tracker issue | What iT iS dESign studios

Title:

Security scanner SQLi odd guidance

| View in Tracker

Status/Resolution/Reason: Closed/Fixed/

Reporter/Name(from Bugbase): Adam Cameron / Adam Cameron (Adam Cameron)

Created: 03/09/2016

Components: Security Analyzer

Versions: 2016

Failure Type: Unspecified

Found In Build/Fixed In Build: Alpha_v31 /

Priority/Frequency: Normal / Unknown

Locale/System: English / Win All

Vote Count: 0

<cfquery>
INSERT INTO someTable (
uuid
)VALUES(
’#createUuid()#’
)
</cfquery>

<cfquery name="uuids">
SELECT ’#createUuid()#’ AS uuid
FROM someTable
</cfquery>

<cfset queryExecute("
INSERT INTO someTable (
uuid
)VALUES(
’#createUuid()#’
)
")>
<cfset uuids = queryExecute("
SELECT ’#createUuid()#’ AS uuid
FROM someTable
")>


The first INSERT just gets a warning; the first SELECT gets an error (if anything... should it not be the other way around? And obviously neither is actually a problem.

And apparently queryExecute() is not vulnerable in these ways, as I get no notifications on those statements.

I have to ask... is this feature ready for testing yet? Should I just leave it be?

Note: I am not specifically trying to defeat it, these examples I’m posting are reduced-complexity repro cases of actual "issues" being reported when I test proper code.

----------------------------- Additional Watson Details -----------------------------

Watson Bug ID:	4126680

External Customer Info:
External Company: Straker Interactive
External Customer Name: Adam Cameron
External Customer Email: CAMERON.ADAM@GMAIL.COM
External Test Config:

Attachments:

Comments:

Adding BUG AUDIT TRAIL 

********action: updated fieldName: Closed By newValue: preethi oldValue: Blank oprid: preethi recordName: RQ_DEFECT timpestamp: 2015-09-22 06:28:17.0	
action: updated fieldName: Owner newValue: Blank oldValue: preethi oprid: preethi recordName: RQ_DEFECT timpestamp: 2015-09-22 06:28:17.0	
action: updated fieldName: Reason newValue: Blank oldValue: Fixed oprid: preethi recordName: RQ_DEFECT timpestamp: 2015-09-22 06:28:17.0	
action: updated fieldName: Status newValue: Fixed oldValue: ToTest oprid: preethi recordName: RQ_DEFECT timpestamp: 2015-09-22 06:28:17.0	
action: updated fieldName: State newValue: Closed oldValue: Open oprid: preethi recordName: RQ_DEFECT timpestamp: 2015-09-22 06:28:17.0	
action: updated fieldName: Date Closed newValue: 2015-09-21 23:28:17.0 oldValue: Blank oprid: preethi recordName: RQ_DEFECT timpestamp: 2015-09-22 06:28:17.0	
action: updated fieldName: Fixed By newValue: uogra oldValue: Blank oprid: uogra recordName: RQ_DEFECT timpestamp: 2015-09-21 11:51:05.0	
action: updated fieldName: Owner newValue: preethi oldValue: uogra oprid: uogra recordName: RQ_DEFECT timpestamp: 2015-09-21 11:51:05.0	
action: updated fieldName: Reason newValue: Fixed oldValue: Blank oprid: uogra recordName: RQ_DEFECT timpestamp: 2015-09-21 11:51:05.0	
action: updated fieldName: Status newValue: ToTest oldValue: ToFix oprid: uogra recordName: RQ_DEFECT timpestamp: 2015-09-21 11:51:05.0	
action: updated fieldName: Changelist newValue: 295593 oldValue: Blank oprid: uogra recordName: RQ_DEFECT timpestamp: 2015-09-21 11:51:05.0	
action: updated fieldName: Date Fixed newValue: 2015-09-21 04:51:05.0 oldValue: Blank oprid: uogra recordName: RQ_DEFECT timpestamp: 2015-09-21 11:51:05.0	
action: updated fieldName: Reason newValue: Blank oldValue: Blank oprid: preethi recordName: RQ_DEFECT timpestamp: 2015-07-21 11:37:16.0	
action: updated fieldName: Status newValue: ToFix oldValue: Unverified oprid: preethi recordName: RQ_DEFECT timpestamp: 2015-07-21 11:37:16.0	
action: updated fieldName: Fix By Product Milestone newValue: Beta oldValue: Blank oprid: preethi recordName: RQ_DEFECT timpestamp: 2015-07-21 11:37:16.0	
action: updated fieldName: Priority newValue: 2 oldValue: 0 oprid: preethi recordName: RQ_DEFECT timpestamp: 2015-07-21 11:37:16.0	
action: updated fieldName: Fix By Milestone newValue: Beta oldValue: Blank oprid: preethi recordName: RQ_DEFECT timpestamp: 2015-07-21 11:37:16.0	
action: updated fieldName: Owner newValue: uogra oldValue: preethi oprid: preethi recordName: RQ_DEFECT timpestamp: 2015-07-21 11:37:16.0	
action: updated fieldName: Fix By Product Milestone newValue: Blank oldValue: Blank oprid: prk recordName: RQ_DEFECT timpestamp: 2015-07-21 11:25:07.0	
action: updated fieldName: Dev Assigned newValue: uogra oldValue: bukkittu oprid: prk recordName: RQ_DEFECT timpestamp: 2015-07-21 11:25:07.0	
action: updated fieldName: Product newValue: ColdFusion oldValue: ColdFusion Builder oprid: prk recordName: RQ_DEFECT timpestamp: 2015-07-21 11:25:07.0	
action: updated fieldName: Version newValue: 12.0 oldValue: 3.1 oprid: prk recordName: RQ_DEFECT timpestamp: 2015-07-21 11:25:07.0	
action: updated fieldName: QE Assigned newValue: preethi oldValue: prk oprid: prk recordName: RQ_DEFECT timpestamp: 2015-07-21 11:25:07.0	
action: updated fieldName: Owner newValue: preethi oldValue: prk oprid: prk recordName: RQ_DEFECT timpestamp: 2015-07-21 11:25:07.0

Comment by CFwatson U.

3529 | March 09, 2016 04:36:27 AM GMT

Added By:preethi	Note Added: Fix will be available in the next release.
Thanks!	Date Added :2015-09-22 06:28:47.0	
Added By: PreRelease User	User Name:Adam Cameron	Note Added: Entered Bug.	Date Added :2015-07-21 10:14:25.0

Comment by CFwatson U.

3530 | March 09, 2016 04:36:29 AM GMT

tracker issue : CF-4126680

Security scanner SQLi odd guidance