State of the Glue Q1 2010

This post updates the membership on what the Model-Glue team has been up to.

Staff Changes

Dan Skaggs and Dennis Clark have joined the Model-Glue development team. Both have already made contributions to the framework and will be an important part of our upcoming releases.

Trac and Bug Clean up

Ezra Parker and Dennis Clark have been working very hard to get the Trac site up to date and reconfigured for better release management. Dennis has brought some really timely and good ideas to the table which will help us stay organized.

Documentation

We've worked pretty hard adding to and filling out the Model-Glue Frequently Asked Questions. If you have a question or an answer that belongs there, let us know, either by starting the question and adding the answer if you know it (preferred), or by sending it to the mailing list (less preferred but still appreciated).

Training

We've also worked pretty hard to get out a new training series covering more advanced Model-Glue topics. You can begin the self-led training series at your convenience.

Instructor Led Training

In conjunction with CF.Objective(), the Model-Glue team is offering Rapid Development with Model-Glue 3, a full two days of hands-on Model-Glue training. Classes are on April 20 - 21 in Minneapolis, MN. We'll accept the first 20 registrations; price: $800 Early Rate, $900 Regular Rate. Register here or email the list if you have questions.

Upcoming 3.1.5 Maintenance Release

We've gotten a very good start on the 3.1.5 maintenance release. Here is a list of tickets that have been closed and are currently available in SVN:

Closed on 1/16/2010:

Closed on 1/15/2010:

Closed on 1/14/2010:

Below is a list of tickets we will probably close before the 3.1.5 release. If you want to express interest in a particular ticket, send us an email on the list.

If you know of a bug with Model-Glue 3.1 and want us to work on it, Submit a new ticket! Even if you've already reported it on the mailing list, please make sure there is a ticket in the system so we can prioritize it and schedule the fix.

New Online Model-Glue 3 Training Course

Happy Holidays from Model-Glue.

We've been hard at work building fun and exciting things for all of you. Our holiday gift to the Model-Glue community is a revamped Quickstart and a brand new online Hands On Model-Glue 3 Training course.

The training picks up after the Quickstart, so make sure you know all the material in the Quickstart before proceeding.

It is helpful to actually go through the exercises, preferably typing each line out yourself. This will build muscle memory and help you learn the Model-Glue framework quicker. You can't be a professional football player by just reading books about football, can you?

Let us know what you think about the training, we want feedback of all kinds.

Let us also know if you have an idea for a new training section, we'll see if we can get it together for you.

Should you wish to submit a new training section, we'll be happy to use it.

Should you wish for more in depth training, contact us via the contact form and we can work something out with your team.

The entire Model-Glue team wishes you much success and happiness in 2010!

"Come to the edge, he said. They said: We are afraid. Come to the edge, he said. They came. He pushed them and they flew." (Guillaume Apollinaire)

MG 3.2 Feature Sneak Peek - CF9 ORM Scaffolding

If you've been working with ColdFusion 9 for any length of time, you know how much faster and more featureful the release is.

CF9 introduces built-in ORM support, based on Hibernate, that lets you build data-centric operations in record time. Bob Silverberg and Dennis Clark have put together Model-Glue support for the new CF9 ORM. Now you can use Generic Database Messages and Scaffolding with the shiny new CF9 software!

A version of this is in version control right now. We are doing some final testing over the next few weeks before we push this out in the upcoming version 3.2. If you want to take it for a test drive, drop us a line (or a comment below) and we'll get you a sneak copy of the new release.

New Model-Glue FAQ Available

We've been busy working on a Model-Glue FAQ section; check it out. We have our first few pieces of content up there, organized by topical section.

Model-Glue is a community project and we need you to help us identify topics and provide answers. So feel free to suggest any questions you would like to see in the FAQ. If you feel comfortable, add it to the FAQ along with the answer; if not, ping the Model-Glue mailing list and we'll get right on it.

A big thanks to Ezra Parker for setting this up for us...

MG 3.2 Feature Sneak Peek - Input Sanitization

I wanted to share some information about the 3.2 release. Security is all the rage these days, what with all the cross-site scripting and SQL injection attacks. As Model-Glue is your front controller, it is the natural place to add some protection.

John Mason wrote Portcullis, a library that scans request input for XSS, SQL injection and other dangerous patterns. I've just implemented it in a branch of Model-Glue and I'm thinking through how best to make it configurable in your applications. First, let's talk about what Portcullis/MG does.

XSS

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which enable malicious attackers to inject client-side script into web pages viewed by other users. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. Cross-site scripting carried out on websites were roughly 80% of all documented security vulnerabilities as of 2007.[1] Their impact may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site, and the nature of any security mitigations implemented by site owner. ( http://en.wikipedia.org/wiki/Cross-site_scripting )

Example

Say I have code allowing someone to upload a profile description. If the user adds an image tag with JavaScript inside, that JavaScript will be executed in the browser context of any person viewing the profile. You can see an example below.

This is my profile.. <IMG SRC="javascript:alert('XSS');" />, isn't it nice.

In this case an alert pops up, but we really are executing JavaScript and could use many different attack vectors. Portcullis will scan the input and sanitize it.

Form Text: This is my profile.. <IMG SRC="javascript:alert('XSS');" />, isn't it nice.
Post Portcullis: This is my profile.. &lt;IMG SRC="[INVALID]alert&#40;&#39;XSS&#39;&#41;&#59;"&gt;, isn't it nice.

So, you can see, Portcullis detected some sketchy input, sanitized it, and now it is rendered harmless when displayed in the browser. Keep in mind that this is input filtering: it rewrites the value before it reaches your model. Encoding untrusted data on output (HTMLEditFormat() or the equivalent) when you render it is still the primary defence against XSS; treat Portcullis as defence in depth, not a replacement.
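To make the input-filtering versus output-encoding distinction concrete, here is an added example (not Model-Glue or Portcullis code; written in Python so it runs anywhere). It renders the profile text from the post through a small HTML parser that flags anything a browser would execute, and compares two defences: output encoding, and a toy keyword blacklist that is only an assumption standing in for the "[INVALID]" rewriting style shown above, not Portcullis' real rule set. The second payload is constructed to contain no javascript: scheme at all, which is exactly the kind of input a blacklist misses and output encoding still neutralizes.

```python
import html
import re
from html.parser import HTMLParser

# Constructed inputs. The first is the profile text from the post; the second
# is a payload chosen because it contains no "javascript:" scheme at all.
PROFILE_TEXT = """This is my profile.. <IMG SRC="javascript:alert('XSS');" />, isn't it nice."""
ONERROR_PAYLOAD = """Nice profile <img src=x onerror=alert(1)> really."""


class ScriptSniffer(HTMLParser):
    """Parses rendered HTML the way a browser would and records anything that
    would execute script: a <script> element, an on* event handler attribute,
    or an attribute whose value is a javascript: URL. HTMLParser decodes
    entities in attribute values before we see them, as a browser does."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[tuple[str, str]] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag == "script":
            self.findings.append((tag, "script element"))
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append((tag, name))
            elif value and value.strip().lower().startswith("javascript:"):
                self.findings.append((tag, name + "=javascript:"))


def would_run_script(rendered_html: str) -> bool:
    """True if the markup, as rendered, contains a script-execution vector."""
    sniffer = ScriptSniffer()
    sniffer.feed(rendered_html)
    sniffer.close()
    return bool(sniffer.findings)


def encode_for_html(untrusted: str) -> str:
    """Output encoding (the HTMLEditFormat() idea): every HTML-significant
    character becomes an entity, so the browser displays the text and never
    parses it as markup, whatever the payload contains."""
    return html.escape(untrusted, quote=True)


# Toy keyword blacklist. ASSUMPTION: this mimics the "[INVALID]" rewriting
# style shown in the post; it is NOT Portcullis' rule set.
_JS_SCHEME = re.compile(r"javascript\s*:", re.IGNORECASE)


def blacklist_filter(untrusted: str) -> str:
    """Input filtering: rewrite known-bad tokens before the value is stored."""
    return _JS_SCHEME.sub("[INVALID]", untrusted)


def compare(untrusted: str) -> dict[str, bool]:
    """For each defence, does the rendered page still contain a script vector?"""
    return {
        "raw": would_run_script(untrusted),
        "blacklist_filtered": would_run_script(blacklist_filter(untrusted)),
        "output_encoded": would_run_script(encode_for_html(untrusted)),
    }


if __name__ == "__main__":
    for label, text in (("post's payload", PROFILE_TEXT), ("onerror payload", ONERROR_PAYLOAD)):
        print(label, compare(text))
```

The blacklist neutralizes the post's payload but passes the onerror payload untouched; output encoding neutralizes both. That is why a front-controller filter is worth having but never replaces encoding at the point of output.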

SQL Injection

SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another. SQL injection attacks are also known as SQL insertion attacks.[1] ( http://en.wikipedia.org/wiki/Sql_injection )

Example

This is a common one, even earning its own comic (http://xkcd.com/327/). Basically, the attacker shoves some SQL into an input. Portcullis scans for and sanitizes these sorts of attacks too.

a';DROP TABLE users; SELECT * FROM data WHERE 't' = 't

In this case, the user has crafted a special string so that when the input value is used in an SQL statement, several statements are sent to the database.

SELECT * FROM users WHERE name = 'a';DROP TABLE users; SELECT * FROM DATA WHERE 't' = 't';

When Portcullis gets something like this, it sanitizes the dangerous input.

a';[Invalid] TABLE users; [Invalid] * FROM data WHERE 't' = 't

None of this will execute, because the injected statements are no longer valid SQL and the batch fails to parse. Best practice remains to wrap every dynamic value in cfqueryparam, which sends the value to the database as a bound parameter rather than as SQL text, so it can never be parsed as a statement. Keyword filtering like this is defence in depth, especially useful where cfqueryparam isn't consistently applied, but it is not a substitute for it.
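Here is an added example (not Model-Glue or Portcullis code; Python with the built-in sqlite3 module so it runs offline) that carries the post's own payload through both a concatenated query and a parameterized one, the same pattern cfqueryparam implements. It also adds a second, constructed payload: a single-statement tautology that works even on drivers that refuse multi-statement batches, to show that the danger is not limited to stacked queries. The in-memory tables are constructed for the example.

```python
import sqlite3

# Constructed payloads. The first is the one from the post; the second is a
# single-statement tautology that needs no multi-statement support to work.
MULTI_STATEMENT_PAYLOAD = "a';DROP TABLE users; SELECT * FROM data WHERE 't' = 't"
TAUTOLOGY_PAYLOAD = "x' OR 't' = 't"


def fresh_db() -> sqlite3.Connection:
    """In-memory database with the two tables the post's example references."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (name TEXT);
        INSERT INTO users VALUES ('alice'), ('bob');
        CREATE TABLE data (id INTEGER);
        INSERT INTO data VALUES (1), (2);
        """
    )
    return conn


def users_table_exists(conn: sqlite3.Connection) -> bool:
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = 'users'"
    ).fetchone()
    return row is not None


def lookup_concatenated_batch(conn: sqlite3.Connection, name: str) -> None:
    """VULNERABLE: the value is pasted into the SQL text. executescript() stands
    in for a driver that accepts several statements per call, which is what the
    post's example assumes; sqlite3's execute() would refuse the batch."""
    conn.executescript("SELECT * FROM users WHERE name = '" + name + "';")


def lookup_concatenated_single(conn: sqlite3.Connection, name: str) -> list:
    """VULNERABLE even on a one-statement-per-call driver: a quote in the
    value still lets the attacker rewrite the WHERE clause."""
    return conn.execute("SELECT * FROM users WHERE name = '" + name + "'").fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """SAFE: the value travels as a bound parameter (what cfqueryparam does),
    so the database never parses it as SQL, whatever it contains."""
    return conn.execute("SELECT * FROM users WHERE name = ?", (name,)).fetchall()


def demo() -> dict:
    """Run every payload through every query style and report what happened."""
    results = {}

    conn = fresh_db()
    lookup_concatenated_batch(conn, MULTI_STATEMENT_PAYLOAD)
    results["users_survives_concat_batch"] = users_table_exists(conn)
    conn.close()

    conn = fresh_db()
    results["rows_concat_tautology"] = len(lookup_concatenated_single(conn, TAUTOLOGY_PAYLOAD))
    results["rows_param_tautology"] = len(lookup_parameterized(conn, TAUTOLOGY_PAYLOAD))
    results["rows_param_multi"] = len(lookup_parameterized(conn, MULTI_STATEMENT_PAYLOAD))
    results["users_survives_param"] = users_table_exists(conn)
    results["rows_param_alice"] = len(lookup_parameterized(conn, "alice"))
    conn.close()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With concatenation the post's payload drops the users table and the tautology returns every row; with a bound parameter both payloads are simply names that match nothing, and the table survives. No input rewriting is needed for that outcome, which is the point of cfqueryparam.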

Summary

So there is a lot of value in using something like Portcullis to consistently protect and sanitize your inputs. What I've done is incorporate the project into Model-Glue and make it easy to use. If you want to protect everything, you should be able to flip a switch in your ColdSpring.xml file. This will be good for some sites and help out in a big way. However, we want to make sure we are adding maximum value and giving you, the Model-Glue users, the ability to use this in a flexible and useful manner.

I'd like to see discussion on how this feature might be used, how folks would want to use it and any gotchas or pitfalls that you can see. Please use the comments, or the MG Mailing List for your questions and concerns.

Model-Glue Training In Your Town

We've been knocking around the idea of a roving Model-Glue training course. We've already done this in Claremont, CA for members of the Inland Empire ColdFusion User Group, and folks got a lot out of it. That particular course was done over a single day, to prove out the material and be useful to the IECFUG.

For the next phase, the vision would be to travel to an area and run a practical, intense training in OO and Model-Glue 3 over a weekend.

We want to put this out there and see which parts of the country are interested in being first to have this training. So if you think 4 - 8 people would be interested in hanging out for a weekend and learning some good OO and Model-Glue stuff, leave a comment on this post.

We'll take a week or so to get a plan together and then follow back up with more details.

Free Model-Glue 3 Training

How much would you pay for Model-Glue training? What about Up To Date, State of the Art, Awesome Model-Glue training?

a) $3,000?

b) $5,000?

c) $10,000?

d) $1,000,000

(If you checked 'd', please call Dan Wilson. Immediately!)

For a limited time and with limited availability, you can have a whole day worth of timely and important Model-Glue 3 training for free. Yes, that is right, an entire day of Model-Glue 3 training, personally delivered for zero cost to you.

Team Model-Glue is delivering training at BFusion 09 this year and you are invited to take part. Come one, come all, the first 500 people get a free copy of Model-Glue 3. The authors will be there to individually sign each copy.

While we are joking about the million dollars (Editors Note: no, we aren't), we are serious about the free training. Sign up for BFusion today!

Ask Model-Glue: Beans Scope

John C. Bland just wrote in with a question on the Model-Glue mailing list asking about event types. His code sample gave us an opportunity to share a new Model-Glue 3 feature. This information could be useful to others, so let's eavesdrop on the conversation...

Hi John, that looks pretty good. You are definitely on the right track with your event type work. Your question is actually a very timely one and gives us an opportunity to share a new feature of Model-Glue 3. Since you are interested in shortcuts and in using MG3 most effectively, let's talk about the newly added Beans scope.

In your code sample you defined a configuration bean in ColdSpring (always a good thing) and retrieved it from ColdSpring with the syntax getModelGlue().getBean("urlConfig").

Nothing is wrong with that syntax, and your code will work fine. However, there is an even easier way to get beans from ColdSpring. MG3 introduces the Beans scope, which is not only easier but also leaves good documentation of your application behind.

Consider this code:

<cffunction name="SetPageConfigs" access="public" returntype="void" output="false">
    <cfset arguments.event.setValue("urlConfig", getModelGlue().getBean("urlConfig")) />
</cffunction>

The urlConfig object is retrieved from ColdSpring through the getModelGlue().getBean() call. What is nice about this is that it makes accessing ColdSpring-managed objects very easy. However, it makes it hard to find all the ColdSpring-managed beans used in a specific controller. Scanning source code with Find tools is not reliable, because another developer may have chosen a name that isn't obvious or has been abstracted for some reason. Model-Glue 3 introduces the notion of a 'beans' scope: a controller-wide scope containing all the ColdSpring-managed beans for a specific controller. Here is a short sample:

<cfcomponent extends="ModelGlue.gesture.controller.Controller" output="false"
             beans="urlConfig,UserService">

    <cffunction name="doSetUp" output="false" access="public" returntype="void" hint="I perform global setup stuff for each request">
        <cfargument name="event" type="any">
        <cfset arguments.event.setValue("urlConfig", beans.urlConfig ) />
    </cffunction>

    <!--- ... --->

</cfcomponent>

See the beans attribute of the cfcomponent tag? It is a comma-separated list of all the ColdSpring-managed beans this controller needs. Inside the doSetUp() method, we use the prefix 'beans' to get at the specific object:

beans.xxxxx

One nice effect of this technique is less typing.

More importantly, we now have a bit of auto-documentation of exactly which ColdSpring-managed beans this controller uses, and it sits at the very top of the file. Now, when you maintain your code or code from other developers, you can simply read the beans attribute of the controller to find out which beans are in use, rather than reading lots of code for that information. Nice, huh?

Model-Glue is all about building applications quicker and reducing maintenance costs and I'm sure you'll agree the Beans scope makes sense on both fronts.

Keep sniffing the 'Glue

Model Glue:Gesture - Version 3.1 Available

Model-Glue: Gesture Version 3.1 was released today. The 3.1 release is largely a maintenance release and fixes several issues:
  • Fixed issue where event types did not respect multiple XML blocks for requestformat functionality.
  • Added in try - catches around the file operations so that sandboxed servers will work, preventing sandbox security exceptions. Thanks Chris Blackwell
  • Seriously fixed http://docs.model-glue.com/ticket/349 this time. (Bug with SesUrlManager.cfc due to Apache and IIS reporting cgi params differently)
  • Removed potential recursion in helper loader functionality and also removed useless cfdump when a helper is attempted to be included but doesn't have a cfc or cfm extension. Thanks Ezra Parker

As always, the very latest is in SVN and the Model-Glue Website has been updated.

Model-Glue 3 Features Video

In early September, Model-Glue 3 made its video debut on the ColdFusion Meetup. We discussed how to use the top features in Model-Glue 3 to build out an application.

It was a lot to cram into an hour, but since it is video, you can pause it to read the code at your leisure. A big thanks to Charlie Arehart for continuing the very popular CFMeetup, the only user group with 20,000 members.

Watch Model-Glue 3 for fun and profit.


© 2017 Joe Rinehart
BlogCFC was created by Raymond Camden. This blog is running version 5.9.3.006.