My First ColdFusion Builder Extension - Encrypting And Decrypting CFM / CFC Files
After watching Simon Free present on ColdFusion Builder Extensions at RIAUnleashed up in Boston, I felt inspired and wanted to come home and start playing around with my own little extensions (get your mind out of the gutter!). As a "hello world" type introduction to the ColdFusion Builder extension arena, I thought I would try and keep it as simple as possible, not dealing with any wizards or response modals; my first extensions - ColdFusion file encryption / decryption - simply sends off an action request to the extension handlers without waiting for any response or supplying one to the user.
The ColdFusion Builder extension installation process, menu configuration, and action handling is all defined within the ide_config.xml file that must be in the root of your extension archive (ZIP archive of your CFM files). Since my extension deals with the encryption and decryption of ColdFusion files, this configuration file only wires the extension up to the Project View and specifically to CFM and CFC files.
ide_config.xml
<application>
<!--
ColdFusion Builder extension overview. This is the
information that will be presented to the user during
the extension installation process.
-->
<name>ColdFusion File Encryption</name>
<author>Ben Nadel</author>
<version>0.1</version>
<email>ben@xxxxxxxxx.com</email>
<description>
<![CDATA[
<p>
This extensions encrypts and decrypts ColdFusion
CFM and CFC files using command line utilities
(executables). For encryption, it uses the native
CFEncode.exe and for decryption, it uses the 3rd
party CFDecrypt.exe.
</p>
<p>
The original ColdFusion files remain intact. The
encrypted and decrypted files are created as new
files with ".encrypted" and ".decrypted" preceding
the file extension (respectively).
</p>
]]>
</description>
<license>
<![CDATA[
<p>
Just don't sue me.
</p>
<p>
<strong>NOTE:</strong> Using the CFDecrypt.exe
utility <em>might</em> be a violation of the Adobe
ColdFusion license agreement / terms of use; use
at your own discretion.
</p>
]]>
</license>
<!--
The MenuContributions determine where the extension
is active within ColdFusion Builder (as defined by the
Contribution tags).
-->
<menucontributions>
<!-- The "ProjectView" is the project navigator. -->
<contribution target="projectview">
<menu name="ColdFusion File Encryption">
<!--
This will only be avilable on CFM and CFC
files (within the project tree) as defined
by the following regular epxression for file
extensions.
NOTE: Use the (?i) case flag to keep the
regular expression case-insensitive (since it
is, by default case-sensitive).
NOTE: The pattern must match the ENTIRE file
name, not just match within it.
-->
<filters>
<filter
type="file"
pattern="(?i).+\.cf(m|c)"
/>
</filters>
<!--
These are the options that will show up under
the "ColdFusion File Encryption" header within
the context menu. Each calls a Handler (by ID),
defined later in this configuration file.
-->
<action
name="Encrypt"
handlerid="encrypt"
showresponse="false"
/>
<action
name="Decrypt"
handlerid="decrypt"
showresponse="false"
/>
</menu>
</contribution>
</menucontributions>
<!--
The Handler define the ColdFusion files that will
receive the data posted by ColdFusion Builder when the
user selects one of the above actions.
NOTE: These files are located in the "handlers" folder
of the extension installation.
-->
<handlers>
<handler id="encrypt" type="cfm" filename="encrypt.cfm" />
<handler id="decrypt" type="cfm" filename="decrypt.cfm" />
</handlers>
</application>
When you set up the filters for your extension, there are two important caveats to know about: one, the regular expressions used in the filtering must match the entire file name, not just part of it (ie. not just the extension); and two, the regular expressions are case-sensitive by default - to make them case-INsensitive, you have to add the (?i) flag as the very first part of the pattern.
Each action (context menu item) in your extension is mapped to a handler, which is really just a ColdFusion file that ColdFusion Builder calls on your server. I created two handlers (ColdFusion files) - one for encryption and one for decryption.
