I wanted to get some information about the 3.2 release. Security is all the rage these days, what with all the Cross Site Scripting and SQL Injection attacks. As Model-Glue is your front controller, it would be the natural place to do some protection.
John Mason wrote Portcullis, a library that handles scanning for XSS, SQL Injection and other important security input scanning features. I've just implemented it in a branch of Model-Glue and I'm thinking through how best to make it configurable in your applications. First, let's talk about what Portcullis/MG does.
XSSCross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which enable malicious attackers to inject client-side script into web pages viewed by other users. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. Cross-site scripting carried out on websites were roughly 80% of all documented security vulnerabilities as of 2007. Their impact may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site, and the nature of any security mitigations implemented by site owner. ( http://en.wikipedia.org/wiki/Cross-site_scripting )
In this case, an alert will pop up, but we really are executing java script and can use many different attack vectors. Portcullis will scan the input and sanitize this.
Post Portcullis: This is my profile.. <IMG SRC="[INVALID]alert#40;#39;XSS#39;#41;#59;">, isn't it nice.
So, you can see, Portcullis detected some sketchy input, sanitized it, and now it is rendered harmless when displayed in the browser.
SQL InjectionSQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another. SQL injection attacks are also known as SQL insertion attacks. ( http://en.wikipedia.org/wiki/Sql_injection )
ExampleThis is a common one, even gaining it's own comic (http://xkcd.com/327/). Basically, the attacker tries to shove in some SQL into an input. Portcullis scans and sanitizes these sorts of attacks also.
a';DROP TABLE users; SELECT * FROM data WHERE 't' = 't
In this case, the user has crafted a special string so that when the input value is used in an SQL statement, several statements are sent to the database.
SELECT * FROM users WHERE name = 'a';DROP TABLE users; SELECT * FROM DATA WHERE 't' = 't';
When Portcullis gets something like this, it sanitizes the dangerous input.
a';[Invalid] TABLE users; [Invalid] * FROM data WHERE 't' = 't
None of this will execute in an SQL engine, because it is no longer valid SQL. It is best practice to use CFQueryparam to help prevent SQL Injection, but Portcullis can help out too. Especially in cases where CFQueryparam isn't consistently applied.
SummarySo you can see there is a lot of value in using something like Portcullis to consistently protect and sanitize your inputs. What I've done is incorporate the project into Model-Glue and make it easy to use. Basically, if you want to protect everything, then you should be able to flip a switch in your ColdSpring.xml file. This will be good for some sites, and help out in a big way. However, we want to make sure we are adding maximum value and giving you, the Model-Glue users, the ability to use this in a flexible, and useful manner.
I'd like to see discussion on how this feature might be used, how folks would want to use it and any gotchas or pitfalls that you can see. Please use the comments, or the MG Mailing List for your questions and concerns.