Sorcerer's Tower

QueryParam Scanner v0.7-dev

The latest development version of qpScanner is now in SVN at RIAForge.

It would be great if people could test it out and let me know of any issues they encounter.

As before, it is all self-contained, so it can be installed and run with minimal effort.

Note: As this is still the development version, you need to use the zip option at the bottom of the RIAForge page, not the "Download Project" link - the button will only give the old version.

When released, v0.7 will be a significant new version, so here is a quick discussion of the new features.

Significantly faster processing

Due to some awful code, v0.6 wasn't very fast - taking approximately 2 minutes to scan 1331 files.

With v0.7 things are much improved, and the same set of files takes 2-3 seconds to scan.
(Obviously performance will vary depending on files scanned plus the machine and CFML engine you use.)


More accurate scanning - reduced false positives

Previously, code such as <cfelseif doSomething("like#this#")> - where hashes are used inside CF tags - was reported as a risk. This has now been fixed, so there should be fewer (if any) false positives.


Multiple output formats

In addition to HTML output, you can now also specify XML or WDDX, to help handle the results with external tools.


Ability to specify file/directory exclusions

You can now specify a Regular Expression to determine files or directories to exclude.

A bit crude, but it works. I intend to extend this feature in future versions, to allow easier management and to skip known metadata automatically (e.g. .svn directories).


Include/exclude Query of Queries and built-in CFML functions

With v0.7 you can choose to ignore Query of Queries, which are less likely to be a risk.

You can also choose to ignore functions that return 'safe' values, such as #Now()#, #Val(...)# and #ArrayLen(...)#.
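To show what the two scanning refinements above amount to in practice (ignoring hashes inside nested CF tags, skipping Query of Queries, and skipping 'safe' functions), here is a deliberately small Python check written for this post; it is an added example, not qpScanner's own code, and the CFML it scans is constructed for illustration.

```python
import re

# Constructed sample CFML (not from qpScanner): q1 is the classic risk, q2 is parameterised
# and only uses hashes inside nested CF tags, q3 is a Query of Queries, q4 mixes both cases.
SAMPLE_CFML = '''
<cfquery name="q1" datasource="ds">
  SELECT * FROM users WHERE id = #url.id#
</cfquery>
<cfquery name="q2" datasource="ds">
  SELECT * FROM users WHERE name = <cfqueryparam value="#form.name#" cfsqltype="cf_sql_varchar">
  <cfif url.sort eq "#form.col#">ORDER BY name<cfelse>ORDER BY id</cfif>
</cfquery>
<cfquery name="q3" dbtype="query">
  SELECT * FROM q1 WHERE created > #Now()#
</cfquery>
<cfquery name="q4" datasource="ds">
  SELECT * FROM logs WHERE n = #Val(url.n)# AND d < #DateAdd("d", -1, Now())#
</cfquery>
'''

CFQUERY_RE = re.compile(r'<cfquery\b([^>]*)>(.*?)</cfquery>', re.I | re.S)
# Any CF tag nested in the query body, cfqueryparam included: hashes inside the tag
# itself are evaluated by CFML and never reach the database (the v0.6 false positive).
CFTAG_RE = re.compile(r'</?cf\w+\b[^>]*>', re.I)
HASH_RE = re.compile(r'#([^#]+)#')          # assumes no escaped ## literals in the SQL
SAFE_FUNCS = {'now', 'val', 'arraylen'}     # functions whose return value is 'safe'

def find_unparameterised(cfml, skip_qoq=True, skip_safe=True):
    """Return (query name, expression) for each #expr# sent raw to the database."""
    risks = []
    for m in CFQUERY_RE.finditer(cfml):
        attrs, body = m.group(1), m.group(2)
        name = re.search(r'name\s*=\s*"([^"]*)"', attrs, re.I)
        name = name.group(1) if name else '?'
        if skip_qoq and re.search(r'dbtype\s*=\s*"query"', attrs, re.I):
            continue                        # Query of Queries: no database behind it
        body = CFTAG_RE.sub('', body)       # keep tag contents, drop the tags themselves
        for h in HASH_RE.finditer(body):
            expr = h.group(1).strip()
            call = re.match(r'(\w+)\s*\(', expr)
            if skip_safe and call and call.group(1).lower() in SAFE_FUNCS:
                continue
            risks.append((name, expr))
    return risks

if __name__ == '__main__':
    for name, expr in find_unparameterised(SAMPLE_CFML):
        print(f'{name}: #{expr}# should be wrapped in <cfqueryparam>')
```

With the default options only q1 and the DateAdd() expression in q4 are reported; turning the options off brings back q3 and the Val() call.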


Ability to override the Request Timeout

It is now possible to override the default Request Timeout setting. If the scanner times out before finishing it will still return what it found up until that point.


qpScanner Eclipse Plugin

This is not yet in SVN, but it will be a part of the final v0.7 release.

I will be writing an entire blog entry about this plugin and my experiences in developing it (my first Eclipse plugin), but to quickly summarise: the plugin will allow you to conveniently scan files, directories, or projects from within CFEclipse, and it will support ad hoc per-project configurations.


Auto-fixing missing cfqueryparams - coming in v0.8

I had hoped to have auto-fixing in the next release, but it is not ready yet. Rather than make people wait for the improvements I've already made, I have decided to postpone auto-fixing until the following version.


If you have any problems or questions, please add a comment, or visit the QueryParam Scanner project page for contact details.