NOTE: I have included an XML response in both of my handler files, but I have not been able to get them to work - they are supposed to refresh the project view after the new files have been created; I am including them in the following code samples in the hopes that someone will see something blatantly wrong and tell me how to fix it!
encrypt.cfm
<!---
Param the FORM value that will contain the data posted from
the ColdFusion Builder extension. This will be in the form of
the following XML file:
<event>
<ide>
<projectview
projectname="EncryptDecrypt"
projectlocation="C:/..." >
<resource
path="C:/.../file.cfm"
type="file" />
</projectview>
</ide>
<user></user>
</event>
--->
<cfparam
name="form.ideEventInfo"
type="string"
default=""
/>
<!---
Wrap the entire process around Try / Catch because it relies
on a bunch of things that might cause error.
NOTE: This is my first web service. In future iterations, we
will do a better job of reporting back any errors.
--->
<cftry>
<!--- Get the current directory. --->
<cfset thisDirectory = getDirectoryFromPath(
getCurrentTemplatePath()
) />
<!--- Get the bin directory. --->
<cfset binDirectory = (thisDirectory & "..\bin\") />
<!--- Get the log directory (for errors). --->
<cfset logDirectory = (thisDirectory & "..\log\") />
<!---
Now that we have all of our directories in place,
let's convert the request data into XML so we can access
its nodes.
--->
<cfset requestXml = xmlParse( trim( form.ideEventInfo ) ) />
<!---
Now that we have all of our directories in place, let's
grab the resource node's PATH attribute from the XML post
into the document we got from ColdFusion builder.
--->
<cfset resourceNodes = xmlSearch(
requestXml,
"//resource[ position() = 1 ]/@path"
) />
<!---
From the resource PATH attribute node, we can grab the
file path to the unecrypted ColdFusion file.
NOTE: While ColdFusion usually doesn't care about the file
path seperator, since we are dipping down into the command
line, we need to make sure we are using the WINDOWS file
path seperator.
--->
<cfset decryptedFile = reReplace(
resourceNodes[ 1 ].xmlValue,
"[\\/]",
"\",
"all"
) />
<!---
Based on the decrypted file name, let's create an encrypted
file name by adding ".encypted." before the file extension.
--->
<cfset encryptedFile = reReplaceNoCase(
decryptedFile,
"(.+?)(?:\.decrypted)?\.(cf(m|c))$",
"\1.encrypted.\2",
"one"
) />
<!---
Now that we have the path to the unecrypted file and to
the target encrypted file, we can run the source through
the cfencode.exe command line utility.
--->
<cfexecute
name="""#binDirectory#cfencode.exe"""
arguments="""#decryptedFile#"" ""#encryptedFile#"" /v ""2"""
timeout="5">
</cfexecute>
<!---
Now that we have encrypted the file, we need to tell
ColdFusion Builder to refresh it's project tree (since
we have created a new file). To do that, we need to grab
the project node.
--->
<cfset projectNode = xmlSearch(
requestXml,
"//projectview[ position() = 1 ]/@projectname"
) />
<!--- Store the response xml. --->
<cfsavecontent variable="responseXml">
<cfoutput>
<response>
<ide>
<commands>
<command name="refreshproject">
<params>
<param
key="projectname"
value="#projectNode[ 1 ].xmlValue#"
/>
</params>
</command>
</commands>
</ide>
</response>
</cfoutput>
</cfsavecontent>
<!---
Now, convert the response XML to binary and stream it
back to builder.
--->
<cfset responseBinary = toBinary(
toBase64(
trim( responseXml )
)
) />
<!---
Set response content data. This will reset the output
buffer, write the data, and then close the response.
--->
<cfcontent
type="text/xml"
variable="#responseBinary#"
/>
<!--- ------------------------------------------------- --->
<!--- ------------------------------------------------- --->
<!---
We should NOT have made it this far. Either the request
prcessed well and the processing is OVER; or, there was
an error and the processing skipped directly to the
CFCatch block of our try / catch area.
