Ben Nadel
On User Experience (UX) Design, JavaScript, ColdFusion, Node.js, Life, and Love.
I am the chief technical officer at InVision App, Inc - a prototyping and collaboration platform for designers, built by designers. I also rock out in JavaScript and ColdFusion 24x7.
Meanwhile on Twitter
Loading latest tweet...
Ben Nadel at CFUNITED 2010 (Landsdown, VA) with: Josh Highland

My First ColdFusion Builder Extension - Encrypting And Decrypting CFM / CFC Files

By Ben Nadel on
Tags: ColdFusion

After watching Simon Free present on ColdFusion Builder Extensions at RIAUnleashed up in Boston, I felt inspired and wanted to come home and start playing around with my own little extensions (get your mind out of the gutter!). As a "hello world" type introduction to the ColdFusion Builder extension arena, I thought I would try and keep it as simple as possible, not dealing with any wizards or response modals; my first extensions - ColdFusion file encryption / decryption - simply sends off an action request to the extension handlers without waiting for any response or supplying one to the user.

 
 
 
 
 
 
 
 
 
 

The ColdFusion Builder extension installation process, menu configuration, and action handling is all defined within the ide_config.xml file that must be in the root of your extension archive (ZIP archive of your CFM files). Since my extension deals with the encryption and decryption of ColdFusion files, this configuration file only wires the extension up to the Project View and specifically to CFM and CFC files.

ide_config.xml

  • <application>
  •  
  • <!--
  • ColdFusion Builder extension overview. This is the
  • information that will be presented to the user during
  • the extension installation process.
  • -->
  • <name>ColdFusion File Encryption</name>
  • <author>Ben Nadel</author>
  • <version>0.1</version>
  • <email>ben@xxxxxxxxx.com</email>
  • <description>
  • <![CDATA[
  • <p>
  • This extensions encrypts and decrypts ColdFusion
  • CFM and CFC files using command line utilities
  • (executables). For encryption, it uses the native
  • CFEncode.exe and for decryption, it uses the 3rd
  • party CFDecrypt.exe.
  • </p>
  •  
  • <p>
  • The original ColdFusion files remain intact. The
  • encrypted and decrypted files are created as new
  • files with ".encrypted" and ".decrypted" preceding
  • the file extension (respectively).
  • </p>
  • ]]>
  • </description>
  • <license>
  • <![CDATA[
  • <p>
  • Just don't sue me.
  • </p>
  •  
  • <p>
  • <strong>NOTE:</strong> Using the CFDecrypt.exe
  • utility <em>might</em> be a violation of the Adobe
  • ColdFusion license agreement / terms of use; use
  • at your own discretion.
  • </p>
  • ]]>
  • </license>
  •  
  • <!--
  • The MenuContributions determine where the extension
  • is active within ColdFusion Builder (as defined by the
  • Contribution tags).
  • -->
  • <menucontributions>
  •  
  • <!-- The "ProjectView" is the project navigator. -->
  • <contribution target="projectview">
  •  
  • <menu name="ColdFusion File Encryption">
  •  
  • <!--
  • This will only be avilable on CFM and CFC
  • files (within the project tree) as defined
  • by the following regular epxression for file
  • extensions.
  •  
  • NOTE: Use the (?i) case flag to keep the
  • regular expression case-insensitive (since it
  • is, by default case-sensitive).
  •  
  • NOTE: The pattern must match the ENTIRE file
  • name, not just match within it.
  • -->
  • <filters>
  • <filter
  • type="file"
  • pattern="(?i).+\.cf(m|c)"
  • />
  • </filters>
  •  
  • <!--
  • These are the options that will show up under
  • the "ColdFusion File Encryption" header within
  • the context menu. Each calls a Handler (by ID),
  • defined later in this configuration file.
  • -->
  • <action
  • name="Encrypt"
  • handlerid="encrypt"
  • showresponse="false"
  • />
  •  
  • <action
  • name="Decrypt"
  • handlerid="decrypt"
  • showresponse="false"
  • />
  •  
  • </menu>
  •  
  • </contribution>
  •  
  • </menucontributions>
  •  
  • <!--
  • The Handler define the ColdFusion files that will
  • receive the data posted by ColdFusion Builder when the
  • user selects one of the above actions.
  •  
  • NOTE: These files are located in the "handlers" folder
  • of the extension installation.
  • -->
  • <handlers>
  • <handler id="encrypt" type="cfm" filename="encrypt.cfm" />
  • <handler id="decrypt" type="cfm" filename="decrypt.cfm" />
  • </handlers>
  •  
  • </application>

When you set up the filters for your extension, there are two important caveats to know about: one, the regular expressions used in the filtering must match the entire file name, not just part of it (ie. not just the extension); and two, the regular expressions are case-sensitive by default - to make them case-INsensitive, you have to add the (?i) flag as the very first part of the pattern.

