My First ColdFusion Builder Extension - Encrypting And Decrypting CFM / CFC Files

Posted November 19, 2009 at 9:13 AM

Tags: ColdFusion

After watching Simon Free present on ColdFusion Builder Extensions at RIAUnleashed up in Boston, I felt inspired and wanted to come home and start playing around with my own little extensions (get your mind out of the gutter!). As a "hello world" type introduction to the ColdFusion Builder extension arena, I thought I would try and keep it as simple as possible, not dealing with any wizards or response modals; my first extensions - ColdFusion file encryption / decryption - simply sends off an action request to the extension handlers without waiting for any response or supplying one to the user.

The ColdFusion Builder extension installation process, menu configuration, and action handling is all defined within the ide_config.xml file that must be in the root of your extension archive (ZIP archive of your CFM files). Since my extension deals with the encryption and decryption of ColdFusion files, this configuration file only wires the extension up to the Project View and specifically to CFM and CFC files.

ide_config.xml

 Launch code in new window » Download code as text file »

When you set up the filters for your extension, there are two important caveats to know about: one, the regular expressions used in the filtering must match the entire file name, not just part of it (ie. not just the extension); and two, the regular expressions are case-sensitive by default - to make them case-INsensitive, you have to add the (?i) flag as the very first part of the pattern.

Each action (context menu item) in your extension is mapped to a handler, which is really just a ColdFusion file that ColdFusion Builder calls on your server. I created two handlers (ColdFusion files) - one for encryption and one for decryption.

NOTE: I have included an XML response in both of my handler files, but I have not been able to get them to work - they are supposed to refresh the project view after the new files have been created; I am including them in the following code samples in the hopes that someone will see something blatantly wrong and tell me how to fix it!

encrypt.cfm

 Launch code in new window » Download code as text file »

As you can see, this file is not doing much more than parsing the posted XML request and routing the resource file (the file the user selected when applying the extension) through the CFEncode.exe command line utility. The decryption functionality is almost identical, except that it uses the CFDecrypt.exe command line utility:

decrypt.cfm

 Launch code in new window » Download code as text file »

And that's all there is to it. Like I said above, I could not get the response XML to work and refresh the ColdFusion Builder project. When I log the response, here is what I get - hopefully someone will see what is going wrong here and help me out:

 Launch code in new window » Download code as text file »

I took this right out of the documentation and the ColdFusion Builder error log viewer doesn't tell me anything; in fact, the error log viewer in Builder seemed completely useless - it never held any errors related to my extensions. Anyway, if anyone sees something wrong with my response, please let me know.

So that's my "hello world" ColdFusion Builder extension. It took me a few hours to figure out a bunch of the little quirks, but once I got past that, this extensible functionality seems easy to create and potentially very powerful. One of the nicest things about it is that after the extension is installed, I can work directly on the installed ColdFusion files to update the extension functionality in real-time.

Download Code Snippet ZIP File

Post Comment  |  Ask Ben  |  Other Searches  |  Print Page

• Add To Del.icio.us
• Add To Digg
• Add to Spurl.net
• Add to Wists
• Add to Simpy
• Add to Newsvine
• Add to BlinkList
• Add to Furl
• Add to reddit
• Add to FARK
• Add to BlogMarks
• Add to Yahoo! My Web
• Add to smarking
• Add to Ma.gnolia
• Add to Segnalo

Reader Comments

Regarding XML callbacks. I don't think you need to convert them to binary. I use cfheader instead of cfcontent to push it as XML. Check the source of my translator extension to see it in code.
http://translator.riaforge.org/

@Terrence,

The conversion to binary is only so I can use the "Variable" attribute off of the CFContent tag (which will ensure that *only* the XML is returned and finalizes the response).

I'll take a look your translator, thanks!

@Ben,

I haven't tried working with this at all but here is something that came to mind.

Did you try using your variable you first create "thisDirectory" when you try to refresh the project?

such as

<param
key="projectname"
value="#thisDirectory#"
/>

After reading this I suspect many people didn't know the ability to encrypt and decrypt files exist. I wrote up a quick blog post about pros and cons of doing such. http://www.usefulconcept.com/index.cfm/2009/11/19/Encrypting-CFM-Files-with-CFencode

@Daniel,

The "thisDirectory" variable points to the current location of the extension code, not of the project. We have to get the project information from the posted XML file.

