Fixinator fixes unscoped variables
By Pete Freitag
Last week's Adobe ColdFusion security update disabled searchImplicitScopes by default. Prior to that update, and for the past twenty five years, ColdFusion would search through the all the possible scopes until it found a matching variable.
As you can imagine this change caused quite a bit of work for ColdFusion developers who might have an unscoped variable or two in their applications. Many people had to set searchImplicitScopes=true
while they update their code. Since this change impacts security, I thought it would make sense to add some new features to Fixinator, my CFML code security scanning tool to help you easily find and fix (in some cases) these issues.
I'm happy to announce that today I've released Fixinator version 4.1.0 which can find such unscoped variables, and in many cases suggest a fix. Here's a demo:
In that example above it is suggesting to scope the variable with the query name as one of the options. That is a good example I think because it illustrates some of the complexity in finding these issues. If we are referencing a query column in a cfoutput with a query, then we actually don't technically need to scope this variable for it to work with searchImplicitScopes=false
, but we don't have any way of knowing in this case what the columns of the query are.
Intelligent Scanning
Now here's where Fixinator gets a bit more intelligent. Suppose you had defined a cfquery on the same page as the cfoutput tag. Fixinator would then know you are referencing a column of the query (as opposed to a form, url, cgi, cookie variable) which could be left unscoped.
So in other words, Fixinator is smart enough to know that this does not need to be fixed:
<cfquery name="myQuery"> SELECT some_variable FROM some_table </cfquery> <cfoutput encodefor="html" query="myQuery"> #some_variable# </cfoutput>
But what if you wanted to find and fix such cases anyways... well you can run fixinator with confidence=none
to show ALL the unscoped variables in your application.
To be clear, I am not advocating for mixing the model (cfquery) and view (cfoutput) tiers, but there are plenty of old applications written that way.
Fixinator is also smart enough to know that code like this will not search implicit scopes, so it won't flag code like this:
<cfset x = 1> <cfoutput encodefor="html"> #x# </cfoutput>
There are several other cases that it has to take into account such as arguments, local scope, var scope, etc.
How can I scan for just unscoped variables?
To scan for just this issue with fixinator you can use the option includeScanners=unscoped-variable
along with confidence=low
. As of this release these findings are marked with a low confidence, because it can be difficult to know for sure if there is an issue or not, due to including templates that might set the variable in the variables scope in one template, then use it in another. Fixinator runs at confidence=medium
by default so it will not pick them up unless you lower the confidence level.
Update: As of October 2024, Fixinator has a ColdFusion Compatibility Scanning Mode which can find all sorts of compatibility issues, including this one.
Ignoring on other engines
If you happen to be running lucee, and you don't want to see these issues in your report you can pass engines=lucee
to fixinator. By default issues for both Adobe and Lucee are returned, unless you tell it to focus on just one.
You can also use the ignoreScanners=unscoped-variable
option to skip this scanner.
Flagging searchImplicitScopes=true
In this update, Fixinator now also flags searchImplicitScopes=true
in your Application.cfc or Application.cfm files. This way you won't forget to remove this setting once you've fixed all the unscoped variables in your code.
How do I get this?
If you are already a customer using our cloud based scanning api then you don't need to do anything, the findings will show up on your next report. If you are an enterprise customer running your own Fixinator server, you'll need to login to your account, and download the latest copy. If you are not yet a customer, then you can start by downloading a free trial.
Fixinator fixes unscoped variables was first published on March 21, 2024.
If you like reading about fixinator, coldfusion, or security then you might also like:
- Ways to suppress a finding in Fixinator
- Fixinator and Foundeo Security Bundle
- Fixinator's New Compatibility Scanner
- ColdFusion Summit 2024 Slides: 20 ways to secure CF
The Fixinator Code Security Scanner for ColdFusion & CFML is an easy to use security tool that every CF developer can use. It can also easily integrate into CI for automatic scanning on every commit.
Try Fixinator