Each action (context menu item) in your extension is mapped to a handler, which is really just a ColdFusion file that ColdFusion Builder calls on your server. I created two handlers (ColdFusion files) - one for encryption and one for decryption.

NOTE: I have included an XML response in both of my handler files, but I have not been able to get them to work - they are supposed to refresh the project view after the new files have been created; I am including them in the following code samples in the hopes that someone will see something blatantly wrong and tell me how to fix it!

encrypt.cfm

  • <!---
  • Param the FORM value that will contain the data posted from
  • the ColdFusion Builder extension. This will be in the form of
  • the following XML file:
  •  
  • <event>
  • <ide>
  • <projectview
  • projectname="EncryptDecrypt"
  • projectlocation="C:/..." >
  •  
  • <resource
  • path="C:/.../file.cfm"
  • type="file" />
  •  
  • </projectview>
  • </ide>
  •  
  • <user></user>
  • </event>
  • --->
  • <cfparam
  • name="form.ideEventInfo"
  • type="string"
  • default=""
  • />
  •  
  •  
  • <!---
  • Wrap the entire process around Try / Catch because it relies
  • on a bunch of things that might cause error.
  •  
  • NOTE: This is my first web service. In future iterations, we
  • will do a better job of reporting back any errors.
  • --->
  • <cftry>
  •  
  • <!--- Get the current directory. --->
  • <cfset thisDirectory = getDirectoryFromPath(
  • getCurrentTemplatePath()
  • ) />
  •  
  • <!--- Get the bin directory. --->
  • <cfset binDirectory = (thisDirectory & "..\bin\") />
  •  
  • <!--- Get the log directory (for errors). --->
  • <cfset logDirectory = (thisDirectory & "..\log\") />
  •  
  •  
  • <!---
  • Now that we have all of our directories in place,
  • let's convert the request data into XML so we can access
  • its nodes.
  • --->
  • <cfset requestXml = xmlParse( trim( form.ideEventInfo ) ) />
  •  
  •  
  • <!---
  • Now that we have all of our directories in place, let's
  • grab the resource node's PATH attribute from the XML post
  • into the document we got from ColdFusion builder.
  • --->
  • <cfset resourceNodes = xmlSearch(
  • requestXml,
  • "//resource[ position() = 1 ]/@path"
  • ) />
  •  
  • <!---
  • From the resource PATH attribute node, we can grab the
  • file path to the unecrypted ColdFusion file.
  •  
  • NOTE: While ColdFusion usually doesn't care about the file
  • path seperator, since we are dipping down into the command
  • line, we need to make sure we are using the WINDOWS file
  • path seperator.
  • --->
  • <cfset decryptedFile = reReplace(
  • resourceNodes[ 1 ].xmlValue,
  • "[\\/]",
  • "\",
  • "all"
  • ) />
  •  
  • <!---
  • Based on the decrypted file name, let's create an encrypted
  • file name by adding ".encypted." before the file extension.
  • --->
  • <cfset encryptedFile = reReplaceNoCase(
  • decryptedFile,
  • "(.+?)(?:\.decrypted)?\.(cf(m|c))$",
  • "\1.encrypted.\2",
  • "one"
  • ) />
  •  
  •  
  • <!---
  • Now that we have the path to the unecrypted file and to
  • the target encrypted file, we can run the source through
  • the cfencode.exe command line utility.
  • --->
  • <cfexecute
  • name="""#binDirectory#cfencode.exe"""
  • arguments="""#decryptedFile#"" ""#encryptedFile#"" /v ""2"""
  • timeout="5">
  • </cfexecute>
  •  
  •  
  • <!---
  • Now that we have encrypted the file, we need to tell
  • ColdFusion Builder to refresh it's project tree (since
  • we have created a new file). To do that, we need to grab
  • the project node.
  • --->
  • <cfset projectNode = xmlSearch(
  • requestXml,
  • "//projectview[ position() = 1 ]/@projectname"
  • ) />
  •  
  • <!--- Store the response xml. --->
  • <cfsavecontent variable="responseXml">
  • <cfoutput>
  •  
  • <response>
  • <ide>
  • <commands>
  •  
  • <command name="refreshproject">
  • <params>
  • <param
  • key="projectname"
  • value="#projectNode[ 1 ].xmlValue#"
  • />
  • </params>
  • </command>
  •  
  • </commands>
  • </ide>
  • </response>
  •  
  • </cfoutput>
  • </cfsavecontent>
  •  
  • <!---
  • Now, convert the response XML to binary and stream it
  • back to builder.
  • --->
  • <cfset responseBinary = toBinary(
  • toBase64(
  • trim( responseXml )
  • )
  • ) />
  •  
  •  
  • <!---
  • Set response content data. This will reset the output
  • buffer, write the data, and then close the response.
  • --->
  • <cfcontent
  • type="text/xml"
  • variable="#responseBinary#"
  • />
  •  
  •  
  • <!--- ------------------------------------------------- --->
  • <!--- ------------------------------------------------- --->
  •  
  • <!---
  • We should NOT have made it this far. Either the request
  • prcessed well and the processing is OVER; or, there was
  • an error and the processing skipped directly to the
  • CFCatch block of our try / catch area.
  • --->
  •  
  •  
  • <!--- Catch any errors. --->
  • <cfcatch>
  •  
  • <!--- Log the error to disk. --->
  • <cfdump
  • var="#[ form, variables, cfcatch ]#"
  • format="html"
  • output="#logDirectory##createUUID()#.htm"
  • />
  •  
  • </cfcatch>
  •  
  • </cftry>

