Blogged: ColdFusion, ColdBox and ORM: Data Security

I just blogged a quick tip on preventing users from manipulating your
ORM application with ColdBox.

You can read about it here:
http://aarongreenlee.com/share/coldbox-coldfusion-orm-data-security/

Hopefully, everyone is already doing this. If not, take a moment to
lock down your app. ColdBox makes this so easy there is no reason not
to do so!

Thanks,

Aaron Greenlee

Thanks Aaron, include/exclude are precious!!

Also, when is your blog going to be ready? I want to migrate my blog to it.

Luis F. Majano
President
Ortus Solutions, Corp

ColdBox Platform: http://www.coldbox.org
Linked In: http://www.linkedin.com/pub/3/731/483
Blog: http://www.luismajano.com
IECFUG Manager: http://www.iecfug.com

Nice post Aaron (sorry about being dense on twitter earlier!)

Think I’ve spotted a minor typo if it helps;

if (!ValidationService.validate(User)) {

should be

if (!ValidationService.validate(rc.User)) {

and

ORMService.save(User);

should be

ORMService.save(rc.User);

Hope that’s useful and I’m not just being irritating :)

@Luis, I did blog about the environment control changes in CB3 if you’re aggregating them.
http://www.aliaspooryorik.com/blog/index.cfm/e/posts.details/post/coldbox-environments-using-machine-name-279

There’s so much cool stuff in 3 I expect I’ll add some more soon - thanks for all the hard work.

John

Call me stupid if you like, but how is that checking to see if password and
passwordConfirm match?

Regards,
Andrew Scott
http://www.andyscott.id.au/

From: coldbox@googlegroups.com [mailto:coldbox@googlegroups.com] On
Behalf Of Aaron Greenlee
Sent: Thursday, 12 August 2010 1:33 AM
To: ColdBox Platform
Subject: [coldbox:5194] Blogged: ColdFusion, ColdBox and ORM: Data
Security


The details would be in the ValidationService, which isn't shown, but
he seems to be using HyRule annotations. HyRule is a RiaForge project
aimed at doing validation that fits in nicely with Hibernate. Read up
on Dan Vega's blog:
http://www.danvega.org/blog/index.cfm/2009/11/23/Getting-started-with-Hyrule-validation-framework

In particular, the validation rules are in the bean definition, the
first code posting on that page:

19    /** Used to capture the password from the User.
20        Hyrule Rules
21        @Password 6,20,medium */
22    property name='PasswordPlain' length='35' setter=false;
23
24    /** Used only for validation on password changes.
25        Hyrule Rules
26        @IsMatch PasswordPlain */
27    property name='PasswordConfirm' persistent=false length='35';

The first rule says that it is a password, should be between 6 and 20
characters and meet the "Medium" strength definition. The second rule
says that PasswordConfirm should match the field PasswordPlain.

Hope that helps,
Judah

Thanks Judah, I am aware of that.

My point is simple, if there was a condition to see if the passwordPlain and
passwordConfirm match before populating the bean, then the blog becomes
obsolete in that example.

I don't see how the validation service is doing this check. In other words
it won't matter if the passwords match, because it will always change the
password in this example.

Regards,
Andrew Scott
http://www.andyscott.id.au/

From: coldbox@googlegroups.com [mailto:coldbox@googlegroups.com] On
Behalf Of Judah McAuley
Sent: Thursday, 12 August 2010 3:11 AM
To: coldbox@googlegroups.com
Subject: Re: [coldbox:5202] Blogged: ColdFusion, ColdBox and ORM: Data
Security


Thanks everyone.

Andrew,
To verify the passwords match, I use Hyrule. Hyrule has a rule which I applied in the JavaDoc notation “@IsMatch PasswordPlain”.

My next post may be on a wrapper I use for Hyrule.

Thanks,

Aaron

Luis,

The blog has been opened to a small team to help get it ready for
prime time. If you would like to help get it ready for public
consumption, I can add you to the Assembla space.

Thanks,

Aaron

Cheers Aaron, I am not too familiar with Hyrule as yet, so I was interested to see how it was happening and didn’t see that.

Any chance you can post or blog the ValidationService for others, I am personally interested in what you have done in that.

Regards,

Andrew Scott

http://www.andyscott.id.au/

Ah, here is the bit of code (in the handler) that does the part you
are asking about:

        // Data Validation
        if (!ValidationService.validate(rc.User)) {
            // Invalid User Input. Send back to the form.
            Flash.persistRC('User');
            setNextEvent('user.changePassword');
        }

        // The data is valid, so, save the User's new password
        ORMService.save(rc.User);

        setNextEvent('user.showUpdate');

So you pass the populated bean to the ValidationService which returns
a boolean. If it doesn't pass the validation check, the code does a
setNextEvent back to the form which will do an immediate redirect,
meaning that it never hits the ORMService.save(rc.User) call. If it
does pass validation, then it will hit the ORMService call, save it,
then do a redirect to the showUpdate event.

Cheers,
Judah
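As an added, language-neutral model of the flow discussed in this thread (not code from the post, ColdBox or Hyrule): an include list restricts which request keys reach the bean, the two Hyrule rules quoted above (@Password 6,20,medium and @IsMatch PasswordPlain) are checked, and save only happens when validation passes. It assumes a "medium" strength definition of letters plus digits, and a plain dict stands in for the request collection.

```python
import re

# Constructed sample: a password-change form submission as it would appear
# in the request collection. "Role" stands in for any property the form was
# never meant to set; the include list below must drop it.
SAMPLE_RC = {"PasswordPlain": "s3cretPass", "PasswordConfirm": "s3cretPass",
             "Role": "admin"}

class User:
    def __init__(self):
        self.PasswordPlain = ""
        self.PasswordConfirm = ""
        self.Role = "member"

def populate(bean, rc, include):
    """Copy only include-listed rc keys onto the bean.
    Returns the ignored keys so a handler can log them."""
    ignored = []
    for key, value in rc.items():
        if key in include:
            setattr(bean, key, value)
        else:
            ignored.append(key)
    return ignored

def medium_strength(pw):
    # Assumed definition of "medium": at least one letter and one digit.
    return bool(re.search(r"[A-Za-z]", pw)) and bool(re.search(r"\d", pw))

def validate(bean):
    """Mirror of the two rules from the entity: length 6-20 and medium
    strength on PasswordPlain, PasswordConfirm must match PasswordPlain."""
    errors = []
    pw = bean.PasswordPlain
    if not 6 <= len(pw) <= 20:
        errors.append("PasswordPlain must be 6-20 characters")
    if not medium_strength(pw):
        errors.append("PasswordPlain must mix letters and digits")
    if bean.PasswordConfirm != bean.PasswordPlain:
        errors.append("PasswordConfirm must match PasswordPlain")
    return errors

def change_password(rc, saved):
    """Handler flow: populate, validate, save only when there are no errors.
    `saved` is a list standing in for ORMService.save()."""
    user = User()
    ignored = populate(user, rc, include={"PasswordPlain", "PasswordConfirm"})
    errors = validate(user)
    if errors:
        return "user.changePassword", errors, ignored   # back to the form
    saved.append(user)
    return "user.showUpdate", errors, ignored
```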

No, it is actually that I missed line 26 of the entity, Judah.

Regards,
Andrew Scott
http://www.andyscott.id.au/

From: coldbox@googlegroups.com [mailto:coldbox@googlegroups.com] On
Behalf Of Judah McAuley
Sent: Thursday, 12 August 2010 3:40 AM
To: coldbox@googlegroups.com
Subject: Re: [coldbox:5208] Blogged: ColdFusion, ColdBox and ORM: Data
Security


Any chance you can share that wrapper in here today? I am really curious how this works in ColdBox, as there are absolutely no examples on this for ColdBox at the moment.

Regards,

Andrew Scott

http://www.andyscott.id.au/

I've updated the post to include the BaseObject that User extends (in
production) and the ValidationService (which requires that the object it
is validating has the "error methods").

http://aarongreenlee.com/share/coldbox-coldfusion-orm-data-security/

Cheers for that Aaron, but I sort of worked it out a little differently to
you.

I will also point out that there is a var scope issue there, and as that
service is a singleton I hope that is only an example you provided.

On another note, I want to let people also know that they could have done
this.

ValidationService.cfc

component extends="coldbox.system.orm.hibernate.hyrule.Validator" {

    public boolean function validate(required any Object, string include, string exclude) {
        arguments.Object.clearErrors();

        var errors = super.validate(arguments.Object);

        // Report the outcome as a boolean so the handler's
        // if (!ValidationService.validate(rc.User)) check works.
        return !errors.hasErrors();
    }

}

And the init function would not be necessary either.

As it will do the same thing. Hope this helps others out as well. Thanks
Aaron for sharing.

Regards,
Andrew Scott
http://www.andyscott.id.au/

From: coldbox@googlegroups.com [mailto:coldbox@googlegroups.com] On
Behalf Of Aaron Greenlee
Sent: Thursday, 12 August 2010 5:37 AM
To: ColdBox Platform
Subject: [coldbox:5212] Re: Blogged: ColdFusion, ColdBox and ORM: Data
Security


Thanks. Fixed my var issue. I messed it up when porting it for the Blog.

I’m going to use your recommendation to extend Hyrule from ColdBox. When I started this a few months ago Hyrule was new on the block and not yet in ColdBox. I forgot I could simplify. I appreciate it.

That’s ok, I am having some issues with the super.validate(); if you sort it out before I do, let me know.

Regards,

Andrew Scott

http://www.andyscott.id.au/

Ok, I thought I would share this with others. I am not sure if this is a Coldbox problem or not, but the following code will crash the ColdFusion service.

component extends="coldbox.system.orm.hibernate.hyrule.Validator" singleton {

    public boolean function validate(required any Object) {

        var errors = super.validate(arguments.Object);

        if (!errors.hasErrors())
            return true;

        return false;
    }

}

Whereas this will actually work.

component singleton {

    import coldbox.system.orm.hibernate.hyrule.Validator;

    public boolean function validate(required any Object) {

        var errors = new Validator().validate(arguments.Object);

        if (!errors.hasErrors())
            return true;

        return false;
    }

}

Can anyone confirm if this is a problem with ColdBox or maybe something that Hyrule doesn’t take into consideration?

Regards,

Andrew Scott

http://www.andyscott.id.au/

Aaron, I have been playing around with this; can you answer a few
questions please?

In the user.cfc you have passwordPlain setter=false, which seems to make the
validation always fail. Have you experienced this in your travels before?

Regards,
Andrew Scott
http://www.andyscott.id.au/

From: coldbox@googlegroups.com [mailto:coldbox@googlegroups.com] On
Behalf Of Aaron Greenlee
Sent: Thursday, 12 August 2010 5:37 AM
To: ColdBox Platform
Subject: [coldbox:5212] Re: Blogged: ColdFusion, ColdBox and ORM: Data
Security


Andrew, that is a mistake on my part.

I extracted the code from a production site and pulled a bunch of stuff out. PasswordPlain should have a setter. Sorry.

Thanks, Aaron. I sort of went through all the code and figured that this was a mistake.

Regards,

Andrew Scott

http://www.andyscott.id.au/