cflint / CFLint

Static code analysis for CFML (a linter)
BSD 3-Clause "New" or "Revised" License

getting false positives on escaped pounds #571

Closed esanfordwss closed 6 years ago

esanfordwss commented 6 years ago

https://github.com/cflint/CFLint/blob/ea8ffcdf83a73b5238ed02276f2463ebde44679c/src/main/java/com/cflint/plugins/core/QueryParamChecker.java#L26

Should be [^#]#[^#] instead of .#[^#]

ryaneberly commented 6 years ago

@esanfordwss, Thanks!

KamasamaK commented 6 years ago

There should be a test added that produces the false positive with the old pattern. Also, there should be one that handles more complex combinations like

<cfquery name="query" datasource="dsn">
    SELECT  *
    FROM    Table
    WHERE   column = '###foo###'
</cfquery>

ryaneberly commented 6 years ago

@KamasamaK. Makes sense, reopening.

KamasamaK commented 6 years ago

I just tested with the following in 1.4.1, and still get a false positive

<cfquery name="testQuery" datasource="dsn">
    SELECT  *
    FROM    Table
    WHERE   column = '##Hello##'
</cfquery>
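To see why the two patterns behave differently on the queries above, here is an added Python example (not CFLint code) that runs the original pattern and the proposed one from this thread over constructed query bodies, next to a small scanner that treats '##' as an escaped literal the way CFML does; the pattern strings and the '##Hello##' / '###foo###' cases come from the comments above, the scanner is an assumed reference approach, and the remaining sample queries are constructed.

```python
import re

# Patterns as quoted in the thread: the checker's original one and the proposed replacement.
OLD_PATTERN = re.compile(r".#[^#]")
PROPOSED_PATTERN = re.compile(r"[^#]#[^#]")

# Constructed <cfquery> bodies for illustration (not CFLint's own test data).
# In CFML '##' is a literal pound; a single '#' opens or closes an interpolation,
# which is what a query-param checker wants to flag inside a cfquery body.
SAMPLES = {
    "escaped_only":   "SELECT * FROM Table WHERE column = '##Hello##'",
    "escaped_around": "SELECT * FROM Table WHERE column = '###foo###'",  # ## #foo# ##
    "interpolated":   "SELECT * FROM Table WHERE column = '#url.id#'",
    "leading":        "#sql# WHERE 1 = 1",
}


def interpolations(sql):
    """Single pass over the query text: skip '##' as an escaped literal, and treat a
    lone '#' as the start of an expression that runs to the next '#'. Returns the
    expressions found; an unclosed '#' is reported as-is rather than ignored."""
    found, i, n = [], 0, len(sql)
    while i < n:
        if sql[i] != "#":
            i += 1
        elif i + 1 < n and sql[i + 1] == "#":
            i += 2                     # escaped '##'
        else:
            end = sql.find("#", i + 1)
            if end == -1:
                found.append(sql[i + 1:])
                break
            found.append(sql[i + 1:end])
            i = end + 1
    return found


def compare(sql):
    """Verdict of each approach on one query body: True means 'flag this query'."""
    return {
        "old": bool(OLD_PATTERN.search(sql)),
        "proposed": bool(PROPOSED_PATTERN.search(sql)),
        "scanner": bool(interpolations(sql)),
    }


if __name__ == "__main__":
    for name, sql in SAMPLES.items():
        print(f"{name:15} {compare(sql)}  expressions={interpolations(sql)}")
```

The old pattern flags '##Hello##' (the false positive reported here), while the proposed one misses '###foo###' even though it does contain a real #foo# interpolation, which is the kind of case the requested test should cover.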

ryaneberly commented 6 years ago

fixed in dev.