As you can see, this file is not doing much more than parsing the posted XML request and routing the resource file (the file the user selected when applying the extension) through the CFEncode.exe command line utility. The decryption functionality is almost identical, except that it uses the CFDecrypt.exe command line utility:

decrypt.cfm

  • <!---
  • Param the FORM value that will contain the data posted from
  • the ColdFusion Builder extension. This will be in the form of
  • the following XML file:
  •  
  • <event>
  • <ide>
  • <projectview
  • projectname="EncryptDecrypt"
  • projectlocation="C:/..." >
  •  
  • <resource
  • path="C:/.../file.cfm"
  • type="file" />
  •  
  • </projectview>
  • </ide>
  •  
  • <user></user>
  • </event>
  • --->
  • <cfparam
  • name="form.ideEventInfo"
  • type="string"
  • default=""
  • />
  •  
  •  
  • <!---
  • Wrap the entire process around Try / Catch because it relies
  • on a bunch of things that might cause error.
  •  
  • NOTE: This is my first web service. In future iterations, we
  • will do a better job of reporting back any errors.
  • --->
  • <cftry>
  •  
  • <!--- Get the current directory. --->
  • <cfset thisDirectory = getDirectoryFromPath(
  • getCurrentTemplatePath()
  • ) />
  •  
  • <!--- Get the bin directory. --->
  • <cfset binDirectory = (thisDirectory & "..\bin\") />
  •  
  • <!--- Get the log directory (for errors). --->
  • <cfset logDirectory = (thisDirectory & "..\log\") />
  •  
  •  
  • <!---
  • Now that we have all of our directories in place,
  • let's convert the request data into XML so we can access
  • its nodes.
  • --->
  • <cfset requestXml = xmlParse( trim( form.ideEventInfo ) ) />
  •  
  •  
  • <!---
  • Now that we have all of our directories in place, let's
  • grab the resource node's PATH attribute from the XML post
  • into the document we got from ColdFusion builder.
  • --->
  • <cfset resourceNodes = xmlSearch(
  • requestXml,
  • "//resource[ position() = 1 ]/@path"
  • ) />
  •  
  • <!---
  • From the resource PATH attribute node, we can grab the
  • file path to the ecrypted ColdFusion file.
  •  
  • NOTE: While ColdFusion usually doesn't care about the file
  • path seperator, since we are dipping down into the command
  • line, we need to make sure we are using the WINDOWS file
  • path seperator.
  • --->
  • <cfset encryptedFile = reReplace(
  • resourceNodes[ 1 ].xmlValue,
  • "[\\/]",
  • "\",
  • "all"
  • ) />
  •  
  • <!---
  • Based on the encrypted file name, let's create an decrypted
  • file name by adding ".decypted." before the file extension.
  • --->
  • <cfset decryptedFile = reReplaceNoCase(
  • encryptedFile,
  • "(.+?)(?:\.encrypted)?\.(cf(m|c))$",
  • "\1.decrypted.\2",
  • "one"
  • ) />
  •  
  •  
  • <!---
  • Now that we have the path to the encrypted file and to
  • the target denrypted file, we can run the source through
  • the cfdecrypt.exe command line utility.
  • --->
  • <cfexecute
  • name="""#binDirectory#cfdecrypt.exe"""
  • arguments="""#encryptedFile#"" ""#decryptedFile#"""
  • timeout="5">
  • </cfexecute>
  •  
  •  
  • <!---
  • Now that we have decrypted the file, we need to tell
  • ColdFusion Builder to refresh it's project tree (since
  • we have created a new file). To do that, we need to grab
  • the project node.
  • --->
  • <cfset projectNode = xmlSearch(
  • requestXml,
  • "//projectview[ position() = 1 ]/@projectname"
  • ) />
  •  
  • <!--- Store the response xml. --->
  • <cfsavecontent variable="responseXml">
  • <cfoutput>
  •  
  • <response>
  • <ide>
  • <commands>
  •  
  • <command name="refreshproject">
  • <params>
  • <param
  • key="projectname"
  • value="#projectNode[ 1 ].xmlValue#"
  • />
  • </params>
  • </command>
  •  
  • </commands>
  • </ide>
  • </response>
  •  
  • </cfoutput>
  • </cfsavecontent>
  •  
  • <!---
  • Now, convert the response XML to binary and stream it
  • back to builder.
  • --->
  • <cfset responseBinary = toBinary(
  • toBase64(
  • trim( responseXml )
  • )
  • ) />
  •  
  •  
  • <!---
  • Set response content data. This will reset the output
  • buffer, write the data, and then close the response.
  • --->
  • <cfcontent
  • type="text/xml"
  • variable="#responseBinary#"
  • />
  •  
  •  
  • <!--- ------------------------------------------------- --->
  • <!--- ------------------------------------------------- --->
  •  
  • <!---
  • We should NOT have made it this far. Either the request
  • prcessed well and the processing is OVER; or, there was
  • an error and the processing skipped directly to the
  • CFCatch block of our try / catch area.
  • --->
  •  
  •  
  • <!--- Catch any errors. --->
  • <cfcatch>
  •  
  • <!--- Log the error to disk. --->
  • <cfdump
  • var="#[ form, variables, cfcatch ]#"
  • format="html"
  • output="#logDirectory##createUUID()#.htm"
  • />
  •  
  • </cfcatch>
  •  
  • </cftry>

