ColdFusion's Builtin Enterprise Security API


One of the nice side effects of installing the latest ColdFusion security hotfix is that ColdFusion 8 and ColdFusion 9 now both include the jar files for the OWASP ESAPI, or Enterprise Security API.

This means that it’s now very easy to leverage this powerful security API from within your ColdFusion code.

Here’s a quick example of how you might use the ESAPI encoder to prevent cross-site scripting:

<!--- Get the ESAPI locator, then ask it for the Encoder implementation --->
<cfset esapi = CreateObject("java", "org.owasp.esapi.ESAPI")>
<cfset esapiEncoder = esapi.encoder()>
<!--- url.name is untrusted input; encode it at the point where it is written into HTML text --->
<cfoutput><p>Hello #esapiEncoder.encodeForHTML(url.name)#</p></cfoutput>

The Encoder class has methods for encoding all kinds of input so it can be safely used in various output contexts. Here’s a listing of some handy encoders:

  • encodeForHTMLAttribute - used for encoding a string inside of an HTML attribute.
  • encodeForURL - used for encoding a value inside of a URL, e.g. a parameter in an href.
  • encodeForJavaScript - used for input placed inside a JavaScript variable or a function argument.
  • encodeForCSS - used for encoding a variable inside of CSS (e.g. inline style attributes).
  • encodeForXML - used for encoding variables inside XML.
  • encodeForXPath - used for encoding variables in an XPath query.
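As an added example (not code from the original post), here is one untrusted value rendered into five different output contexts, each with the matching ESAPI encoder. The sample value, the page path and the variable names are constructed for illustration:

```cfml
<!--- Added example, not from the original post. Variable names and the search page path are
      assumptions; the untrusted value is constructed to contain quotes, angle brackets and an ampersand. --->
<cfset esapi = CreateObject("java", "org.owasp.esapi.ESAPI")>
<cfset enc = esapi.encoder()>

<!--- In a real page this would come from url, form or a database; never trust it as-is --->
<cfset untrusted = 'O''Neil <b>& "Sons"</b>'>

<cfoutput>
<!--- 1. HTML text node --->
<p>Customer: #enc.encodeForHTML(untrusted)#</p>

<!--- 2. HTML attribute value: keep the attribute quoted as well as encoded --->
<input type="text" name="customer" value="#enc.encodeForHTMLAttribute(untrusted)#">

<!--- 3. URL query-string parameter: encode the parameter value, not the whole URL --->
<a href="/search.cfm?q=#enc.encodeForURL(untrusted)#">Find orders</a>

<!--- 4. JavaScript string literal: the value sits inside a quoted JS string --->
<script type="text/javascript">
    var customer = "#enc.encodeForJavaScript(untrusted)#";
</script>

<!--- 5. CSS value inside an inline style attribute --->
<div style="font-family: '#enc.encodeForCSS(untrusted)#'">#enc.encodeForHTML(untrusted)#</div>
</cfoutput>
```

The point of picking the encoder per context is that the encoders are not interchangeable: output of encodeForHTML dropped into the JavaScript string above would still let a quote character end the string, because HTML entity encoding means nothing to the JavaScript parser. Encode once, at output time, with the encoder for the place the value lands.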

What else can ESAPI do?

ESAPI also provides helpers for Validation, Encryption, Logging, Randomization, and more. Check out the docs to see what it can do.

ESAPI Java Documentation

  • ESAPI - The ESAPI Locator Class is used to get the implementation of the validator, encoder, etc.
  • Encoder - The ESAPI Encoder java docs


Comments

On 03/17/2011 at 4:47:33 PM UTC Nathan Mische wrote:
1
It looks like Adobe didn't include all of the required ESAPI dependencies, so while the Encoder seems to work you will need to test other interface methods to make sure they work. For example, the NekoHTML library is missing which means some of the Validator methods will not work.

On 03/17/2011 at 4:54:15 PM UTC Nathan Mische wrote:
2
I guess I should have qualified my previous comment as applying to CF801. It looks like CF9, or at least CF901, does include NekoHTML. It is also worth noting that the CF8 and CF9 updates include different versions of the ESAPI.

On 03/17/2011 at 5:04:28 PM UTC Pete Freitag wrote:
3
@Nathan - Yes I was aware of that. Actually it looks like CF9 doesn't have AntiSamy jars but CF8 does... I was planning on figuring this stuff out (which dependencies are missing) and then doing another blog entry on that.

On 03/18/2011 at 11:03:46 AM UTC Michael wrote:
4
Pete - in the interest of learning more about where important files are - what is the location for this class on a CF server? I see the ESAPIutils in the latest hotfix JAR, but once installed, where do they end up?

On 03/18/2011 at 3:35:51 PM UTC Pete Freitag wrote:
5
@Michael - Most jar files used by ColdFusion internally will end up in the lib directory, if you look at the hotfix under the lib directory it has you place esapi-2.0_rc10.jar (for CF9) in there. The lib directory is located under your ColdFusion root, or in /WEB-INF/cfusion/lib on j2ee installs.

The ESAPIUtils is simply a class file contained within the hotfix jar; this is a utility class that the ColdFusion engineers must have created to work with ESAPI internally.

On 03/21/2011 at 5:58:21 AM UTC Chris wrote:
6
Lately we had problems accessing the CF admin. The index page would always throw an ESAPI related error. It said: "Object instantiation exception. An exception occurred while instantiating a Java object. The class must not be an interface or an abstract class. Error: org/owasp/esapi/errors/EncodingException. The specific sequence of files included or processed is: Path_to_CFIDE\administrator\index.cfm, line: 69"

All other applications were still running without a problem; it was just the CF admin which was inaccessible. Finally we made a backup of the CFIDE directory and replaced it with the one from another instance. I know it's not the best way to go, but it solved the ESAPI problem. ;-)

Do you guys have any idea what may have caused the problem? I'd much rather have a proper way of dealing with this.

On 03/25/2011 at 3:02:38 PM UTC Pete Freitag wrote:
7
@Chris - Yes that error means that the security hotfix was not applied properly. It could be because you tried applying the 9.0.1 hotfix to 9.0, or just missed a step.

On 03/29/2011 at 4:17:44 AM UTC Chris wrote:
8
@Pete - Thanks, I'll forward this to the server administrator. Hopefully this time all patches will be applied in the correct order. ;-)

On 04/05/2011 at 10:00:27 PM UTC Max Spicer wrote:
9
Am I right in thinking that Adobe have only included ESAPI because they're now using it in the Administrator? If this is the case, then I'd be a bit nervous about relying on it always being around. Especially given that Adobe don't appear to have bundled all the expected dependencies, wouldn't sites be better off manually downloading the ESAPI libs and including them in ColdFusion's default classpath? True, this would require an administrator to keep things up to date, but then what guarantee is there that Adobe will be updating the bundled ESAPI libs anyway?

Of course, what we really want is new built in functions that call through to ESAPI. One for CFX maybe?

On 04/05/2011 at 10:02:26 PM UTC Pete Freitag wrote:
10
@Max - Yes that is correct, the ESAPI jars appear to be used in the ColdFusion administrator and other places within ColdFusion. There is also no guarantee that these jars will be there in future versions.

That's a point I probably should have made in the blog entry, thanks for pointing it out!
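As an added example (not code from the original post or from Adobe), an Application.cfc that checks at application start that the bundled ESAPI classes can be loaded and that the encoder actually encodes, so a missing or removed jar fails loudly at startup rather than on the first request. The component name, application name and log file name are assumptions:

```cfml
<!--- Added example, not from the original post. Application name and log file name are assumptions. --->
<cfcomponent output="false">
    <cfset this.name = "esapiAvailabilityDemo">

    <cffunction name="onApplicationStart" returntype="boolean" output="false">
        <!--- CF8 requires var declarations at the top of the function --->
        <cfset var esapi = "">
        <cfset var probe = "">

        <cftry>
            <!--- Throws an object instantiation error if the ESAPI jar is not on the classpath --->
            <cfset esapi = CreateObject("java", "org.owasp.esapi.ESAPI")>

            <!--- Exercise the encoder once so a missing transitive dependency surfaces here too --->
            <cfset probe = esapi.encoder().encodeForHTML("<ok>")>
            <cfif Find("<", probe) OR Find(">", probe)>
                <cfthrow type="ESAPIUnavailable"
                         message="ESAPI encoder did not encode markup: #probe#">
            </cfif>

            <!--- Cache the encoder so request code does not re-create the locator each time --->
            <cfset application.esapiEncoder = esapi.encoder()>

            <cfcatch type="any">
                <cflog file="application" type="error"
                       text="ESAPI unavailable, refusing to start: #cfcatch.message#">
                <!--- Fail closed: starting without an encoder would ship unencoded output --->
                <cfrethrow>
            </cfcatch>
        </cftry>

        <cfreturn true>
    </cffunction>
</cfcomponent>
```

Pages then use #application.esapiEncoder.encodeForHTML(value)# and friends. Rethrowing rather than logging and continuing is deliberate: an application that starts without its encoder would silently render untrusted input unencoded, which is exactly the failure the check exists to catch.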

On 04/06/2011 at 4:52:20 AM UTC Max wrote:
11
Thinking about it a bit more, I'm not sure how people could go about installing their own version of ESAPI. Now that Adobe have included a version in ColdFusion's lib dir, you'd have to specifically replace this version or ensure you install a version in a location that comes first in the Java classpath. This local version would then replace that used by the Administrator, which could potentially cause issues (especially if you wanted to use ESAPI 2.0 locally?).

All in all, it may have been better if Adobe had renamed the ESAPI packages so as not to affect non-internal usage.

On 04/06/2011 at 11:35:08 AM UTC Pete Freitag wrote:
12
@Max that's true, you could run into some issues there, but a way around that is to use something like JavaLoader.

On 04/07/2011 at 1:54:34 PM UTC Knut wrote:
13
Hi,

I have a question concerning ESAPI. I can not find anything on the web about my problem.

I'm using ColdFusion 8.0.1 Enterprise (multi-server installation) running under Linux. I've updated to the latest security hotfixes.

Now I'm getting an "esapi.log" error when starting the servers.

Can anyone tell me where (in what path) ESAPI tries to write/read the "esapi.log" file?

Error message:

log4j:ERROR setFile(null,true) call failed.
java.io.FileNotFoundException: esapi.log (Permission denied)
    at java.io.FileOutputStream.openAppend(Native Method)
    at java.io.FileOutputStream.<init>(Unknown Source)
    at java.io.FileOutputStream.<init>(Unknown Source)
    at org.apache.log4j.FileAppender.setFile(FileAppender.java:272)
    at org.apache.log4j.FileAppender.activateOptions(FileAppender.java:151)
    at org.apache.log4j.config.PropertySetter.activate(PropertySetter.java:247)
    at org.apache.log4j.config.PropertySetter.setProperties(PropertySetter.java:123)
    at org.apache.log4j.config.PropertySetter.setProperties(PropertySetter.java:87)
    at org.apache.log4j.PropertyConfigurator.parseAppender(PropertyConfigurator.java:645)
    at org.apache.log4j.PropertyConfigurator.parseCategory(PropertyConfigurator.java:603)
    at org.apache.log4j.PropertyConfigurator.parseCatsAndRenderers(PropertyConfigurator.java:524)
    at org.apache.log4j.PropertyConfigurator.doConfigure(PropertyConfigurator.java:408)
    at org.apache.log4j.PropertyConfigurator.doConfigure(PropertyConfigurator.java:432)
    at org.apache.log4j.helpers.OptionConverter.selectAndConfigure(OptionConverter.java:460)
    at org.apache.log4j.LogManager.<clinit>(LogManager.java:145)
    at org.apache.log4j.Category.getInstance(Category.java:530)
    at org.apache.commons.logging.impl.Log4jFactory.getInstance(Log4jFactory.java:140)
    at org.apache.commons.logging.impl.LogFactoryImpl.getInstance(LogFactoryImpl.java:257)
    at org.apache.commons.logging.LogFactory.getLog(LogFactory.java:390)
    at com.opensymphony.oscache.base.AbstractCacheAdministrator.<clinit>(AbstractCacheAdministrator.java:34)
    at java.lang.Class.forName0(Native Method)
    at java.lang.Class.forName(Unknown Source)
    at flex.server.j2ee.cache.CacheFilter.class$(CacheFilter.java:53)
    at flex.server.j2ee.cache.CacheFilter.<clinit>(CacheFilter.java:63)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
    at java.lang.reflect.Constructor.newInstance(Unknown Source)
    at java.lang.Class.newInstance0(Unknown Source)
    at java.lang.Class.newInstance(Unknown Source)
    at coldfusion.bootstrap.ClassloaderHelper.initFilterClass(ClassloaderHelper.java:123)
    at coldfusion.bootstrap.BootstrapFilter.init(BootstrapFilter.java:34)
    at jrun.servlet.FilterObject.init(FilterObject.java:63)
    at jrun.servlet.FilterManager.loadFilter(FilterManager.java:220)
    at jrun.servlet.FilterManager.init(FilterManager.java:158)
    at jrun.servlet.FilterManager.create(FilterManager.java:75)
    at jrun.servlet.WebApplicationService.start(WebApplicationService.java:227)
    at jrun.ea.EnterpriseApplication.start(EnterpriseApplication.java:194)
    at jrun.deployment.DeployerService.initModules(DeployerService.java:708)
    at jrun.deployment.DeployerService.createWatchedDeployment(DeployerService.java:243)
    at jrun.deployment.DeployerService.deploy(DeployerService.java:428)
    at jrun.deployment.DeployerService.checkWatchedDirectories(DeployerService.java:179)
    at jrun.deployment.DeployerService.run(DeployerService.java:889)
    at jrunx.scheduler.SchedulerService.invokeRunnable(SchedulerService.java:230)
    at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:428)
    at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)

I hope that somebody can help me.

Regards .. Knut

On 04/07/2011 at 3:35:56 PM UTC Knut wrote:
14
OK - I've found the solution myself :-) Under Linux I just had to add the complete path to the "esapi.log" file in the "log4j.properties" file of each server.

On 05/19/2011 at 2:37:54 PM UTC George Schaffer wrote:
15
Everything is running great with the encoder. However, is anyone running into this situation with AntiSamy:

I am guessing a dependency is missing? Code:

<cfset var policyfile = expandPath("/includes/antisamy/antisamy-ebay-1.4.4.xml")>
<cfset var antiSamy = createObject("java","org.owasp.validator.html.AntiSamy")>
<cfset antiSamy.scan("this is a string",policyfile).getCleanHTML()>

Causes an error: org/cyberneko/html/parsers/DOMFragmentParser
Detail: java.lang.NoClassDefFoundError: org/cyberneko/html/parsers/DOMFragmentParser
    at org.owasp.validator.html.scan.AntiSamyDOMScanner.scan(AntiSamyDOMScanner.java:166)
    at org.owasp.validator.html.AntiSamy.scan(AntiSamy.java:89)
    at org.owasp.validator.html.AntiSamy.scan(AntiSamy.java:105)
    at sun.reflect.GeneratedMethodAccessor107.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at coldfusion.runtime.java.JavaProxy.invoke(JavaProxy.java:99)
    at coldfusion.runtime.CfJspPage._invoke(CfJspPage.java:2272)
    at cfsecurity2ecfc1516477374$funcCLEANHTML.runFunction(D:\inetpub\web_sites\web\RD\RC\Web\includes\cfcs\security.cfc:83)
    at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:418)
    at coldfusion.filter.SilentFilter.invoke(SilentFilter.java:47)
    at coldfusion.runtime.UDFMethod$ReturnTypeFilter.invoke(UDFMethod.java:360)
    at coldfusion.runtime.UDFMethod$ArgumentCollectionFilter.invoke(UDFMethod.java:324)
    at coldfusion.filter.FunctionAccessFilter.invoke(FunctionAccessFilter.java:59)
    at coldfusion.runtime.UDFMethod.runFilterChain(UDFMethod.java:277)
    at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:192)
    at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:448)
    at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:308)
    at coldfusion.runtime.CfJspPage._invoke(CfJspPage.java:2272)
    at cftest2ecfm2013895906.runPage(D:\inetpub\web_sites\web\RD\RC\Web\test.cfm:18)
    at coldfusion.runtime.CfJspPage.invoke(CfJspPage.java:196)
    at coldfusion.tagext.lang.IncludeTag.doStartTag(IncludeTag.java:370)
    at coldfusion.filter.CfincludeFilter.invoke(CfincludeFilter.java:65)
    at coldfusion.filter.ApplicationFilter.invoke(ApplicationFilter.java:282)
    at coldfusion.filter.RequestMonitorFilter.invoke(RequestMonitorFilter.java:48)
    at coldfusion.filter.MonitoringFilter.invoke(MonitoringFilter.java:40)
    at coldfusion.filter.PathFilter.invoke(PathFilter.java:86)
    at coldfusion.filter.LicenseFilter.invoke(LicenseFilter.java:27)
    at coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:70)
    at coldfusion.filter.BrowserDebugFilter.invoke(BrowserDebugFilter.java:74)
    at coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28)
    at coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:38)
    at coldfusion.filter.NoCacheFilter.invoke(NoCacheFilter.java:46)
    at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:38)
    at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22)
    at coldfusion.CfmServlet.service(CfmServlet.java:198)
    at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:89)
    at jrun.servlet.FilterChain.doFilter(FilterChain.java:86)
    at coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:42)
    at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:46)
    at jrun.servlet.FilterChain.doFilter(FilterChain.java:94)
    at jrun.servlet.FilterChain.service(FilterChain.java:101)
    at jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:106)
    at jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42)
    at jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:286)
    at jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:543)
    at jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java:203)
    at jrunx.scheduler.ThreadPool$DownstreamMetrics.invokeRunnable(ThreadPool.java:320)
    at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:428)
    at jrunx.scheduler.ThreadPool$UpstreamMetrics.invokeRunnable(ThreadPool.java:266)
    at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)

On 05/19/2011 at 2:45:11 PM UTC Pete Freitag wrote:
16
@George The AntiSamy jar was only included in CF8 security hotfixes, it's also worth noting that CF8 and CF9 use different versions of ESAPI.

The other dependencies for AntiSamy are: batik-css.jar, batik-ext.jar, batik-util.jar, nekohtml.jar and xercesImpl.jar. Check out this blog entry for some more details on AntiSamy: http://www.petefreitag.com/item/760.cfm

On 05/19/2011 at 3:10:48 PM UTC George M Schaffer wrote:
17
@Peter Thanks for the quick reply and the great presentation.

I pulled the ESAPI from the CF security patch and added the jar files antisamy-1.3-20091014.183120-2.jar and ESAPI-1.4.4.jar to my CFLib.

Part of me was thinking that's all I should need.

So you are saying that we should still add the dependencies from your 760.cfm article to use the method: ESAPI.validator().isValidSafeHTML(htmlContent)

BTW sorry there was a typo: <cfset antiSamy.scan("this is a string",policyfile).getCleanHTML()>

is

<cfset antiSamy.scan("this is a string",policyfile)>

On 05/19/2011 at 4:25:49 PM UTC Pete Freitag wrote:
18
@George, correct you will need to add some more jars to your classpath to get the isValidSafeHTML method to work.
