From: coldbox@googlegroups.com [mailto:coldbox@googlegroups.com] On
Behalf Of Aaron Greenlee
Sent: Thursday, 12 August 2010 1:33 AM
To: ColdBox Platform
Subject: [coldbox:5194] Blogged: ColdFusion, ColdBox and ORM: Data
Security
I just blogged a quick tip on preventing users from manipulating your ORM
application with ColdBox.
In particular, the validation rules are in the bean definition, the
first code posting on that page:
    /** Used to capture the password from the User.
        Hyrule Rules
        @Password 6,20,medium */
    property name='PasswordPlain' length='35' setter=false;

    /** Used only for validation on password changes.
        Hyrule Rules
        @IsMatch PasswordPlain */
    property name='PasswordConfirm' persistent=false length='35';
The first rule says that it is a password, should be between 6 and 20
characters and meet the "Medium" strength definition. The second rule
says that PasswordConfirm should match the field PasswordPlain.
My point is simple: if there was a condition to see if the passwordPlain and
passwordConfirm match before populating the bean, then the blog becomes
obsolete in that example.
I don't see how the validation service is doing this check. In other words
it won't matter if the passwords match, because it will always change the
password in this example.
The blog has been opened to a small team to help get it ready for
prime time. If you would like to help get it ready for public
consumption, I can add you to the Assembla space.
Ah, here is the bit of code (in the handler) that does the part you
are asking about:
    // Data Validation
    if (!ValidationService.validate(rc.User)) {
        // Invalid User Input. Send back to the form.
        Flash.persistRC('User');
        setNextEvent('user.changePassword');
    }

    // The data is valid, so, save the User's new password
    ORMService.save(rc.User);

    setNextEvent('user.showUpdate');
So you pass the populated bean to the ValidationService which returns
a boolean. If it doesn't pass the validation check, the code does a
setNextEvent back to the form which will do an immediate redirect,
meaning that it never hits the ORMService.save(rc.User) call. If it
does pass validation, then it will hit the ORMService call, save it,
then do a redirect to the showUpdate event.
Cheers,
Judah
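As an added illustration (not code from Aaron's post, not Hyrule, and not ColdBox's own validation), here is one way the two annotated rules from the bean definition above (@Password min,max,strength and @IsMatch otherProperty) can be enforced by a small annotation-driven validator, together with the handler flow Judah walks through. It also sketches the "error methods" the thread says the validated object must provide. Everything not quoted in the thread is an assumption: BaseObject's shape, the names SimpleValidationService, getPropertyValue, addError/hasErrors/getErrors/clearErrors, the "medium" strength definition, and the handler wiring. CFML (ColdFusion 9 script syntax), one component per file as the comments indicate.

```cfml
// ---- model/BaseObject.cfc : the "error methods" the validator relies on (assumed shape)
component {
    variables.errors = [];

    public void function addError(required string field, required string message) {
        arrayAppend(variables.errors, { field = arguments.field, message = arguments.message });
    }
    public boolean function hasErrors()   { return arrayLen(variables.errors) GT 0; }
    public array   function getErrors()   { return variables.errors; }
    public void    function clearErrors() { variables.errors = []; }

    // Reads a property value by name without evaluate() or dynamic method calls
    // (ORM stores property values in the variables scope).
    public any function getPropertyValue(required string name) {
        return structKeyExists(variables, arguments.name) ? variables[arguments.name] : "";
    }
}

// ---- model/User.cfc : the two properties quoted in the thread, on top of BaseObject
component persistent="true" table="users" extends="BaseObject" {
    property name="id" fieldtype="id" generator="native";

    /** Used to capture the password from the User.
        Hyrule Rules
        @Password 6,20,medium */
    property name="PasswordPlain" length="35" setter="false";

    /** Used only for validation on password changes.
        Hyrule Rules
        @IsMatch PasswordPlain */
    property name="PasswordConfirm" persistent="false" length="35";

    // setter=false suppresses the generated setter, so the entity supplies its own
    // (assumption: the blog's BaseObject/wrapper does something equivalent).
    public any function setPasswordPlain(required string value) {
        variables.PasswordPlain = arguments.value;
        return this;
    }
}

// ---- model/SimpleValidationService.cfc : reads the property annotations, records failures on the target
component {

    // Returns true when every annotated rule passed, false otherwise; this is the
    // boolean contract the handler below depends on.
    public boolean function validate(required any target) {
        var props = getMetadata(arguments.target).properties;
        var i = 0;
        arguments.target.clearErrors();

        for (i = 1; i LTE arrayLen(props); i++) {
            var prop  = props[i];
            var value = arguments.target.getPropertyValue(prop.name);

            // @Password min,max,strength  (annotation value arrives as the string "6,20,medium")
            if (structKeyExists(prop, "Password")) {
                var rule = listToArray(prop.Password);
                if (len(value) LT rule[1] OR len(value) GT rule[2]) {
                    arguments.target.addError(prop.name, "must be between #rule[1]# and #rule[2]# characters");
                }
                // "medium" is defined here, for this example only, as letters plus digits;
                // the thread does not quote Hyrule's own definition.
                if (rule[3] EQ "medium" AND NOT (reFind("[A-Za-z]", value) AND reFind("[0-9]", value))) {
                    arguments.target.addError(prop.name, "must contain both letters and digits");
                }
            }

            // @IsMatch otherProperty : the check the thread is asking about
            if (structKeyExists(prop, "IsMatch")) {
                var other = arguments.target.getPropertyValue(prop.IsMatch);
                // compare() is case-sensitive; EQ would treat "Secret1" and "secret1" as equal
                if (compare(value, other) NEQ 0) {
                    arguments.target.addError(prop.name, "must match #prop.IsMatch#");
                }
            }
        }
        return NOT arguments.target.hasErrors();
    }
}

// ---- handlers/user.cfc : the flow Judah describes, with an explicit return after the relocation
component extends="coldbox.system.EventHandler" {

    // ValidationService and ORMService are assumed to be injected (wiring omitted)
    public void function doChangePassword(required any event) {
        var rc = event.getCollection();
        // rc.User is the entity populated from the form earlier in the request (not shown)

        // Data Validation
        if (!ValidationService.validate(rc.User)) {
            // Invalid User Input. Send back to the form.
            Flash.persistRC('User');
            setNextEvent('user.changePassword');
            return; // setNextEvent relocates; the return makes it explicit that the save below is unreachable
        }

        // The data is valid, so, save the User's new password
        ORMService.save(rc.User);
        setNextEvent('user.showUpdate');
    }
}
```

With PasswordPlain set to "secret1" and PasswordConfirm to "secret2", validate() records an IsMatch error on PasswordConfirm and returns false, so the handler relocates and ORMService.save() is never reached; with both set to "secret1" the rules pass and the save runs. The validator is entirely driven by the annotations in the property doc comments, which is the same mechanism the thread attributes to Hyrule, but the rule names and their interpretation here are this example's own.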
> Thanks Judah, I am aware of that.
>
> My point is simple: if there was a condition to see if the
> passwordPlain and passwordConfirm match before populating the bean,
> then the blog becomes obsolete in that example.
>
> I don't see how the validation service is doing this check. In other
> words it won't matter if the passwords match, because it will always
> change the password in this example.
>
>
> Regards,
> Andrew Scott
> http://www.andyscott.id.au/
>
>
>
>> From: coldbox@googlegroups.com [mailto:coldbox@googlegroups.com] On
>> Behalf Of Judah McAuley
>> Sent: Thursday, 12 August 2010 3:11 AM
>> To: coldbox@googlegroups.com
>> Subject: Re: [coldbox:5202] Blogged: ColdFusion, ColdBox and ORM:
>> Data Security
>>
>> The details would be in the ValidationService, which isn't shown, but
>> he seems to be using HyRule annotations. HyRule is a RiaForge project
>> aimed at doing validation that fits in nicely with Hibernate. Read up on
>> Dan Vega's blog:
>> http://www.danvega.org/blog/index.cfm/2009/11/23/Getting-started-with-Hyrule-validation-framework
>>
>> In particular, the validation rules are in the bean definition, the
>> first code posting on that page:
>>
>>     /** Used to capture the password from the User.
>>         Hyrule Rules
>>         @Password 6,20,medium */
>>     property name='PasswordPlain' length='35' setter=false;
>>
>>     /** Used only for validation on password changes.
>>         Hyrule Rules
>>         @IsMatch PasswordPlain */
>>     property name='PasswordConfirm' persistent=false length='35';
>>
>>
>> The first rule says that it is a password, should be between 6 and 20
>> characters and meet the "Medium" strength definition. The second rule
>> says that PasswordConfirm should match the field PasswordPlain.
>>
>> Hope that helps,
>> Judah
>>
>> > Call me stupid if you like, but how is that checking to see if
>> > password and passwordConfirm match?
>> >
>> >
>> > Regards,
>> > Andrew Scott
>> > http://www.andyscott.id.au/
>> >
>> >
>> >> From: coldbox@googlegroups.com [mailto:coldbox@googlegroups.com] On
>> >> Behalf Of Aaron Greenlee
>> >> Sent: Thursday, 12 August 2010 1:33 AM
>> >> To: ColdBox Platform
>> >> Subject: [coldbox:5194] Blogged: ColdFusion, ColdBox and ORM: Data
>> >> Security
>> >>
>> >> I just blogged a quick tip on preventing users from manipulating
>> >> your ORM application with ColdBox.
>> >>
>> >> You can read about it here:
>> >> http://aarongreenlee.com/share/coldbox-coldfusion-orm-data-security/
>> >>
>> >> Hopefully, everyone is already doing this. If not, take a moment
>> >> to lock down your app. ColdBox makes this so easy there is no reason
>> >> not to do
Any chance you can share that wrapper in here today? I am really curious how this works in ColdBox, as there are absolutely no examples on this for ColdBox at the moment.
I've updated the post to include the BaseObject that User extends (in
production) and the ValidationService (which requires that the object it
is validating has the "error methods").
From: coldbox@googlegroups.com [mailto:coldbox@googlegroups.com] On
Behalf Of Aaron Greenlee
Sent: Thursday, 12 August 2010 5:37 AM
To: ColdBox Platform
Subject: [coldbox:5212] Re: Blogged: ColdFusion, ColdBox and ORM: Data
Security
I've updated the post to include the BaseObject that User extends (in
production) and the ValidationService (which requires the object that it
Thanks. Fixed my var issue. I messed it up when porting it for the Blog.
I’m going to use your recommendation to extend Hyrule from ColdBox. When I started this a few months ago Hyrule was new on the block and not yet in ColdBox. I forgot I could simplify. I appreciate it.
Ok, I thought I would share this with others. I am not sure if this is a Coldbox problem or not, but the following code will crash the ColdFusion service.