tracker issue : CF-4126912

Title:

Inconsistent XSS markings for built-in-functions (BIF) that return integers


Status/Resolution/Reason: Closed/Withdrawn/Duplicate

Reporter/Name(from Bugbase): David Epler / David Epler (David Epler)

Created: 03/09/2016

Components: Security Analyzer

Versions: 2016

Failure Type:

Found In Build/Fixed In Build: CF2016_Final /

Priority/Frequency: Major / All users will encounter

Locale/System: ALL / Win 2008 Server R2 64 bit

Vote Count: 0

Duplicate ID:	CF-4126413

Problem Description:

Given the code:
<cfparam name="url.id" default="1.5" type="numeric" />

<cfoutput>
#ceiling(url.id)#<br>
#floor(url.id)#<br>
#round(url.id)#<br>
</cfoutput>

Actual Result:

The security analyzer marks the lines with ceiling() and floor() as XSS, Warning, Low and does not mark the round() line.

Expected Result:

It should not mark any of the lines since the functions return an integer. All BIFs that return an integer should not be marked as XSS vulnerability.

Any Workarounds:

None.
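To make the reported inconsistency concrete, the following is an added example of a small, self-contained static rule of the kind the report argues for: an interpolated expression inside cfoutput is flagged as a potential XSS sink unless its outermost call is a built-in function that can only return a number, or an output encoder. This is constructed for illustration and is not code from this ticket or from Adobe's Security Analyzer; the list of integer-returning BIFs, the encoder list, the function names and the sample CFML (which reproduces the snippet above plus two extra lines) are assumptions made for the example. Applied to the snippet, the rule gives ceiling(), floor() and round() the same verdict, which is the consistency the report asks for.

```python
import re
from typing import Dict, List, Optional

# Constructed for this example: CFML built-in functions whose result is always an
# integer, so their output cannot carry attacker-controlled markup. Not the
# analyzer's real list.
INT_RETURNING_BIFS = {"ceiling", "floor", "round", "int", "fix", "len"}

# Constructed for this example: output encoders that neutralise HTML markup.
ENCODERS = {"encodeforhtml", "encodeforhtmlattribute", "htmleditformat"}

OUTPUT_BLOCK = re.compile(r"<cfoutput>(.*?)</cfoutput>", re.IGNORECASE | re.DOTALL)
INTERP = re.compile(r"#([^#]+)#")            # one #expression# (escaped ## not handled)
CALL = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*\(")


def outer_call(expr: str) -> Optional[str]:
    """Name (lower-cased) of the function call that spans the WHOLE expression, else None.

    'ceiling(url.id)' -> 'ceiling'; 'ceiling(url.id) & "<b>"' -> None, because the
    concatenation, not the numeric call, is the outermost operation. Parentheses inside
    string literals are not special-cased; this is a toy rule."""
    expr = expr.strip()
    m = CALL.match(expr)
    if not m:
        return None
    depth = 0
    for i in range(m.end() - 1, len(expr)):   # m.end()-1 is the opening '('
        if expr[i] == "(":
            depth += 1
        elif expr[i] == ")":
            depth -= 1
            if depth == 0:
                # The call is the whole expression only if it closes at the very end.
                return m.group(1).lower() if i == len(expr) - 1 else None
    return None  # unbalanced parentheses


def classify(expr: str) -> str:
    """Verdict for one interpolated expression."""
    fn = outer_call(expr)
    if fn in INT_RETURNING_BIFS:
        return "ok: numeric result"
    if fn in ENCODERS:
        return "ok: encoded output"
    return "xss-warning"


def analyze(source: str) -> List[Dict[str, object]]:
    """Scan every <cfoutput> block and classify each #expression# with its 1-based line."""
    findings: List[Dict[str, object]] = []
    for block in OUTPUT_BLOCK.finditer(source):
        body = block.group(1)
        body_line = source.count("\n", 0, block.start(1)) + 1
        for m in INTERP.finditer(body):
            line = body_line + body.count("\n", 0, m.start())
            expr = m.group(1).strip()
            findings.append({"line": line, "expr": expr, "verdict": classify(expr)})
    return findings


# Constructed sample: the ticket's snippet plus an unencoded and an encoded string value.
SAMPLE = """<cfparam name="url.id" default="1.5" type="numeric" />
<cfparam name="url.name" default="guest" />

<cfoutput>
#ceiling(url.id)#<br>
#floor(url.id)#<br>
#round(url.id)#<br>
#url.name#<br>
#encodeForHTML(url.name)#<br>
</cfoutput>
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print(f"line {f['line']:>2}: #{f['expr']}#  ->  {f['verdict']}")
```

The rule is deliberately conservative about what "returns an integer" means: only an expression that is entirely one integer-returning call is cleared, so `ceiling(url.id) & "<b>"` is still flagged, since the string concatenation, not the numeric function, determines the output.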

----------------------------- Additional Watson Details -----------------------------

Watson Bug ID:	4126912

External Customer Info:
External Company:  
External Customer Name: David Epler
External Customer Email:

Attachments:

Comments:

Hi David, We had a pre-release bug raised related to a particular built-in function. And we are handling the scenarios related to built-in functions as part of that bug. Will be adding these functions too, to that list and hence will be closing this ticket. Thanks, Preethi
Comment by S P.
3317 | March 14, 2016 03:27:36 AM GMT
Preethi, Could you please include the existing bug id this is duplicate of? Since it appears that pre-release bugs were migrated over to the public bugbase, it should be viewable. Also while there might be an existing bug regarding BIFs this is a specific instance of where the existing behavior of the security analyzer is inconsistent and another test case that can be used to validate it.
Comment by External U.
3318 | March 15, 2016 02:03:08 PM GMT
Hi David, I had included the bug id of the other bug, in the duplicate id field. Also, have added the scenarios that you have specified to the same bug thereby increasing the scope. Thanks, Preethi
Comment by S P.
3319 | March 16, 2016 06:30:39 AM GMT
Preethi, Actually the "duplicate" deals with BIFs and SQLi. This ticket is regarding BIFs and XSS. So while the fix for BIFs and getting flagged by the security analyzer is most likely the same, they are separate issues given the vulnerability type.
Comment by External U.
3320 | March 16, 2016 09:00:34 AM GMT
Hi David, This scenario wrt BIFs can occur with other vulnerability types and since the fix would be same for all of them as you have mentioned yourself, we are tracking it as part of the same bug because, otherwise we will have to log different bugs for each vulnerability type. Thanks, Preethi
Comment by S P.
3321 | March 21, 2016 05:53:59 AM GMT