--->
<!--- Catch any errors. --->
<cfcatch>
<!--- Log the error to disk. --->
<cfdump
var="#[ form, variables, cfcatch ]#"
format="html"
output="#logDirectory##createUUID()#.htm"
/>
</cfcatch>
</cftry>
As you can see, this file is not doing much more than parsing the posted XML request and routing the resource file (the file the user selected when applying the extension) through the CFEncode.exe command line utility. The decryption functionality is almost identical, except that it uses the CFDecrypt.exe command line utility:
decrypt.cfm
<!---
Param the FORM value that will contain the data posted from
the ColdFusion Builder extension. This will be in the form of
the following XML file:
<event>
<ide>
<projectview
projectname="EncryptDecrypt"
projectlocation="C:/..." >
<resource
path="C:/.../file.cfm"
type="file" />
</projectview>
</ide>
<user></user>
</event>
--->
<cfparam
name="form.ideEventInfo"
type="string"
default=""
/>
<!---
Wrap the entire process around Try / Catch because it relies
on a bunch of things that might cause error.
NOTE: This is my first web service. In future iterations, we
will do a better job of reporting back any errors.
--->
<cftry>
<!--- Get the current directory. --->
<cfset thisDirectory = getDirectoryFromPath(
getCurrentTemplatePath()
) />
<!--- Get the bin directory. --->
<cfset binDirectory = (thisDirectory & "..\bin\") />
<!--- Get the log directory (for errors). --->
<cfset logDirectory = (thisDirectory & "..\log\") />
<!---
Now that we have all of our directories in place,
let's convert the request data into XML so we can access
its nodes.
--->
<cfset requestXml = xmlParse( trim( form.ideEventInfo ) ) />
<!---
Now that we have all of our directories in place, let's
grab the resource node's PATH attribute from the XML post
into the document we got from ColdFusion builder.
--->
<cfset resourceNodes = xmlSearch(
requestXml,
"//resource[ position() = 1 ]/@path"
) />
<!---
From the resource PATH attribute node, we can grab the
file path to the ecrypted ColdFusion file.
NOTE: While ColdFusion usually doesn't care about the file
path seperator, since we are dipping down into the command
line, we need to make sure we are using the WINDOWS file
path seperator.
--->
<cfset encryptedFile = reReplace(
resourceNodes[ 1 ].xmlValue,
"[\\/]",
"\",
"all"
) />
<!---
Based on the encrypted file name, let's create an decrypted
file name by adding ".decypted." before the file extension.
--->
<cfset decryptedFile = reReplaceNoCase(
encryptedFile,
"(.+?)(?:\.encrypted)?\.(cf(m|c))$",
"\1.decrypted.\2",
"one"
) />
<!---
Now that we have the path to the encrypted file and to
the target denrypted file, we can run the source through
the cfdecrypt.exe command line utility.
--->
<cfexecute
name="""#binDirectory#cfdecrypt.exe"""
arguments="""#encryptedFile#"" ""#decryptedFile#"""
timeout="5">
</cfexecute>
<!---
Now that we have decrypted the file, we need to tell
ColdFusion Builder to refresh it's project tree (since
we have created a new file). To do that, we need to grab
the project node.
--->
<cfset projectNode = xmlSearch(
requestXml,
"//projectview[ position() = 1 ]/@projectname"
) />
<!--- Store the response xml. --->
<cfsavecontent variable="responseXml">
<cfoutput>
<response>
<ide>
<commands>
<command name="refreshproject">
<params>
<param
key="projectname"
value="#projectNode[ 1 ].xmlValue#"
/>
</params>
</command>
</commands>
</ide>
</response>
</cfoutput>
</cfsavecontent>
<!---
Now, convert the response XML to binary and stream it
back to builder.