@Ben,

Ya I guess I should have looked over a little more detail, some reason I thought that was coming from the file being encrypted/decrypted.

@Daniel,

No worries - it was a good thought.

@Ben,

Have you tried refreshing the folder instead of the project?

@Daniel,

Hmmm, not sure if I tried that. I wonder how that works, since I believe in CF Builder, I might not be able to get the name of the folder form the path (as it might be a shared resource or the root of the project). I'll give it a try.

Is this the same thing or different than cfcompile? I never get an Allaire header when I use that, it's usually a max of 3 miscellaneous looking characters.

If it is the same, is there any real way to successfully physically protect your CFML source code when distributing it?

@Ben,

Because I am pedantic, I just want to make sure that everyone knows there is absolutely no encryption going on. There is only encoding and obfuscation. The cfencode tool only obfuscates your CF code, as stated on {http://livedocs.adobe.com/coldfusion/6/Developing_ColdFusion_MX_Applications_with_CFML/appSecurity2.htm}.

Obfuscation merely prevents the casual person from reading your source code immediately. If someone hacked into your laptop, your version control master, or your web server to look at your source, you can bet your behind that he is perfectly able to read your obfuscated code.

But obfuscation typically has no security implications and cannot prevent anyone from understanding the file once he has access to it. Only encryption is capable of doing that, so long as a modern cryptosystem is chosen and the private keys remain safe.

The key difference is: with obfuscation, anyone with a little time and talent can easily understand and alter your source code. But modern a modern encryption algorithm, so long as it does not have gaping flaws, cannot be broken. "AES permits the use of 256-bit keys. Breaking a symmetric 256-bit key by brute force requires 2^128 times more computational power than a 128-bit key. A device that could check a billion billion (10^18) AES keys per second would require about 3×10^51 years to exhaust the 256-bit key space." {http://en.wikipedia.org/wiki/Brute_force_attack} All of the computing power in this world put together is not sufficient to check a billion billion keys per second. In other words, no matter how much time or energy or money you have, it is physically impossible to break something encrypted with AES-256 unless you already know the encryption key.

Cheers,
Justice

@Justice,

Good clarification; I was not exactly sure what the CFEncode.exe was doing. But, if the code is obfuscated, I wonder how ColdFusion knows to de-obfuscate it before compiling? Perhaps there are markers in the code that it checks for every time that it goes to compile?

@Ben,

I'm not sure exactly how cfencode works either. I can state for sure that, according to Adobe's docs, cfencode doesn't encrypt but only obfuscates.

The nice thing about obfuscated code is that, in most scenarios, it does not need to be "de-obfuscated." The obfuscated code can typically be run as-is, at least in the Java and .NET obfuscators I have seen, because the obfuscated code contains within it the code necessary to deobfuscate the rest of itself.

Note that 'jquery.min.js' is the obfuscated version of 'jquery.js' (minification is a form of obfuscation). Also, the 'jquery.packed.js' is also an obfuscated version of 'jquery.js'. Obviously, the files work exactly the same. But in the minified version, internal variables are renamed to something very short, because they are not part of the public API so the renames don't matter. In the packed version, there is a whole lot more going on in terms of obfuscation. In fact, in the packed version, the file contains the JavaScript code needed to unpack the rest of itself, so the browser doesn't have to do anything special - it just runs what it thinks is everyday run-of-the-mill JavaScript code.

Cheers,
Justice

@Justice,

The concept of something being able to unpack itself is pretty wild! I knew that was going on at some level, but never really thought about it conceptually. Pretty cool stuff!

Ha Ha -- You crack me up Ben.

Dangy! -- ha.

Great Post.

Post Comment  |  Ask Ben

Post A Comment

Comment Etiquette: Please do not post spam. Please keep the comments on-topic. Please do not post unrelated questions or large chunks of code. And, above all, please be nice to each other - we're trying to have a good conversation here.

Please review the following issues:

Author Name:
Author Email:
Author Website:
Comment:	Formatting: <strong>bold</strong> <em>italic<em>
	Remember my information
	Subscribe to entry *
	Send me a copy of this comment (as part of the comment thread)

 

* If you subscribe, any new posts to this thread will be sent to your email address.