tracker issue : CFB-4130097

Title:

Security Code Analyzer reports false positives for upload code, and repeats warnings/errors


Status/Resolution/Reason: Closed/Fixed/

Reporter/Name(from Bugbase): A. Bakia / A. Bakia (A. Bakia)

Created: 03/18/2016

Components: Security Code Analyzer

Versions: 2016

Failure Type: Unspecified

Found In Build/Fixed In Build: Alpha_v31 /

Priority/Frequency: Trivial / Unknown

Locale/System: English / Win All

Vote Count: 0

Related Bugs:
CF-4087973 - Similar to


Problem Description: 
Security Code Analyzer reports warnings and errors where there should be none. It also reports the same warnings/errors repeatedly.

Steps to Reproduce:
1) Create a new ColdFusion project in Blizzard. Copy the attached 'uploads' directory into it.
2) Right-click on the uploads directory and select 'Run Security Analyzer'.

Actual Result:
(a) uploadFiles.cfm (Type: Error / Security Level: High) 
Cfqueryparam has not been used. 
Your CFquery code is vulnerable to SQL injection.
Your CFquery code is vulnerable to SQL injection.
Your CFquery code is vulnerable to SQL injection.
For upload and uploadall action of cffile tag , best practice is to use destination='#getTempDirectory()#' 

(b) uploadForm.cfm (Type: Error / Security Level: High) 
Your form is prone to CSRF attack
For upload and uploadall action of cffile tag , best practice is to use destination='#getTempDirectory()#' 
Your code is vulnerable to XSS attack

(c) multiUpload.cfm (Type: Error / Security Level: High) 
Your code is vulnerable to XSS attack

(d) uploadFiles.cfm (Type: Warning / Security Level: Low) 
Cfqueryparam has not been used. 
Your CFquery code is vulnerable to SQL injection.
Your CFquery code is vulnerable to SQL injection.
Your CFquery code is vulnerable to SQL injection.
For upload and uploadall action of cffile tag , best practice is to use destination='#getTempDirectory()#' 

(e) uploadForm.cfm (Type: Warning / Security Level: Low) 
Your code is vulnerable to XSS attack
Your form is prone to CSRF attack
For upload and uploadall action of cffile tag , best practice is to use destination='#getTempDirectory()#' 

(f) uploadForm2.cfm (Type: Warning / Security Level: Low) 
For upload and uploadall action of cffile tag , best practice is to use destination='#getTempDirectory()#' 
Your form is prone to CSRF attack

(g) uploadWithArchiving.cfm (Type: Warning / Security Level: Low) 
For upload and uploadall action of cffile tag , best practice is to use destination='#getTempDirectory()#' 
For upload and uploadall action of cffile tag , best practice is to use destination='#getTempDirectory()#' 
Your code is vulnerable to file injection
Your form is prone to CSRF attack

(h) uploadWithArchiving.cfm (Type: Warning / Security Level: Low) 
Your code is vulnerable to file injection
Your form is prone to CSRF attack
For upload and uploadall action of cffile tag , best practice is to use destination='#getTempDirectory()#' 
For upload and uploadall action of cffile tag , best practice is to use destination='#getTempDirectory()#' 

(i) uploadForm.cfm (Type: Warning / Security Level: Low) 
Your code is vulnerable to XSS attack
Your form is prone to CSRF attack
For upload and uploadall action of cffile tag , best practice is to use destination='#getTempDirectory()#' 

(j) uploadForm2.cfm (Type: Warning / Security Level: Low) 
For upload and uploadall action of cffile tag , best practice is to use destination='#getTempDirectory()#' 
Your form is prone to CSRF attack

(k) uploadWithArchiving.cfm (Type: Warning / Security Level: Low) 
Your code is vulnerable to file injection
Your form is prone to CSRF attack
For upload and uploadall action of cffile tag , best practice is to use destination='#getTempDirectory()#' 
For upload and uploadall action of cffile tag , best practice is to use destination='#getTempDirectory()#' 

Expected Result:
1) I expected no repetition in the reports. They currently contain too many repetitions.
2) I find it ambiguous that a report of Type: Error / Security Level: High (a) is exactly the same as a report of Type: Warning / Security Level: Low (d).
3) My choice of upload directory, c:/uploads, is out of the webroot. So I expect no suggestion about using destination='#getTempDirectory()#'.
4) I do not expect that the "CFquery code is vulnerable to SQL injection". The inserted values come from the cffile struct.

Any Workarounds: 
Not applicable.
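For reference, the following handler is an added example of the upload pattern the analyzer's three messages point at (upload into getTempDirectory(), then validate and move; cfqueryparam on every inserted value; a CSRF token on the form). It is not taken from the attached uploads.zip. The datasource name uploadsDSN, the table uploads, the form field names and the out-of-webroot store c:/uploads (the directory named in the report) are assumptions. Note that cffile.clientFile is the filename the browser sent, so a value read from the cffile result struct can still be user controlled.

```cfml
<!--- uploadForm.cfm (illustrative): the token ties the POST to this session --->
<cfoutput>
<form action="uploadFiles.cfm" method="post" enctype="multipart/form-data">
    <input type="hidden" name="csrfToken" value="#csrfGenerateToken()#">
    <input type="file" name="fileUpload">
    <input type="submit" value="Upload">
</form>
</cfoutput>

<!--- uploadFiles.cfm (illustrative) --->
<cfparam name="form.csrfToken" default="">

<!--- 1. Reject any POST that does not carry the token issued with the form --->
<cfif NOT csrfVerifyToken(form.csrfToken)>
    <cfthrow type="Security" message="Invalid CSRF token.">
</cfif>

<!--- 2. Upload into the temp directory first, never straight into the final location.
     strict="true" makes accept= check the file content, not the client-supplied MIME type --->
<cffile action="upload"
        fileField="fileUpload"
        destination="#getTempDirectory()#"
        nameConflict="makeunique"
        accept="image/jpeg,image/png"
        strict="true"
        result="upload">

<!--- 3. Validate what was actually stored; discard anything that is not an image --->
<cfset uploadedPath = upload.serverDirectory & "/" & upload.serverFile>
<cfif NOT isImageFile(uploadedPath)>
    <cfset fileDelete(uploadedPath)>
    <cfthrow type="Security" message="Uploaded file is not an image.">
</cfif>

<!--- 4. Move it to the out-of-webroot store (assumed: c:/uploads) under a server-generated name --->
<cfset storedName = createUUID() & "." & lCase(listLast(upload.serverFile, "."))>
<cfset fileMove(uploadedPath, "c:/uploads/" & storedName)>

<!--- 5. Parameterise every value, including those read from the cffile result struct --->
<cfquery datasource="uploadsDSN">
    INSERT INTO uploads (stored_name, original_name, content_type, file_size)
    VALUES (
        <cfqueryparam value="#storedName#" cfsqltype="cf_sql_varchar">,
        <cfqueryparam value="#upload.clientFile#" cfsqltype="cf_sql_varchar" maxlength="255">,
        <cfqueryparam value="#upload.contentType#" cfsqltype="cf_sql_varchar">,
        <cfqueryparam value="#upload.fileSize#" cfsqltype="cf_sql_integer">
    )
</cfquery>
```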

----------------------------- Additional Watson Details -----------------------------

Watson Bug ID:	4130097

External Customer Info:
External Company: (withheld for privacy)
External Customer Name: A. Bakia
External Customer Email: A.BAKIG@CHELLO.NL
External Test Config:  


Bug File Paths:
\\sjshare.corp.adobe.com\Prereleasebugfiles\ColdFusion Builder\3.1\Alpha_v31\4049701\uploads.zip

Attachments:

Comments:

Added By: prk
Note Added: Following is the status of this bug:
1. Issue is fixed, this is available in the latest release
2. This is as designed.
3. This behavior is as designed, it is just a suggestion, it will be flagged as a warning.
4. Tracking this issue separately, logged a different bug for the same.
Thanks!
Date Added: 2015-12-22 12:35:37.0

Added By: PreRelease User
User Name: Jason Dean
Note Added: I would love to get a copy of the attachment for this ticket to try things out.
Date Added: 2015-10-26 20:28:28.0

Added By: PreRelease User
User Name: A. Bakia
Note Added: Sorry about the missing attachment. Here it is.
Date Added: 2015-09-15 07:22:30.0

Added By: prk
Note Added: Please provide the attachment, it's missing.
Date Added: 2015-09-14 09:52:24.0

Added By: PreRelease User
User Name: A. Bakia
Note Added: Entered Bug.
Date Added: 2015-09-04 12:46:23.0
Comment by CFwatson U.
26498 | March 18, 2016 05:30:16 AM GMT