Last week’s Adobe ColdFusion security update disabled searchImplicitScopes by default. Prior to that update, and for the past twenty five years, ColdFusion would search through all the possible scopes until it found a matching variable, so an unscoped reference that had not been set in the variables scope could be satisfied by an attacker-supplied url, form, cookie or cgi value.

As you can imagine this change caused quite a bit of work for ColdFusion developers who might have an unscoped variable or two in their applications. Many people had to set searchImplicitScopes=true while they updated their code. Since this change impacts security, I thought it would make sense to add some new features to Fixinator, my CFML code security scanning tool, to help you easily find and (in some cases) fix these issues.
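To make the security point concrete, here is an added CFML example of my own, not code from this post or from Fixinator. It shows a constructed legacy template that only sets isAdmin for admin sessions, the Application.cfc stopgap that restores the old lookup (this.searchImplicitScopes is the Application.cfc form of the switch), and the scoped version of the same template. The template name, the session layout and the included file are assumptions.

```cfml
<!--- Application.cfc (constructed): the stopgap many sites applied while fixing code.
      Weak while it stays true, because it restores the old lookup for every
      template in the application. Set it to false once the templates are scoped. --->
<cfcomponent>
    <cfset this.name = "legacyapp">
    <cfset this.sessionManagement = true>
    <cfset this.searchImplicitScopes = true>
</cfcomponent>

<!--- report.cfm, before (constructed): isAdmin is only ever set for admin sessions --->
<cfif structKeyExists(session, "user") and session.user.role eq "admin">
    <cfset isAdmin = true>
</cfif>
<!--- For an anonymous request variables.isAdmin does not exist, so with implicit
      scope search ColdFusion keeps looking: cgi, then url, form, cookie (and client).
      A request for report.cfm?isAdmin=true therefore reaches the include. --->
<cfif isDefined("isAdmin") and isAdmin>
    <cfinclude template="admin-controls.cfm">
</cfif>

<!--- report.cfm, after: the flag is initialised and every read and write names its
      scope, so no request parameter can stand in for it, whatever
      searchImplicitScopes is set to --->
<cfset variables.isAdmin = false>
<cfif structKeyExists(session, "user") and session.user.role eq "admin">
    <cfset variables.isAdmin = true>
</cfif>
<cfif variables.isAdmin>
    <cfinclude template="admin-controls.cfm">
</cfif>
```

The "after" template is what the scanner's suggested fix amounts to: initialise the variable and prefix it with variables. (or whichever scope it really lives in), and the value of searchImplicitScopes stops mattering for that line.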

I’m happy to announce that today I’ve released Fixinator version 4.1.0 which can find such unscoped variables, and in many cases suggest a fix. Here’s a demo:

[Screenshot: Fixinator reporting an unscoped variable and suggesting scoped fixes]

In the example above, one of the suggested fixes is to scope the variable with the query name. I think that is a good example because it illustrates some of the complexity in finding these issues. If the variable is a query column referenced inside a cfoutput with a query attribute, then it technically does not need to be scoped to keep working with searchImplicitScopes=false, but in this case Fixinator has no way of knowing what the columns of the query are.

Intelligent Scanning

Now here’s where Fixinator gets a bit more intelligent. Suppose you had defined the cfquery on the same page as the cfoutput tag. Fixinator would then know you are referencing a column of the query (as opposed to a form, url, cgi or cookie variable), which can safely be left unscoped.

So in other words, Fixinator is smart enough to know that this does not need to be fixed:

<cfquery name="myQuery">
    SELECT some_variable 
    FROM some_table
</cfquery>
<cfoutput encodefor="html" query="myQuery">
     #some_variable#
</cfoutput>

But what if you want to find and fix such cases anyway? You can run Fixinator with confidence=none to show ALL the unscoped variables in your application, including the ones it would otherwise treat as safe query columns.

To be clear, I am not advocating for mixing the model (cfquery) and view (cfoutput) tiers, but there are plenty of old applications written that way.

Fixinator is also smart enough to know that the variables scope is checked before any implicit scope, so code like this does not depend on implicit scope search and won’t be flagged:

<cfset x = 1>
<cfoutput encodefor="html">
    #x#
</cfoutput>

There are several other cases it has to take into account, such as function arguments, the local scope and variables declared with var.
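The function-scope cases the sentence above lists, as an added CFML example of my own (this is my reading of ColdFusion's lookup rules, not Fixinator's code or a description of how it classifies these). The component, its method names and the sample values are constructed.

```cfml
<!--- OrderService.cfc (constructed): which unscoped names inside a function
      actually depend on implicit scope search? --->
component {

    // variables scope of the CFC instance: shared by every call, and by every
    // request if the instance is cached in the application scope
    variables.label = "Order";

    public string function describe(required numeric id) {
        var prefix = label & " ";                 // var makes prefix function-local;
                                                  // label resolves to variables.label
        local.suffix = " (id " & arguments.id & ")";

        // Each unscoped read here is resolved before any implicit scope is consulted:
        //   prefix -> local.prefix (declared with var)
        //   id     -> arguments.id
        // so the function behaves the same with searchImplicitScopes=false.
        // describe(123) returns "Order 123 (id 123)".
        return prefix & id & local.suffix;
    }

    public numeric function nextSequence(required numeric id) {
        // No var/local on the write: seq lands in the instance's variables scope,
        // i.e. it is shared state rather than a local. The unscoped read that
        // follows still resolves to that variables-scope copy, so this call is
        // safe but leaky. A template that later reads seq unscoped without this
        // function ever having run is the case implicit search could satisfy
        // from url or form.
        seq = arguments.id + 1;
        return seq;
    }
}
```

The practical rule: a name that is an argument, a var/local declaration, or a query column in the enclosing cfoutput/cfloop is not "unscoped" in the sense that matters here; anything else that is read before being written in the same request is.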

How can I scan for just unscoped variables?

To scan for just this issue with Fixinator, use the option includeScanners=unscoped-variable along with confidence=low. As of this release these findings are marked with low confidence, because it can be difficult to know for sure whether there is an issue: one template may set the variable in the variables scope and another, included template may then read it unscoped. Fixinator runs at confidence=medium by default, so it will not report them unless you lower the confidence level.

Ignoring on other engines

If you happen to be running Lucee and you don’t want to see these issues in your report, you can pass engines=lucee to Fixinator. By default issues for both Adobe ColdFusion and Lucee are returned, unless you tell it to focus on just one.

You can also use the ignoreScanners=unscoped-variable option to skip this scanner.

Flagging searchImplicitScopes=true

In this update, Fixinator also flags searchImplicitScopes=true in your Application.cfc or Application.cfm files, so you won’t forget to remove this setting once you’ve fixed all the unscoped variables in your code.

How do I get this?

If you are already a customer using our cloud based scanning API then you don’t need to do anything; the findings will show up on your next report. If you are an enterprise customer running your own Fixinator server, you’ll need to log in to your account and download the latest copy. If you are not yet a customer, you can start by downloading a free trial.

Fixinator fixes unscoped variables was first published on March 21, 2024.
