One of the nice side effects to installing the latest ColdFusion security hotfix is that ColdFusion 8 and ColdFusion 9 now both include the jar files for the OWASP ESAPI or Enterprise Security API.
This means that it?s now very very easy to leverage this powerful security API from within your ColdFusion code.
Here?s a quick example of how you might use the ESAPI encoder to prevent cross site scripting:
<cfset esapi = CreateObject("java", "org.owasp.esapi.ESAPI")>
<cfset esapiEncoder = esapi.encoder()>
<cfoutput><p>Hello #esapiEncoder.encodeForHTML(url.name)#</p></cfoutput>
The Encoder class has methods for encoding all kinds of input so they can be safely used in various contexts. Here?s a listing some handy encoders:
- encodeForHTMLAttribute - used for encoding a string inside of a HTML attribute.
- encodeForURL - used for encoding inside of a url, eg: in a href
- encodeForJavaScript - used for an input inside a javascript variable or in a function argument.
- encodeForCSS - used for encoding variable inside of CSS (eg inline style attributes)
- encodeForXML - encoding variables inside XML
- encodeForXPath - encode variables in an XPath query
What else can ESAPI do?
ESAPI also provides helpers for Validation, Encryption, Logging, Randomization, and more. Checkout the docs to see what it can do.
ESAPI Java Classes
- org.owasp.esapi.ESAPI - The ESAPI Locator Class is used to get the implementation of the validator, encoder, etc.
- org.owasp.esapi.Encoder - The ESAPI Encoder
Comments
It looks like Adobe didn't include all of the required ESAPI dependencies, so while the Encoder seems to work you will need to test other interface methods to make sure they work. For example, the NekoHTML library is missing which means some of the Validator methods will not work.
I guess I should have qualified my previous comment as applying to CF801. It looks like CF9, or at least CF901, does include NekoHTML. It is also worth noting that the CF8 and CF9 updates include different versions of the ESAPI.
@Nathan - Yes I was aware of that. Actually it looks like CF9 doesn't have AntiSamy jars but CF8 does... I was planning on figuring this stuff out (which dependencies are missing) and then doing another blog entry on that.
Pete - in the interest of learning more about where important files are - what is the location for this class on a CF server? I see the ESAPIutils in the latest hotfix JAR, but once installed, where do they end up?
@Michael - Most jar files used by ColdFusion internally will end up in the lib directory, if you look at the hotfix under the lib directory it has you place esapi-2.0_rc10.jar (for CF9) in there. The lib directory is located under your ColdFusion root, or in /WEB-INF/cfusion/lib on j2ee installs. The ESAPIUtils is simply a class file contained within the hotfix jar, this is a utility class that the ColdFusion engineers must have created to work with ESAPI internally.
Lately we had problems to access the CF admin. The index page would always throw an ESAPI related error. It said: "Object instantiation exception. An exception occurred while instantiating a Java object. The class must not be an interface or an abstract class. Error: org/owasp/esapi/errors/EncodingException. The specific sequence of files included or processed is: Path_to_CFIDE\administrator\index.cfm, line: 69" All other applications were still running without a problem, it was just the CF admin which was unaccessible. Finally we made a backup of the CFIDE directory and replaced it with the one of another instance. I know, it's not the best way to go, but, it solved the ESAPI problem. ;-) Do you guys have any idea what may have caused the problem? I'd much rather have a proper way of dealing with this.
@Chris - Yes that error means that the security hotfix was not applied properly. It could be because you tried applying the 9.0.1 hotfix to 9.0, or just missed a step.
@Pete - Thanks, I'll forward this to the server administrator. Hopefully this time all patches will be applied in the correctorder. ;-)
@Max - Yes that is correct, the ESAPI jars appear to be used in the ColdFusion administrator and other places within ColdFusion. There is also no guarantee that these jars will be there in future versions. That's a point I probably should have made in the blog entry, thanks for pointing it out!
@Max that's true you could run into some issues there, but a way around that is to use something like JavaLoader.