--->
<cfset responseBinary = toBinary(
toBase64(
trim( responseXml )
)
) />
<!---
Set response content data. This will reset the output
buffer, write the data, and then close the response.
--->
<cfcontent
type="text/xml"
variable="#responseBinary#"
/>
<!--- ------------------------------------------------- --->
<!--- ------------------------------------------------- --->
<!---
We should NOT have made it this far. Either the request
prcessed well and the processing is OVER; or, there was
an error and the processing skipped directly to the
CFCatch block of our try / catch area.
--->
<!--- Catch any errors. --->
<cfcatch>
<!--- Log the error to disk. --->
<cfdump
var="#[ form, variables, cfcatch ]#"
format="html"
output="#logDirectory##createUUID()#.htm"
/>
</cfcatch>
</cftry>
And that's all there is to it. Like I said above, I could not get the response XML to work and refresh the ColdFusion Builder project. When I log the response, here is what I get - hopefully someone will see what is going wrong here and help me out:
<response>
<ide>
<commands>
<command name="refreshproject">
<params>
<param key="projectname" value="EncryptDecrypt" />
</params>
</command>
</commands>
</ide>
</response>
I took this right out of the documentation and the ColdFusion Builder error log viewer doesn't tell me anything; in fact, the error log viewer in Builder seemed completely useless - it never held any errors related to my extensions. Anyway, if anyone sees something wrong with my response, please let me know.
So that's my "hello world" ColdFusion Builder extension. It took me a few hours to figure out a bunch of the little quirks, but once I got past that, this extensible functionality seems easy to create and potentially very powerful. One of the nicest things about it is that after the extension is installed, I can work directly on the installed ColdFusion files to update the extension functionality in real-time.
Want to use code from this post? Check out the license.
Reader Comments
Regarding XML callbacks. I don't think you need to convert them to binary. I use cfheader instead of cfcontent to push it as XML. Check the source of my translator extension to see it in code.
http://translator.riaforge.org/
@Terrence,
The conversion to binary is only so I can use the "Variable" attribute off of the CFContent tag (which will ensure that *only* the XML is returned and finalizes the response).
I'll take a look your translator, thanks!
@Ben,
I haven't tried working with this at all but here is something that came to mind.
Did you try using your variable you first create "thisDirectory" when you try to refresh the project?
such as
<param
key="projectname"
value="#thisDirectory#"
/>
After reading this I suspect many people didn't know the ability to encrypt and decrypt files exist. I wrote up a quick blog post about pros and cons of doing such. http://www.usefulconcept.com/index.cfm/2009/11/19/Encrypting-CFM-Files-with-CFencode
@Daniel,
The "thisDirectory" variable points to the current location of the extension code, not of the project. We have to get the project information from the posted XML file.
@Ben,
Ya I guess I should have looked over a little more detail, some reason I thought that was coming from the file being encrypted/decrypted.
@Daniel,
No worries - it was a good thought.
@Ben,
Have you tried refreshing the folder instead of the project?
@Daniel,
Hmmm, not sure if I tried that. I wonder how that works, since I believe in CF Builder, I might not be able to get the name of the folder form the path (as it might be a shared resource or the root of the project). I'll give it a try.
Is this the same thing or different than cfcompile? I never get an Allaire header when I use that, it's usually a max of 3 miscellaneous looking characters.
If it is the same, is there any real way to successfully physically protect your CFML source code when distributing it?
@Ben,
Because I am pedantic, I just want to make sure that everyone knows there is absolutely no encryption going on. There is only encoding and obfuscation. The cfencode tool only obfuscates your CF code, as stated on {http://livedocs.adobe.com/coldfusion/6/Developing_ColdFusion_MX_Applications_with_CFML/appSecurity2.htm}.
Obfuscation merely prevents the casual person from reading your source code immediately. If someone hacked into your laptop, your version control master, or your web server to look at your source, you can bet your behind that he is perfectly able to read your obfuscated code.