And that's all there is to it. Like I said above, I could not get the response XML to work and refresh the ColdFusion Builder project. When I log the response, here is what I get - hopefully someone will see what is going wrong here and help me out:

  • <response>
  • <ide>
  • <commands>
  • <command name="refreshproject">
  • <params>
  • <param key="projectname" value="EncryptDecrypt" />
  • </params>
  • </command>
  • </commands>
  • </ide>
  • </response>

I took this right out of the documentation and the ColdFusion Builder error log viewer doesn't tell me anything; in fact, the error log viewer in Builder seemed completely useless - it never held any errors related to my extensions. Anyway, if anyone sees something wrong with my response, please let me know.

So that's my "hello world" ColdFusion Builder extension. It took me a few hours to figure out a bunch of the little quirks, but once I got past that, this extensible functionality seems easy to create and potentially very powerful. One of the nicest things about it is that after the extension is installed, I can work directly on the installed ColdFusion files to update the extension functionality in real-time.




Reader Comments

@Terrence,

The conversion to binary is only so I can use the "Variable" attribute off of the CFContent tag (which will ensure that *only* the XML is returned and finalizes the response).

I'll take a look your translator, thanks!

Reply to this Comment

@Ben,

I haven't tried working with this at all but here is something that came to mind.

Did you try using your variable you first create "thisDirectory" when you try to refresh the project?

such as

<param
key="projectname"
value="#thisDirectory#"
/>

Reply to this Comment

@Daniel,

The "thisDirectory" variable points to the current location of the extension code, not of the project. We have to get the project information from the posted XML file.

Reply to this Comment

@Ben,

Ya I guess I should have looked over a little more detail, some reason I thought that was coming from the file being encrypted/decrypted.

Reply to this Comment

@Daniel,

Hmmm, not sure if I tried that. I wonder how that works, since I believe in CF Builder, I might not be able to get the name of the folder form the path (as it might be a shared resource or the root of the project). I'll give it a try.

Reply to this Comment

Is this the same thing or different than cfcompile? I never get an Allaire header when I use that, it's usually a max of 3 miscellaneous looking characters.

If it is the same, is there any real way to successfully physically protect your CFML source code when distributing it?

Reply to this Comment

@Ben,

Because I am pedantic, I just want to make sure that everyone knows there is absolutely no encryption going on. There is only encoding and obfuscation. The cfencode tool only obfuscates your CF code, as stated on {http://livedocs.adobe.com/coldfusion/6/Developing_ColdFusion_MX_Applications_with_CFML/appSecurity2.htm}.

