tracker issue : CF-4126670

Title:

Security Analyzer - Does not flag incorrect EncodeFor Contexts


Status/Resolution/Reason: Closed/Fixed/

Reporter/Name(from Bugbase): David Epler / David Epler (David Epler)

Created: 03/09/2016

Components: Security Analyzer

Versions: 2016

Failure Type: Enhancement Request

Found In Build/Fixed In Build: Alpha_v12 /

Priority/Frequency: Normal / Unknown

Locale/System: English / Win All

Vote Count: 0

The security analyzer seems to only be checking for EncodeForHTML regardless of the context of where the variable is used. This is incorrect. If the variable is being used in an HTML attribute it should flag a warning if EncodeForHTML is being used and not EncodeForHTMLAttribute. The same can be said for CSS, JavaScript, and all other encoders that are in ESAPI.
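As an added illustration (not code from this tracker entry, and not the logic of ColdFusion's Security Analyzer), a heuristic of the kind the request asks for: it locates each encodeFor* call in a CFML template, classifies the output context it sits in, and reports calls whose encoder does not match that context. The context rules, the EXPECTED mapping and the sample template are constructed assumptions for the demo.

```python
import re

# Added illustration, not ColdFusion's Security Analyzer: a heuristic that
# finds encodeFor* calls in a CFML template and flags encoders that do not
# match the output context (body, attribute, script, style) they sit in.

# Encoder expected in each output context (assumed mapping for this demo).
EXPECTED = {
    "html_body": "encodeforhtml",
    "html_attribute": "encodeforhtmlattribute",
    "javascript": "encodeforjavascript",
    "css": "encodeforcss",
}
ENCODER_RE = re.compile(r"(encodefor[a-z]+)\s*\(", re.IGNORECASE)

def context_at(src: str, pos: int) -> str:
    """Classify the output context of offset `pos` in `src`."""
    before = src[:pos].lower()
    # Inside an unclosed <script> or <style> block.
    for tag, ctx in (("script", "javascript"), ("style", "css")):
        if before.rfind("<" + tag) > before.rfind("</" + tag):
            return ctx
    # Inside an unclosed tag: the call lands in an attribute value.
    if before.rfind("<") > before.rfind(">"):
        return "html_attribute"
    return "html_body"

def find_mismatches(src: str):
    """Return (line, encoder, context, expected) for each mismatched call."""
    findings = []
    for m in ENCODER_RE.finditer(src):
        ctx = context_at(src, m.start())
        if m.group(1).lower() != EXPECTED[ctx]:
            line = src.count("\n", 0, m.start()) + 1
            findings.append((line, m.group(1), ctx, EXPECTED[ctx]))
    return findings

# Constructed sample template: lines 1 and 2 are correct, 3 to 5 are not.
SAMPLE = """<p>#encodeForHTML(name)#</p>
<input value="#encodeForHTMLAttribute(name)#">
<a title="#encodeForHTML(name)#">link</a>
<script>var who = "#encodeForHTML(name)#";</script>
<style>.x { color: #encodeForJavaScript(color)#; }</style>
"""

if __name__ == "__main__":
    for line, enc, ctx, exp in find_mismatches(SAMPLE):
        print(f"line {line}: {enc} in {ctx} context, expected {exp}")
```

The tag and quote handling is deliberately simple; a real analyzer needs a proper HTML/CFML parser to handle comments, unquoted attributes and nested script content.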

----------------------------- Additional Watson Details -----------------------------

Watson Bug ID:	4126670

External Customer Info:
External Company:  
External Customer Name: David Epler
External Customer Email: dcepler@dcepler.net
External Test Config: Friendly Name: Current MBP
System Type: Laptop
Brand: Apple 
Model: Mid-2012 15"
Processor Type: Intel Core i7
Processor Speed: 2GHz to 3GHz
Memory: 8GB to 16GB
Hard Drive Storage: 500GB-1TB
Peripherals: LCD Display
Peripherals: Web-Cam
Connectivity: Ethernet
Connectivity: Wireless 802.11 N
Interfaces: Firewire
Interfaces: USB 2.x
Media: CD
Media: CD-R
Media: CD-RW
Media: DVD
Media: DVD+R
Media: DVD-R
Media: SD Card
Primary Operating System: Mac OS X 10.9 (Mavericks)
Secondary Operating System: Windows 7 64
System Location: Other
Time Owned: 2 to 3 Years


Bug File Paths:
\\sjshare.corp.adobe.com\Prereleasebugfiles\ColdFusion\12.0\Alpha_v12\4026100\EncodeForCSS.cfm
\\sjshare.corp.adobe.com\Prereleasebugfiles\ColdFusion\12.0\Alpha_v12\4026100\EncodeForJavascript.cfm
\\sjshare.corp.adobe.com\Prereleasebugfiles\ColdFusion\12.0\Alpha_v12\4026100\EncodeForHTMLAttrbiute.cfm

Attachments:

Comments:

Adding BUG AUDIT TRAIL (record RQ_DEFECT; each entry: timestamp (oprid): field: old value -> new value):

2015-10-29 09:30:40.0 (preethi): Date Closed: Blank -> 2015-10-29 02:30:39.0; Closed By: Blank -> preethi; Owner: preethi -> Blank; State: Open -> Closed; Status: ToTest -> Fixed; Reason: Fixed -> Blank
2015-10-19 10:11:38.0 (uogra): Fixed By: Blank -> uogra; Date Fixed: Blank -> 2015-10-19 03:11:38.0; Owner: uogra -> preethi; Changelist: Blank -> 296038; Status: ToFix -> ToTest; Reason: Investigate -> Fixed
2015-09-23 11:11:16.0 (uogra): Severity: 2 -> 0
2015-07-30 11:04:46.0 (preethi): Dev Assigned: sanniset -> uogra; Owner: sanniset -> uogra
2015-07-30 10:49:26.0 (preethi): Fix By Milestone: Blank -> Beta; Status: Unverified -> ToFix; Priority: 0 -> 2; Owner: preethi -> sanniset; Fix By Product Milestone: Blank -> Beta; Duplicate Bug ID: Blank -> Blank; Reason: Blank -> Investigate; Severity: 3 -> 2
Comment by CFwatson U.
3543 | March 09, 2016 04:31:17 AM GMT
Added By: uogra
Note Added: We have made the changes for encodeforcss, encodeforjavascript and encodeforhtmlattribute
Date Added: 2015-10-29 09:26:31.0

Added By: PreRelease User (User Name: David Epler)
Note Added: Entered Bug.
Date Added: 2015-07-26 13:09:04.0
Comment by CFwatson U.
3544 | March 09, 2016 04:31:19 AM GMT