tracker issue : CF-4126688

Title:

Security scanner: incorrect analysis


Status/Resolution/Reason: Closed/Fixed/

Reporter/Name(from Bugbase): Adam Cameron / Adam Cameron (Adam Cameron)

Created: 03/09/2016

Components: Security Analyzer

Versions: 2016

Failure Type: Unspecified

Found In Build/Fixed In Build: Alpha_v31 /

Priority/Frequency: Normal / Unknown

Locale/System: English / Win All

Vote Count: 0

I put this code through the security scanner:

<cfscript>
unscopedMessage = "hi";
writeOutput(unscopedMessage);

variables.scopedMessage = "hi";
writeOutput(variables.scopedMessage);

variables.messageWithFunction = ucase(variables.scopedMessage);
writeOutput(variables.messageWithFunction);

variables.messageFollowingGuidance = encodeForHtml(unscopedMessage);
writeOutput(variables.messageFollowingGuidance);
</cfscript>

This line is singled out with an XSS warning:

writeOutput(variables.messageWithFunction);

Why’s that? It’s as if CF thinks that calling ucase() on its original variable (which the scanner had no problem with) somehow exposes it to XSS?

S Preethi has come back with this comment:
The Security Analyzer flags warnings when functions are involved. 
Since this is an in-built function, it is a valid scenario for not flagging it as an error/warning.
Please do raise a bug for the same. Thank You for the input!


Consider it raised.
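The report and the QE reply describe two ways a scanner can decide whether a writeOutput() call deserves an XSS warning: flag any value that passed through a function, or track where the data actually came from and whether it was encoded. The toy analyser below, added here as an illustration and not code from the bug report or from Adobe's Security Analyzer, runs both policies over the snippet from the report and over a constructed snippet that reads from the url scope. The scope list, the encoder list and the line-at-a-time parsing are assumptions made for the example.

```python
"""Toy taint analysis for CFML writeOutput() calls (added illustration).

Two policies are modelled:
  * "any-function": flag an output if its value came out of a function
    other than an HTML encoder (the behaviour the bug report observes);
  * "taint": flag an output only if it carries data from an untrusted
    scope that has not passed through an HTML encoder.
"""
import re

# Assumed: scopes whose contents are request-controlled.
UNTRUSTED_SCOPES = {"url", "form", "cgi", "cookie"}
# Assumed: functions whose result is safe to write into an HTML body.
HTML_ENCODERS = {"encodeforhtml"}

ASSIGN_RE = re.compile(r"^\s*([\w.]+)\s*=\s*(.+?);\s*$")
OUTPUT_RE = re.compile(r"^\s*writeOutput\((.+)\);\s*$", re.IGNORECASE)
CALL_RE = re.compile(r"^(\w+)\((.*)\)$")
STRING_RE = re.compile(r'^"[^"]*"$')


def canonical(name):
    """Treat unscoped 'x' and 'variables.x' as the same variable."""
    name = name.strip().lower()
    return name[len("variables."):] if name.startswith("variables.") else name


def is_tainted(expr, taint):
    """True if expr may carry untrusted data into an HTML body."""
    expr = expr.strip()
    if STRING_RE.match(expr):
        return False
    m = CALL_RE.match(expr)
    if m:
        func, args = m.group(1).lower(), m.group(2)
        if func in HTML_ENCODERS:
            return False  # encoder sanitises whatever it receives
        # any other function (ucase, trim, ...) passes taint through;
        # single-level comma split is enough for this illustration
        return any(is_tainted(a, taint) for a in args.split(",") if a.strip())
    if expr.split(".")[0].lower() in UNTRUSTED_SCOPES:
        return True
    return taint.get(canonical(expr), False)


def from_function(expr, fncall):
    """True if expr's value came out of a non-encoder function call."""
    m = CALL_RE.match(expr.strip())
    if m:
        return m.group(1).lower() not in HTML_ENCODERS
    return fncall.get(canonical(expr), False)


def analyze(source, policy="taint"):
    """Return 1-based line numbers of writeOutput() calls that get flagged."""
    taint, fncall, flagged = {}, {}, []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = ASSIGN_RE.match(line)
        if m:
            target, rhs = canonical(m.group(1)), m.group(2)
            taint[target] = is_tainted(rhs, taint)
            fncall[target] = from_function(rhs, fncall)
            continue
        m = OUTPUT_RE.match(line)
        if not m:
            continue
        expr = m.group(1)
        hit = (from_function(expr, fncall) if policy == "any-function"
               else is_tainted(expr, taint))
        if hit:
            flagged.append(lineno)
    return flagged


# Constructed copy of the snippet from the bug report (cfscript tags dropped).
REPORT_SNIPPET = """\
unscopedMessage = "hi";
writeOutput(unscopedMessage);
variables.scopedMessage = "hi";
writeOutput(variables.scopedMessage);
variables.messageWithFunction = ucase(variables.scopedMessage);
writeOutput(variables.messageWithFunction);
variables.messageFollowingGuidance = encodeForHtml(unscopedMessage);
writeOutput(variables.messageFollowingGuidance);
"""

# Constructed snippet where the data really is request-controlled.
UNTRUSTED_SNIPPET = """\
variables.name = url.name;
writeOutput(variables.name);
variables.shout = ucase(variables.name);
writeOutput(variables.shout);
writeOutput(encodeForHtml(variables.shout));
writeOutput(encodeForHtml(url.name));
"""

if __name__ == "__main__":
    for label, snippet in (("report", REPORT_SNIPPET), ("untrusted", UNTRUSTED_SNIPPET)):
        for policy in ("any-function", "taint"):
            print(label, policy, analyze(snippet, policy))
```

On the report snippet the "any-function" policy flags only the writeOutput of messageWithFunction (line 6 of the snippet), exactly the false positive the report describes, while taint tracking flags nothing because every value is a literal. On the constructed snippet the function heuristic misses the raw writeOutput(variables.name) on line 2 and catches only line 4, whereas taint tracking flags lines 2 and 4 and correctly accepts the two encodeForHtml outputs.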

----------------------------- Additional Watson Details -----------------------------

Watson Bug ID:	4126688

External Customer Info:
External Company: Straker Interactive
External Customer Name: Adam Cameron
External Customer Email: CAMERON.ADAM@GMAIL.COM
External Test Config:

Attachments:

Comments:

Adding BUG AUDIT TRAIL ********
action: updated fieldName: Reason newValue: Blank oldValue: Fixed oprid: preethi recordName: RQ_DEFECT timpestamp: 2015-09-25 05:36:04.0
action: updated fieldName: Owner newValue: Blank oldValue: preethi oprid: preethi recordName: RQ_DEFECT timpestamp: 2015-09-25 05:36:04.0
action: updated fieldName: Closed By newValue: preethi oldValue: Blank oprid: preethi recordName: RQ_DEFECT timpestamp: 2015-09-25 05:36:04.0
action: updated fieldName: Status newValue: Fixed oldValue: ToTest oprid: preethi recordName: RQ_DEFECT timpestamp: 2015-09-25 05:36:04.0
action: updated fieldName: Date Closed newValue: 2015-09-24 22:36:04.0 oldValue: Blank oprid: preethi recordName: RQ_DEFECT timpestamp: 2015-09-25 05:36:04.0
action: updated fieldName: State newValue: Closed oldValue: Open oprid: preethi recordName: RQ_DEFECT timpestamp: 2015-09-25 05:36:04.0
action: updated fieldName: Fixed By newValue: uogra oldValue: Blank oprid: uogra recordName: RQ_DEFECT timpestamp: 2015-09-24 09:50:47.0
action: updated fieldName: Changelist newValue: 295714 oldValue: Blank oprid: uogra recordName: RQ_DEFECT timpestamp: 2015-09-24 09:50:47.0
action: updated fieldName: Reason newValue: Fixed oldValue: Blank oprid: uogra recordName: RQ_DEFECT timpestamp: 2015-09-24 09:50:47.0
action: updated fieldName: Status newValue: ToTest oldValue: ToFix oprid: uogra recordName: RQ_DEFECT timpestamp: 2015-09-24 09:50:47.0
action: updated fieldName: Owner newValue: preethi oldValue: uogra oprid: uogra recordName: RQ_DEFECT timpestamp: 2015-09-24 09:50:47.0
action: updated fieldName: Date Fixed newValue: 2015-09-24 02:50:46.0 oldValue: Blank oprid: uogra recordName: RQ_DEFECT timpestamp: 2015-09-24 09:50:47.0
action: updated fieldName: Priority newValue: 2 oldValue: 0 oprid: preethi recordName: RQ_DEFECT timpestamp: 2015-07-21 11:40:09.0
action: updated fieldName: Severity newValue: 2 oldValue: 3 oprid: preethi recordName: RQ_DEFECT timpestamp: 2015-07-21 11:40:09.0
action: updated fieldName: Reason newValue: Blank oldValue: Blank oprid: preethi recordName: RQ_DEFECT timpestamp: 2015-07-21 11:33:30.0
action: updated fieldName: Status newValue: ToFix oldValue: Unverified oprid: preethi recordName: RQ_DEFECT timpestamp: 2015-07-21 11:33:30.0
action: updated fieldName: Fix By Product Milestone newValue: Beta oldValue: Blank oprid: preethi recordName: RQ_DEFECT timpestamp: 2015-07-21 11:33:30.0
action: updated fieldName: Fix By Milestone newValue: Beta oldValue: Blank oprid: preethi recordName: RQ_DEFECT timpestamp: 2015-07-21 11:33:30.0
action: updated fieldName: Owner newValue: uogra oldValue: preethi oprid: preethi recordName: RQ_DEFECT timpestamp: 2015-07-21 11:33:30.0
action: updated fieldName: Fix By Product Milestone newValue: Blank oldValue: Blank oprid: prk recordName: RQ_DEFECT timpestamp: 2015-07-21 11:26:12.0
action: updated fieldName: Dev Assigned newValue: uogra oldValue: sandeepp oprid: prk recordName: RQ_DEFECT timpestamp: 2015-07-21 11:26:12.0
action: updated fieldName: Product newValue: ColdFusion oldValue: ColdFusion Builder oprid: prk recordName: RQ_DEFECT timpestamp: 2015-07-21 11:26:12.0
action: updated fieldName: Version newValue: 12.0 oldValue: 3.1 oprid: prk recordName: RQ_DEFECT timpestamp: 2015-07-21 11:26:12.0
action: updated fieldName: QE Assigned newValue: preethi oldValue: prk oprid: prk recordName: RQ_DEFECT timpestamp: 2015-07-21 11:26:12.0
action: updated fieldName: Owner newValue: preethi oldValue: prk oprid: prk recordName: RQ_DEFECT timpestamp: 2015-07-21 11:26:12.0
Comment by CFwatson U.
3502 | March 09, 2016 04:38:24 AM GMT
Added By: preethi Note Added: The fix for this bug will be available in the next ColdFusion release. Thanks! Date Added: 2015-09-25 05:36:04.0
Added By: PreRelease User User Name: Adam Cameron Note Added: Entered Bug. Date Added: 2015-07-20 13:39:13.0
Comment by CFwatson U.
3503 | March 09, 2016 04:38:26 AM GMT