tracker issue : CF-4126537

select a category, or use search below
(searches all categories and all time range)
Title:

Code Analyzer False Negative

| View in Tracker

Status/Resolution/Reason: Closed/Fixed/

Reporter/Name(from Bugbase): Jason Dean / Jason Dean (Jason Dean)

Created: 03/09/2016

Components: Security Analyzer

Versions: 2016

Failure Type: Unspecified

Found In Build/Fixed In Build: Alpha3_v31 /

Priority/Frequency: Normal / Unknown

Locale/System: English / Win All

Vote Count: 0

Listed in the version 2016.0.02.299200 Issues Fixed doc 
Problem Description:

This code should be flagged for SQLi, it is not. 

component {
       
        public function getUserByID( numeric id ) {
               
                var q = new Query( );
               
                q.setDataSource( "MyDSN" );
                q.setName( "user" );
               
                q.setSql( "SELECT username, password FROM users WHERE userid = #ARGUMENTS.id#" );
               
                var result = q.execute( );
               
                return result;         
        }
       
}

Steps to Reproduce:
1. Paste code into file
2. Run code analyzer

Actual Result:
No warning

Expected Result:
Flagged for SQLi vulnerablity

Any Workarounds:
None

----------------------------- Additional Watson Details -----------------------------

Watson Bug ID:	4126537

External Customer Info:
External Company: MDH
External Customer Name: Jason Dean
External Customer Email: JASON@12ROBOTS.COM
External Test Config:

Attachments:

Comments:

Adding BUG AUDIT TRAIL ********action: updated fieldName: Fix By Product Milestone newValue: HF2 oldValue: Gold Master oprid: vmannebo recordName: RQ_DEFECT timpestamp: 2016-02-29 12:56:23.0 action: updated fieldName: Fix By Milestone newValue: Post Release oldValue: Gold Master oprid: vmannebo recordName: RQ_DEFECT timpestamp: 2016-02-29 12:56:23.0 action: updated fieldName: Fix By Milestone newValue: Gold Master oldValue: Alpha oprid: rukumar recordName: RQ_DEFECT timpestamp: 2015-12-21 17:08:52.0 action: updated fieldName: Fix By Product Milestone newValue: Gold Master oldValue: Alpha oprid: rukumar recordName: RQ_DEFECT timpestamp: 2015-12-21 17:08:52.0 action: updated fieldName: Status newValue: ToFix oldValue: Unverified oprid: preethi recordName: RQ_DEFECT timpestamp: 2015-10-29 04:57:23.0 action: updated fieldName: Owner newValue: uogra oldValue: preethi oprid: preethi recordName: RQ_DEFECT timpestamp: 2015-10-29 04:57:23.0 action: updated fieldName: Reason newValue: Blank oldValue: Blank oprid: preethi recordName: RQ_DEFECT timpestamp: 2015-10-29 04:57:23.0 action: updated fieldName: Fix By Milestone newValue: Alpha oldValue: Blank oprid: preethi recordName: RQ_DEFECT timpestamp: 2015-10-29 04:57:23.0 action: updated fieldName: Fix By Product Milestone newValue: Alpha oldValue: Blank oprid: preethi recordName: RQ_DEFECT timpestamp: 2015-10-29 04:57:23.0 action: updated fieldName: Priority newValue: 2 oldValue: 0 oprid: preethi recordName: RQ_DEFECT timpestamp: 2015-10-29 04:57:23.0 action: updated fieldName: Version newValue: 12.0 oldValue: 3.1 oprid: prk recordName: RQ_DEFECT timpestamp: 2015-10-27 06:24:04.0 action: updated fieldName: Dev Assigned newValue: uogra oldValue: bukkittu oprid: prk recordName: RQ_DEFECT timpestamp: 2015-10-27 06:24:04.0 action: updated fieldName: Product newValue: ColdFusion oldValue: ColdFusion Builder oprid: prk recordName: RQ_DEFECT timpestamp: 2015-10-27 06:24:04.0 action: updated fieldName: QE Assigned newValue: preethi oldValue: prk oprid: prk recordName: RQ_DEFECT timpestamp: 2015-10-27 06:24:04.0 action: updated fieldName: Owner newValue: preethi oldValue: prk oprid: prk recordName: RQ_DEFECT timpestamp: 2015-10-27 06:24:04.0 action: updated fieldName: Fix By Product Milestone newValue: Blank oldValue: Blank oprid: prk recordName: RQ_DEFECT timpestamp: 2015-10-27 06:24:04.0
Comment by CFwatson U.
3817 | March 09, 2016 02:30:23 AM GMT
Added By: PreRelease User User Name:Jason Dean Note Added: Entered Bug. Date Added :2015-10-26 20:57:46.0
Comment by CFwatson U.
3818 | March 09, 2016 02:30:24 AM GMT
The fix will be available in update 2 of ColdFusion 2016. Thanks!
Comment by S P.
3819 | May 12, 2016 09:33:04 AM GMT
test note
Comment by CFwatson U.
3820 | June 07, 2016 04:18:18 AM GMT
The fix for this bug is available as part of the early-access build for ColdFusion 2016 Update 2.
Comment by CFwatson U.
3821 | June 07, 2016 04:24:57 AM GMT