Obfuscation merely prevents the casual person from reading your source code immediately. If someone hacked into your laptop, your version control master, or your web server to look at your source, you can bet your behind that he is perfectly able to read your obfuscated code.

But obfuscation typically has no security implications and cannot prevent anyone from understanding the file once he has access to it. Only encryption is capable of doing that, so long as a modern cryptosystem is chosen and the private keys remain safe.

The key difference is: with obfuscation, anyone with a little time and talent can easily understand and alter your source code. But modern a modern encryption algorithm, so long as it does not have gaping flaws, cannot be broken. "AES permits the use of 256-bit keys. Breaking a symmetric 256-bit key by brute force requires 2^128 times more computational power than a 128-bit key. A device that could check a billion billion (10^18) AES keys per second would require about 3×10^51 years to exhaust the 256-bit key space." {http://en.wikipedia.org/wiki/Brute_force_attack} All of the computing power in this world put together is not sufficient to check a billion billion keys per second. In other words, no matter how much time or energy or money you have, it is physically impossible to break something encrypted with AES-256 unless you already know the encryption key.

Cheers,
Justice

Reply to this Comment

@Justice,

Good clarification; I was not exactly sure what the CFEncode.exe was doing. But, if the code is obfuscated, I wonder how ColdFusion knows to de-obfuscate it before compiling? Perhaps there are markers in the code that it checks for every time that it goes to compile?

Reply to this Comment

@Ben,

I'm not sure exactly how cfencode works either. I can state for sure that, according to Adobe's docs, cfencode doesn't encrypt but only obfuscates.

The nice thing about obfuscated code is that, in most scenarios, it does not need to be "de-obfuscated." The obfuscated code can typically be run as-is, at least in the Java and .NET obfuscators I have seen, because the obfuscated code contains within it the code necessary to deobfuscate the rest of itself.

Note that 'jquery.min.js' is the obfuscated version of 'jquery.js' (minification is a form of obfuscation). Also, the 'jquery.packed.js' is also an obfuscated version of 'jquery.js'. Obviously, the files work exactly the same. But in the minified version, internal variables are renamed to something very short, because they are not part of the public API so the renames don't matter. In the packed version, there is a whole lot more going on in terms of obfuscation. In fact, in the packed version, the file contains the JavaScript code needed to unpack the rest of itself, so the browser doesn't have to do anything special - it just runs what it thinks is everyday run-of-the-mill JavaScript code.

Cheers,
Justice

Reply to this Comment

@Justice,

The concept of something being able to unpack itself is pretty wild! I knew that was going on at some level, but never really thought about it conceptually. Pretty cool stuff!

Reply to this Comment

being as you posted this in 2009, I presume the cfdecrypt works fine with CF8?
I just downloaded it from the adobe exchange and it wont decrypt anything, I just get 0 byte files.

Reply to this Comment

@Russ,

Yeah, it worked with CF8. I am not sure what a zero byte file would be an indicator of. Perhaps the file you are trying to decrypt was not encrypted with the same algorithm. CF9 ships with files that were encrypted with a totally different method (if you're trying to look at some of the Service object or something).

Reply to this Comment

@Ben Nadel,

I'm trying to decrypt some cfreport files, these are several years old so are probably cf6/7

I actually can't get any cfm files at all to decrypt, they all come out as zero byte.

Reply to this Comment

@Russ,

Hmm, I've never actually had to deal with the Report builder aspects of ColdFusion. From what I hear it is kind of a beast. If these are files generated by report builder, I would *assume* that the encryption they are using is different that the "obfuscation" used in CFDecrypt.

Reply to this Comment

Ray Camden solved this one for me (thanks Ray!). The correct attribute for the XML callback is actually:

<command type="refreshproject">

instead of name="...". So, the full snippet based on your code that works for me is here: http://pastebin.com/Jc3eBFyN

Thanks for informative post!

Reply to this Comment

@Matt,

Good stuff. I had seen the RefreshProject command used once or twice but had never actually gotten it to execute in my experience. Now that I have recently switched over to Mac, which has forced me to switch over to ColdFusion Builder, I'll definitely be getting back into this stuff.

Reply to this Comment

Post A Comment

You — Get Out Of My Dreams, Get Into My Comments
Live in the Now
Oops!
Comment Etiquette: Please do not post spam. Please keep the comments on-topic. Please do not post unrelated questions or large chunks of code. And, above all, please be nice to each other - we're trying to have a good conversation here.