Everything is running great with the encoder However is anyone running to this situation with antiSamy: I am guessing a dependency is missing? Code: <cfset var policyfile = expandPath("/includes/antisamy/antisamy-ebay-1.4.4.xml")> <cfset var antiSamy = createObject("java","org.owasp.validator.html.AntiSamy")> <Cfset antiSamy.scan("this is a string",policyfile).getCleanHTML()> Causes an error :org/cyberneko/html/parsers/DOMFragmentParser Detail: java.lang.NoClassDefFoundError: org/cyberneko/html/parsers/DOMFragmentParser at org.owasp.validator.html.scan.AntiSamyDOMScanner.scan(AntiSamyDOMScanner.java:166) at org.owasp.validator.html.AntiSamy.scan(AntiSamy.java:89) at org.owasp.validator.html.AntiSamy.scan(AntiSamy.java:105) at sun.reflect.GeneratedMethodAccessor107.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at coldfusion.runtime.java.JavaProxy.invoke(JavaProxy.java:99) at coldfusion.runtime.CfJspPage._invoke(CfJspPage.java:2272) at cfsecurity2ecfc1516477374$funcCLEANHTML.runFunction(D:\inetpub\web_sites\web\RD\RC\Web\includes\cfcs\security.cfc:83) at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:418) at coldfusion.filter.SilentFilter.invoke(SilentFilter.java:47) at coldfusion.runtime.UDFMethod$ReturnTypeFilter.invoke(UDFMethod.java:360) at coldfusion.runtime.UDFMethod$ArgumentCollectionFilter.invoke(UDFMethod.java:324) at coldfusion.filter.FunctionAccessFilter.invoke(FunctionAccessFilter.java:59) at coldfusion.runtime.UDFMethod.runFilterChain(UDFMethod.java:277) at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:192) at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:448) at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:308) at coldfusion.runtime.CfJspPage._invoke(CfJspPage.java:2272) at cftest2ecfm2013895906.runPage(D:\inetpub\web_sites\web\RD\RC\Web\test.cfm:18) at coldfusion.runtime.CfJspPage.invoke(CfJspPage.java:196) at coldfusion.tagext.lang.IncludeTag.doStartTag(IncludeTag.java:370) at coldfusion.filter.CfincludeFilter.invoke(CfincludeFilter.java:65) at coldfusion.filter.ApplicationFilter.invoke(ApplicationFilter.java:282) at coldfusion.filter.RequestMonitorFilter.invoke(RequestMonitorFilter.java:48) at coldfusion.filter.MonitoringFilter.invoke(MonitoringFilter.java:40) at coldfusion.filter.PathFilter.invoke(PathFilter.java:86) at coldfusion.filter.LicenseFilter.invoke(LicenseFilter.java:27) at coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:70) at coldfusion.filter.BrowserDebugFilter.invoke(BrowserDebugFilter.java:74) at coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28) at coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:38) at coldfusion.filter.NoCacheFilter.invoke(NoCacheFilter.java:46) at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:38) at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22) at coldfusion.CfmServlet.service(CfmServlet.java:198) at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:89) at jrun.servlet.FilterChain.doFilter(FilterChain.java:86) at coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:42) at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:46) at jrun.servlet.FilterChain.doFilter(FilterChain.java:94) at jrun.servlet.FilterChain.service(FilterChain.java:101) at jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:106) at jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42) at jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:286) at jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:543) at jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java:203) at jrunx.scheduler.ThreadPool$DownstreamMetrics.invokeRunnable(ThreadPool.java:320) at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:428) at jrunx.scheduler.ThreadPool$UpstreamMetrics.invokeRunnable(ThreadPool.java:266) at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)
@George The AntiSamy jar was only included in CF8 security hotfixes, it's also worth noting that CF8 and CF9 use different versions of ESAPI. The other dependencies for AntiSamy are: batik-css.jar, batick-ext.jar, batik-util.jar, nekohtml.jar and xercesImpl.jar checkout this blog entry for some more details on AntiSamy: http://www.petefreitag.com/item/760.cfm
@Peter Thanks for the Quick reply and the great presentation. I pulled the ESAPI and from the CF security patch and anded the jar files antisamy-1.3-20091014.183120-2.jar and ESAPI-1.4.4.jar to my CFLib. Part of me was thinking thats all i should need. So you are say that we should still add the dependencies from your 760.cfm article to use the method: ESAPI.validatior().isValidSafeHTML(htmlContent) BTW sorry there was a typo <Cfset antiSamy.scan("this is a string",policyfile).getCleanHTML()> is <Cfset antiSamy.scan("this is a string",policyfile)>
@George, correct you will need to add some more jars to your classpath to get the isValidSafeHTML method to work.