But obfuscation typically has no security implications and cannot prevent anyone from understanding the file once he has access to it. Only encryption is capable of doing that, so long as a modern cryptosystem is chosen and the private keys remain safe.
The key difference is: with obfuscation, anyone with a little time and talent can easily understand and alter your source code. But modern a modern encryption algorithm, so long as it does not have gaping flaws, cannot be broken. "AES permits the use of 256-bit keys. Breaking a symmetric 256-bit key by brute force requires 2^128 times more computational power than a 128-bit key. A device that could check a billion billion (10^18) AES keys per second would require about 3×10^51 years to exhaust the 256-bit key space." {http://en.wikipedia.org/wiki/Brute_force_attack} All of the computing power in this world put together is not sufficient to check a billion billion keys per second. In other words, no matter how much time or energy or money you have, it is physically impossible to break something encrypted with AES-256 unless you already know the encryption key.
Cheers,
Justice
@Justice,
Good clarification; I was not exactly sure what the CFEncode.exe was doing. But, if the code is obfuscated, I wonder how ColdFusion knows to de-obfuscate it before compiling? Perhaps there are markers in the code that it checks for every time that it goes to compile?
@Ben,
I'm not sure exactly how cfencode works either. I can state for sure that, according to Adobe's docs, cfencode doesn't encrypt but only obfuscates.
The nice thing about obfuscated code is that, in most scenarios, it does not need to be "de-obfuscated." The obfuscated code can typically be run as-is, at least in the Java and .NET obfuscators I have seen, because the obfuscated code contains within it the code necessary to deobfuscate the rest of itself.
Note that 'jquery.min.js' is the obfuscated version of 'jquery.js' (minification is a form of obfuscation). Also, the 'jquery.packed.js' is also an obfuscated version of 'jquery.js'. Obviously, the files work exactly the same. But in the minified version, internal variables are renamed to something very short, because they are not part of the public API so the renames don't matter. In the packed version, there is a whole lot more going on in terms of obfuscation. In fact, in the packed version, the file contains the JavaScript code needed to unpack the rest of itself, so the browser doesn't have to do anything special - it just runs what it thinks is everyday run-of-the-mill JavaScript code.
Cheers,
Justice
@Justice,
The concept of something being able to unpack itself is pretty wild! I knew that was going on at some level, but never really thought about it conceptually. Pretty cool stuff!
Ha Ha -- You crack me up Ben.
Dangy! -- ha.
Great Post.
being as you posted this in 2009, I presume the cfdecrypt works fine with CF8?
I just downloaded it from the adobe exchange and it wont decrypt anything, I just get 0 byte files.
@Russ,
Yeah, it worked with CF8. I am not sure what a zero byte file would be an indicator of. Perhaps the file you are trying to decrypt was not encrypted with the same algorithm. CF9 ships with files that were encrypted with a totally different method (if you're trying to look at some of the Service object or something).
@Ben Nadel,
I'm trying to decrypt some cfreport files, these are several years old so are probably cf6/7
I actually can't get any cfm files at all to decrypt, they all come out as zero byte.
@Russ,
Hmm, I've never actually had to deal with the Report builder aspects of ColdFusion. From what I hear it is kind of a beast. If these are files generated by report builder, I would *assume* that the encryption they are using is different that the "obfuscation" used in CFDecrypt.
Ray Camden solved this one for me (thanks Ray!). The correct attribute for the XML callback is actually:
<command type="refreshproject">
instead of name="...". So, the full snippet based on your code that works for me is here: http://pastebin.com/Jc3eBFyN
Thanks for informative post!
@Matt,
Good stuff. I had seen the RefreshProject command used once or twice but had never actually gotten it to execute in my experience. Now that I have recently switched over to Mac, which has forced me to switch over to ColdFusion Builder, I'll definitely be getting back into this stuff.