+00:00","mainEntityOfPage":{"@id":"https:\/\/www.salvis.com\/blog\/2026\/06\/29\/detecting-security-vulnerabilities-with-the-apexlang-parser\/"},"wordCount":1144,"commentCount":0,"publisher":{"@id":"https:\/\/www.salvis.com\/blog\/#\/schema\/person\/34352245c48678b1a5a05d4bc1339515"},"image":{"@id":"https:\/\/www.salvis.com\/blog\/2026\/06\/29\/detecting-security-vulnerabilities-with-the-apexlang-parser\/#primaryimage"},"thumbnailUrl":"https:\/\/www.salvis.com\/blog\/wp-content\/uploads\/2026\/06\/APEXlang-Parser.png","keywords":["APEXlang","Code Analysis"],"articleSection":["Oracle"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.salvis.com\/blog\/2026\/06\/29\/detecting-security-vulnerabilities-with-the-apexlang-parser\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.salvis.com\/blog\/2026\/06\/29\/detecting-security-vulnerabilities-with-the-apexlang-parser\/","url":"https:\/\/www.salvis.com\/blog\/2026\/06\/29\/detecting-security-vulnerabilities-with-the-apexlang-parser\/","name":"Detecting Security Vulnerabilities With the APEXlang Parser - Philipp Salvisberg&#039;s 
Blog","isPartOf":{"@id":"https:\/\/www.salvis.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.salvis.com\/blog\/2026\/06\/29\/detecting-security-vulnerabilities-with-the-apexlang-parser\/#primaryimage"},"image":{"@id":"https:\/\/www.salvis.com\/blog\/2026\/06\/29\/detecting-security-vulnerabilities-with-the-apexlang-parser\/#primaryimage"},"thumbnailUrl":"https:\/\/www.salvis.com\/blog\/wp-content\/uploads\/2026\/06\/APEXlang-Parser.png","datePublished":"2026-06-29T12:12:21+00:00","dateModified":"2026-06-29T16:31:53+00:00","breadcrumb":{"@id":"https:\/\/www.salvis.com\/blog\/2026\/06\/29\/detecting-security-vulnerabilities-with-the-apexlang-parser\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.salvis.com\/blog\/2026\/06\/29\/detecting-security-vulnerabilities-with-the-apexlang-parser\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.salvis.com\/blog\/2026\/06\/29\/detecting-security-vulnerabilities-with-the-apexlang-parser\/#primaryimage","url":"https:\/\/www.salvis.com\/blog\/wp-content\/uploads\/2026\/06\/APEXlang-Parser.png","contentUrl":"https:\/\/www.salvis.com\/blog\/wp-content\/uploads\/2026\/06\/APEXlang-Parser.png","width":1731,"height":909},{"@type":"BreadcrumbList","@id":"https:\/\/www.salvis.com\/blog\/2026\/06\/29\/detecting-security-vulnerabilities-with-the-apexlang-parser\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.salvis.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Detecting Security Vulnerabilities With the APEXlang Parser"}]},{"@type":"WebSite","@id":"https:\/\/www.salvis.com\/blog\/#website","url":"https:\/\/www.salvis.com\/blog\/","name":"Philipp Salvisberg&#039;s Blog","description":"Database-centric 
development","publisher":{"@id":"https:\/\/www.salvis.com\/blog\/#\/schema\/person\/34352245c48678b1a5a05d4bc1339515"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.salvis.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":["Person","Organization"],"@id":"https:\/\/www.salvis.com\/blog\/#\/schema\/person\/34352245c48678b1a5a05d4bc1339515","name":"Philipp Salvisberg","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.salvis.com\/blog\/wp-content\/uploads\/2010\/11\/phs_trivadis4.jpg","url":"https:\/\/www.salvis.com\/blog\/wp-content\/uploads\/2010\/11\/phs_trivadis4.jpg","contentUrl":"https:\/\/www.salvis.com\/blog\/wp-content\/uploads\/2010\/11\/phs_trivadis4.jpg","width":400,"height":400,"caption":"Philipp Salvisberg"},"logo":{"@id":"https:\/\/www.salvis.com\/blog\/wp-content\/uploads\/2010\/11\/phs_trivadis4.jpg"},"sameAs":["http:\/\/www.salvis.com\/"]}]}},"_links":{"self":[{"href":"https:\/\/www.salvis.com\/blog\/wp-json\/wp\/v2\/posts\/19914","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.salvis.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.salvis.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.salvis.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.salvis.com\/blog\/wp-json\/wp\/v2\/comments?post=19914"}],"version-history":[{"count":79,"href":"https:\/\/www.salvis.com\/blog\/wp-json\/wp\/v2\/posts\/19914\/revisions"}],"predecessor-version":[{"id":20087,"href":"https:\/\/www.salvis.com\/blog\/wp-json\/wp\/v2\/posts\/19914\/revisions\/20087"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.salvis.com\/blog\/wp-json\/wp\/v2\/media\/20076"}],"wp:attachment":[{"href":"https:\/\/www.salvis.com\/blog\/wp-json\/wp\/v2\/m
edia?parent=19914"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.salvis.com\/blog\/wp-json\/wp\/v2\/categories?post=19914"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.salvis.com\/blog\/wp-json\/wp\/v2\/tags?post=19914"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}