tracker issue : CF-4126413

Title:

Security Analyzer False Positive on #DateFormat(now())# and certain other built-in functions.


Status/Resolution/Reason: Closed/Fixed/

Reporter/Name(from Bugbase): Peter Freitag / Peter Freitag (Peter Freitag)

Created: 03/09/2016

Components: Security Analyzer

Versions: 2016

Failure Type:

Found In Build/Fixed In Build: Beta2_v31 /

Priority/Frequency: Normal / Most users will encounter

Locale/System: English / Mac All

Vote Count: 0

Listed in the version 2016.0.02.299200 Issues Fixed doc
Problem Description: Treats #DateFormat(now())# as SQL injection in a query, though it is safe.

Steps to Reproduce: Create a file with the following and run security analyzer:

<cfquery name="test_dateformat">
	SELECT * FROM news
	WHERE d > '#DateFormat(now(), "yyyy-mm-dd")#'
</cfquery>

Actual Result: Flags as SQL Injection

Expected Result: Does not flag as SQL Injection. The tricky part of this case is that if the date mask came from an untrusted variable it could possibly be SQL Injection, but it should be ignored if the mask is a static string value.

Any Workarounds: n/a

----------------------------- Additional Watson Details -----------------------------

Watson Bug ID:	4126413

External Customer Info:
External Company: Foundeo Inc.
External Customer Name: Peter Freitag
External Customer Email: PETE@FOUNDEO.COM
External Test Config:

Attachments:

Comments:

Comment by CFwatson U.
4208 | March 09, 2016 01:59:13 AM GMT
Added By: PreRelease User User Name:Peter Freitag Note Added: Entered Bug. Date Added :2016-02-05 17:21:05.0
Comment by CFwatson U.
4209 | March 09, 2016 01:59:14 AM GMT
Few other scenarios for built-in functions (BIF) that return integers:

<cfparam name="url.id" default="1.5" type="numeric" />
<cfoutput>
	#ceiling(url.id)#<br>
	#floor(url.id)#<br>
	#round(url.id)#<br>
</cfoutput>
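The rule described in the Expected Result above (a literal DateFormat mask is safe, a variable mask is not) and the integer-returning ceiling/floor/round scenarios in the comment above, as an added Python model; this is not ColdFusion's Security Analyzer code, and the function sets, the argument position of the mask and the cfquery matching are assumptions:

```python
import re
# Added example (not ColdFusion's own Security Analyzer code): a minimal model of
# the rule this report asks for. The function sets below are assumptions.
NUMERIC_BIFS = {"ceiling", "floor", "round"}  # always return a number
FORMAT_BIFS = {"dateformat"}                  # safe only with a literal mask (arg 2)

QUERY_RE = re.compile(r"<cfquery\b[^>]*>(.*?)</cfquery>", re.I | re.S)
INTERP_RE = re.compile(r"#([^#]+)#")
CALL_RE = re.compile(r"^\s*(\w+)\s*\((.*)\)\s*$", re.S)
LITERAL_RE = re.compile(r"""^\s*("[^"]*"|'[^']*')\s*$""")

def split_args(text):
    """Split a CFML argument list at top-level commas, respecting parens/quotes."""
    args, cur, depth, quote = [], "", 0, None
    for ch in text:
        if quote:
            quote = None if ch == quote else quote
        elif ch in "\"'":
            quote = ch
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif ch == "," and depth == 0:
            args.append(cur.strip())
            cur = ""
            continue
        cur += ch
    if cur.strip():
        args.append(cur.strip())
    return args

def classify(expr):
    """Return None when expr is safe to interpolate into SQL, else a reason."""
    m = CALL_RE.match(expr)
    if not m:
        return "raw variable interpolated into SQL"
    name, args = m.group(1).lower(), split_args(m.group(2))
    if name in NUMERIC_BIFS:
        return None  # numeric result: a tainted argument cannot change the SQL
    if name in FORMAT_BIFS:
        if len(args) < 2 or LITERAL_RE.match(args[1]):
            return None  # default or static mask: output alphabet is fixed
        return f"{m.group(1)} called with a non-literal mask"
    return f"unrecognised function {m.group(1)} in query (flag conservatively)"

def scan_cfquery(source):
    """Return (expression, reason) for every flagged #...# inside a <cfquery>."""
    return [(e.strip(), r) for body in QUERY_RE.findall(source)
            for e in INTERP_RE.findall(body) if (r := classify(e))]
```

Running scan_cfquery over the query from the Steps to Reproduce returns no findings, while the same query with the mask replaced by a URL variable is flagged.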
Comment by S P.
4210 | March 14, 2016 03:27:23 AM GMT
The fix will be available in the update 2 of ColdFusion 2016. It has handled the date/time in-built functions and mathematical in-built functions that return integers. Thanks!
Comment by S P.
4211 | May 18, 2016 11:40:40 PM GMT
test note
Comment by CFwatson U.
4212 | June 07, 2016 04:18:34 AM GMT
The fix for this bug is available as part of the early-access build for ColdFusion 2016 Update 2.
Comment by CFwatson U.
4213 | June 07, 2016 04:25:16 AM GMT