MG 3.2 Feature Sneak Peek - CF9 ORM Scaffolding

If you've been working on ColdFusion 9 for any length of time, you know how much faster and featureful the release is.

CF9 introduces a new ORM, built on Hibernate, that helps you build data-centric operations in record time. Bob Silverberg and Dennis Clark have put together support for Model-Glue and the new CF9 Hibernate ORM. Now you can use Generic Database Messages and Scaffolding with the shiny new CF9 software!

A version of this is in version control right now. We are doing some final testing over the next few weeks before we push this out in the upcoming version 3.2. If you want to take it for a test drive, drop us a line (or a comment below) and we'll get you a sneak copy of the new release.

New Model-Glue FAQ Available

We've been busy working on a Model-Glue FAQ section; check it out. We have our first few pieces of content up there, organized by topical section.

Model-Glue is a community project and we need you to help us identify topics and provide answers, so feel free to suggest any questions you would like to see in the FAQ. If you feel comfortable, you can add it to the FAQ along with the answer; if not, ping the Model-Glue mailing list and we'll get right on it.

A big thanks to Ezra Parker for setting this up for us...

MG 3.2 Feature Sneak Peek - Input Sanitization

I wanted to get some information about the 3.2 release. Security is all the rage these days, what with all the Cross Site Scripting and SQL Injection attacks. As Model-Glue is your front controller, it would be the natural place to do some protection.

John Mason wrote Portcullis, a library that handles scanning for XSS, SQL Injection and other important security input scanning features. I've just implemented it in a branch of Model-Glue and I'm thinking through how best to make it configurable in your applications. First, let's talk about what Portcullis/MG does.

XSS

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which enable malicious attackers to inject client-side script into web pages viewed by other users. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. Cross-site scripting carried out on websites were roughly 80% of all documented security vulnerabilities as of 2007.[1] Their impact may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site, and the nature of any security mitigations implemented by site owner. ( http://en.wikipedia.org/wiki/Cross-site_scripting )

Example

Say I have code allowing someone to upload a profile description. If the user adds an image tag with JavaScript inside, that JavaScript will be executed in the browser context of any person viewing the profile. You can see an example below.

This is my profile.. <IMG SRC="javascript:alert('XSS');" />, isn't it nice.

In this case, an alert will pop up, but we really are executing JavaScript and could use many different attack vectors. Portcullis will scan the input and sanitize this.

Form Text: This is my profile.. <IMG SRC="javascript:alert('XSS');" />, isn't it nice.
Post Portcullis: This is my profile.. &lt;IMG SRC="[INVALID]alert&#40;&#39;XSS&#39;&#41;&#59;"&gt;, isn't it nice.

So, you can see, Portcullis detected some sketchy input, sanitized it, and now it is rendered harmless when displayed in the browser.
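To make the two halves of that sanitization concrete, here is an added example (mine, not Portcullis or Model-Glue code) that does the same thing in Python: a script-URL scheme check that replaces `javascript:` with a visible `[INVALID]` marker, and a single-pass HTML encoder that turns `<`, `>`, quotes, parentheses and semicolons into character references so the browser renders the text instead of parsing it. The sample profile string is the one from the post; the function names and the flagging helper are my own.

```python
import re

# Sample input, constructed from the post's profile example.
SAMPLE_PROFILE = """This is my profile.. <IMG SRC="javascript:alert('XSS');" />, isn't it nice."""

# URL schemes that execute script. Whitespace between the letters is tolerated
# because browsers have historically ignored it when parsing the scheme.
SCRIPT_SCHEME = re.compile(
    r"(?i)\b(?:j\s*a\s*v\s*a\s*s\s*c\s*r\s*i\s*p\s*t|v\s*b\s*s\s*c\s*r\s*i\s*p\s*t)\s*:"
)

# One-pass encoding table. Besides the usual markup characters, parentheses and
# semicolons are encoded because they are what turns an attribute value into a call.
HTML_ENCODE = {
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
    "(": "&#40;", ")": "&#41;", ";": "&#59;",
}


def looks_like_script_injection(text: str) -> bool:
    """Detection only: true when the input carries a script URL scheme or a script tag.
    Useful for logging an alert before the value is sanitized."""
    return bool(SCRIPT_SCHEME.search(text)) or "<script" in text.lower()


def neutralize_script_urls(text: str) -> str:
    """Replace script URL schemes with a marker, in the spirit of Portcullis' [INVALID]."""
    return SCRIPT_SCHEME.sub("[INVALID]", text)


def encode_for_html(text: str) -> str:
    """Encode in a single pass so already-produced entities are never re-encoded."""
    return "".join(HTML_ENCODE.get(ch, ch) for ch in text)


def sanitize_profile(text: str) -> str:
    """Input scan first, then output encoding. Encoding alone already makes the
    markup inert; the scan adds a visible trace that something was stripped."""
    return encode_for_html(neutralize_script_urls(text))


if __name__ == "__main__":
    print("flagged:", looks_like_script_injection(SAMPLE_PROFILE))
    print(sanitize_profile(SAMPLE_PROFILE))
```

The encoder is deliberately a single character-to-entity pass rather than two chained replace calls: chaining `html.escape` with a later `;` replacement would corrupt the entities the first step produced. Output encoding is the defense that actually prevents the script from running; the scheme check is there so suspicious input can be logged and reviewed.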

SQL Injection

SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another. SQL injection attacks are also known as SQL insertion attacks.[1] ( http://en.wikipedia.org/wiki/Sql_injection )

Example

This is a common one, even earning its own comic (http://xkcd.com/327/). Basically, the attacker tries to shove some SQL into an input. Portcullis scans for and sanitizes these sorts of attacks too.

a';DROP TABLE users; SELECT * FROM data WHERE 't' = 't

In this case, the user has crafted a special string so that when the input value is used in an SQL statement, several statements are sent to the database.

SELECT * FROM users WHERE name = 'a';DROP TABLE users; SELECT * FROM DATA WHERE 't' = 't';

When Portcullis gets something like this, it sanitizes the dangerous input.

a';[Invalid] TABLE users; [Invalid] * FROM data WHERE 't' = 't

None of this will execute in an SQL engine, because it is no longer valid SQL. It is best practice to use cfqueryparam to prevent SQL injection, but Portcullis can help out too, especially in cases where cfqueryparam isn't consistently applied.
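The following is an added example of mine, not code from Portcullis or Model-Glue, showing why cfqueryparam is the primary defense and a scanner the backstop. It runs the post's payload against an in-memory SQLite database two ways: string concatenation (with `executescript` standing in for database drivers that accept stacked statements, which is where the post's `DROP TABLE` lands) and a bound parameter, which is the Python equivalent of cfqueryparam. A small detection helper flags stacked-statement patterns for logging. Table contents, function names and the pattern list are my assumptions.

```python
import re
import sqlite3

# Payload constructed from the post's example.
PAYLOAD = "a';DROP TABLE users; SELECT * FROM data WHERE 't' = 't"

# Detection only: a statement terminator followed by a data-changing or
# data-reading keyword is worth logging when it shows up in form input.
STACKED_SQL = re.compile(r";\s*(DROP|DELETE|INSERT|UPDATE|SELECT|UNION|ALTER)\b", re.IGNORECASE)


def fresh_db() -> sqlite3.Connection:
    """In-memory database with the two tables the post's payload refers to (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.execute("CREATE TABLE data (t TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice')")
    conn.commit()
    return conn


def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> bool:
    """Vulnerable: the input is spliced into the SQL text, so the quote ends the
    literal and the rest of the payload is parsed as further statements.
    Returns whether the users table survived."""
    sql = "SELECT * FROM users WHERE name = '" + name + "'"
    conn.executescript(sql)  # stands in for a driver that runs stacked statements
    return table_exists(conn, "users")


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened: the value is bound as a parameter (what cfqueryparam does in CFML),
    so the whole payload is compared as a string and never parsed as SQL."""
    return conn.execute("SELECT * FROM users WHERE name = ?", (name,)).fetchall()


def flag_stacked_sql(text: str) -> bool:
    """True when the input looks like a stacked-statement injection attempt."""
    return STACKED_SQL.search(text) is not None


if __name__ == "__main__":
    print("flagged:", flag_stacked_sql(PAYLOAD))
    print("users table after unsafe lookup:", lookup_unsafe(fresh_db(), PAYLOAD))
    db = fresh_db()
    print("safe lookup rows:", lookup_safe(db, PAYLOAD), "users intact:", table_exists(db, "users"))
```

The safe lookup simply returns no rows for the payload and leaves the table in place, which is the point: a bound parameter cannot change the shape of the query. The keyword flagger is for detection and logging; treating it as the only defense would miss inputs that do not match the pattern, which is the same limitation any scanner, Portcullis included, has.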

Summary

So you can see there is a lot of value in using something like Portcullis to consistently protect and sanitize your inputs. What I've done is incorporate the project into Model-Glue and make it easy to use. Basically, if you want to protect everything, then you should be able to flip a switch in your ColdSpring.xml file. This will be good for some sites, and help out in a big way. However, we want to make sure we are adding maximum value and giving you, the Model-Glue users, the ability to use this in a flexible, and useful manner.

I'd like to see discussion on how this feature might be used, how folks would want to use it and any gotchas or pitfalls that you can see. Please use the comments, or the MG Mailing List for your questions and concerns.

Free Model-Glue 3 Training

How much would you pay for Model-Glue training? What about Up To Date, State of the Art, Awesome Model-Glue training?

a) $3,000?

b) $5,000?

c) $10,000?

d) $1,000,000

(If you checked 'd', please call Dan Wilson. Immediately!)

For a limited time and with limited availability, you can have a whole day worth of timely and important Model-Glue 3 training for free. Yes, that is right, an entire day of Model-Glue 3 training, personally delivered for zero cost to you.

Team Model-Glue is delivering training at BFusion 09 this year and you are invited to take part. Come one, come all, the first 500 people get a free copy of Model-Glue 3. The authors will be there to individually sign each copy.

While we are joking about the million dollars (Editors Note: no, we aren't), we are serious about the free training. Sign up for BFusion today!

Model Glue:Gesture - Version 3.1 Available

Model-Glue: Gesture Version 3.1 was released today. The 3.1 release is largely a maintenance release and fixes several issues:
  • Fixed issue where event types did not respect multiple XML blocks for requestformat functionality.
  • Added try/catch blocks around the file operations so that sandboxed servers will work, preventing sandbox security exceptions. Thanks Chris Blackwell
  • Seriously fixed http://docs.model-glue.com/ticket/349 this time. (Bug with SesUrlManager.cfc due to Apache and IIS reporting cgi params differently)
  • Removed potential recursion in helper loader functionality and also removed useless cfdump when a helper is attempted to be included but doesn't have a cfc or cfm extension. Thanks Ezra Parker

As always, the very latest is in SVN and the Model-Glue Website has been updated.

Model-Glue 3 Features Video

In early September, Model-Glue 3 made its video debut on the ColdFusion Meetup. We discussed how to use the top features in Model-Glue 3 to build out an application.

It was a lot to cram into an hour, but since it is video, you can pause it to read the code at your leisure. A big thanks to Charlie Arehart for continuing the very popular CFMeetup, the only user group with 20,000 members.

Watch Model-Glue 3 for fun and profit.

Dan Wilson takes over the Model-Glue Framework

Hi everybody,

For the past five years (or so), I've been in charge of the Model-Glue framework. I've hit a standstill in my ability to progress or even maintain the code or the community: my professional work focuses more and more on RIA and J2EE technologies outside of ColdFusion and CFML (although MG + CFML is still my preference for creating HTML sites!).

After working with him and discussing the idea since MAX 2008, I've come to the decision to hand over control of the project and title of "Model-Glue's Benevolent Dictator" to Dan Wilson, a fellow North Carolinian, MG user, and all around great guy. He's been patching and helping MG3 out for about 6 months, and he's accepted a role as the leader of the framework.

Doug Hughes, president of Alagad, Inc. will be working with Dan as a temporary co-leader to help get things ramped up.

Dan's immediate goals (set by him, because he's now in charge!) include:

  • Getting MG3 ready for release at cf.Objective() 2009
  • Moving the Model-Glue site, documentation, and subversion repositories to servers at Alagad

Details of the change:

  • "Team Model-Glue" members (including myself) are now considered an advisory board. We'll help in whatever capacity we're able to, and Dan doesn't answer to us in any way. It's his show, and I have good faith in his decisions.
  • Alagad, Inc. will be providing code and documentation support to get MG3 out the door. This is a huge gift from Alagad to the MG community, and we thank them greatly for it!
  • Model-Glue's licensure will remain the same (ASL 2), but the copyright will change. To ensure that the framework remains community (and not corporate) property, any contributor will be granted credit in the copyright. This will immediately make Model-Glue "Copyright 2009, Raymond Camden, Sean Corfield, Raymond Camden, Doug Hughes, Joe Rinehart, Jared Rypka-Hauer, Chris Scott, Dan Wilson." This is a purposeful move: having this many people with ownership makes it damn near impossible to sell the IP rights to the framework. Unless, that is, some company would like to make a very generous cash offer to each of the contributors ;).

That's all. I've enjoyed working on Model-Glue, but it's obvious I'm just not the guy for it any longer. My open source time will be spent more on the Flex / Java side: I've contributed into the Swiz framework, and I'm working on a Hibernate-fueled data services framework code-named "RedShift" that should simulate the data synchronization bits that are part of LiveCycle Data Services via anything that can subscribe to a JMS bus (like a Flex app!).

On Model-Glue and CodexWiki

On the Model-Glue project, we're working through a number of issues on our upcoming Model-Glue:Gesture release. One hot topic is how to handle documentation. At some point, Codex Wiki was raised. Codex Wiki, as you know, is Wiki Software built using the ColdBox and Transfer Frameworks. The question was raised whether we would use it because it was written in ColdBox, or whether we should develop a Model-Glue version of Wiki Software.

From the start, I'm going to say we aren't ready to make any decisions on documentation implementation. The direction we go largely depends on the critical path issues to get us there and the resources we can put to the task. Our internal time line is tight so we've got to look at all the elements in the equation before finalizing documentation implementation.

That said, I want to make a few public statements to the community at large. There is no question about my commitment to the Model-Glue project, of course, but did you know I'm also a fan of ColdBox? I've got healthy respect for the very impressive ColdBox framework and even more respect for Luis Majano personally, whom I consider a friend. Luis is one of the most decent human beings out on the planet and he has put an almost super human effort into building and maintaining his framework ecosystem. He helped raise the bar for CF Frameworks.

I'm actually a big fan of Mach-II, believe it or not. I've personally contributed some minor bits and pieces here and there to Mach-II and I've been happy to do it. I've also put significant applications into production powered by Mach-II. Mach-II is a quality project run by very smart and dedicated people who have done an admirable job developing a quality framework with good features, a responsive, dedicated community and some of the sexiest Mach-II shirts in town! (I want one)

Did you know TACFUG, the User Group I run along with Jim Priest, uses Mach-II to power our most excellent User Group Website? (CHUG). Check it out: http://tacfug.org

Codex Wiki is great software and if it works out for us, we'll use it. I'm not going to burst into flame, just because it is written using the ColdBox framework. Should we need to add features, we'll build them and contribute back to the project even if it means I've got to learn ColdBox to do it.

In closing, I'm all for friendly rivalries, but we gain nothing by throwing rocks, being divisive or fragmenting effort by unnecessarily duplicating projects. The ColdFusion framework community stands to gain most by collaborating and providing a quality set of Open Source frameworks and Tools to the community and engaging the ColdFusion community to further embrace mature development standards and techniques. Consider Model-Glue a willing partner with those sharing our philosophy.

Model-Glue Welcomes Dan Wilson

This post is awfully belated: I'm happy to welcome Dan Wilson as a member to the Model-Glue project.

He's helping out with bug fixes, administering the AboutWeb-provided server that runs the new bug tracking site (and eventually docs / wiki), and writing blog entries for Model-Glue.com.

Welcome aboard, Dan!

Update on ModelGlue:3 Gesture

Version 3 of the Model-Glue framework is under development right now. Here is an update on where we stand...

Issue Tracker

Reporting bugs/enhancement requests for Model-Glue just got easier. We now have a fully licensed JIRA issue tracker. This will help us stay on top of bugs, features and such. A special thanks to the fine folks at Atlassian for making licenses available to the Model-Glue project at no charge.

Load Testing

I've been load testing a MG:3 application pretty heavily for the last couple of weeks. The framework holds up extremely well to load and shows no memory leakage or other misbehavior.

Fixed Bugs

The bug count has been reduced by 50%. Keep logging and reporting issues!

Want to try Model-Glue:3?

The framework still has an Alpha label for now and while we have a pretty active group of folks using the MG:3 alpha, others are still welcome. Download the latest framework code from http://svn.firemoss.com/modelglue/trunk/ModelGlue and tell us what you think.


© 2017 Joe Rinehart
BlogCFC was created by Raymond Camden. This blog is running version 5.9.3.006.