Skip to main content
Ben Nadel at NCDevCon 2011 (Raleigh, NC) with: Rakshith Naresh
Ben Nadel at NCDevCon 2011 (Raleigh, NC) with: Rakshith Naresh ( @rakshithn )

My First ColdFusion Builder Extension - Encrypting And Decrypting CFM / CFC Files

By
Published in Comments (21)

After watching Simon Free present on ColdFusion Builder Extensions at RIAUnleashed up in Boston, I felt inspired and wanted to come home and start playing around with my own little extensions (get your mind out of the gutter!). As a "hello world" type introduction to the ColdFusion Builder extension arena, I thought I would try and keep it as simple as possible, not dealing with any wizards or response modals; my first extensions - ColdFusion file encryption / decryption - simply sends off an action request to the extension handlers without waiting for any response or supplying one to the user.

The ColdFusion Builder extension installation process, menu configuration, and action handling is all defined within the ide_config.xml file that must be in the root of your extension archive (ZIP archive of your CFM files). Since my extension deals with the encryption and decryption of ColdFusion files, this configuration file only wires the extension up to the Project View and specifically to CFM and CFC files.

ide_config.xml

<application>

	<!--
		ColdFusion Builder extension overview. This is the
		information that will be presented to the user during
		the extension installation process.
	-->
	<name>ColdFusion File Encryption</name>
	<author>Ben Nadel</author>
	<version>0.1</version>
	<email>ben@xxxxxxxxx.com</email>
	<description>
		<![CDATA[
			<p>
				This extensions encrypts and decrypts ColdFusion
				CFM and CFC files using command line utilities
				(executables). For encryption, it uses the native
				CFEncode.exe and for decryption, it uses the 3rd
				party CFDecrypt.exe.
			</p>

			<p>
				The original ColdFusion files remain intact. The
				encrypted and decrypted files are created as new
				files with ".encrypted" and ".decrypted" preceding
				the file extension (respectively).
			</p>
		]]>
	</description>
	<license>
		<![CDATA[
			<p>
				Just don't sue me.
			</p>

			<p>
				<strong>NOTE:</strong> Using the CFDecrypt.exe
				utility <em>might</em> be a violation of the Adobe
				ColdFusion license agreement / terms of use; use
				at your own discretion.
			</p>
		]]>
	</license>

	<!--
		The MenuContributions determine where the extension
		is active within ColdFusion Builder (as defined by the
		Contribution tags).
	-->
	<menucontributions>

		<!-- The "ProjectView" is the project navigator. -->
		<contribution target="projectview">

			<menu name="ColdFusion File Encryption">

				<!--
					This will only be avilable on CFM and CFC
					files (within the project tree) as defined
					by the following regular epxression for file
					extensions.

					NOTE: Use the (?i) case flag to keep the
					regular expression case-insensitive (since it
					is, by default case-sensitive).

					NOTE: The pattern must match the ENTIRE file
					name, not just match within it.
				-->
				<filters>
					<filter
						type="file"
						pattern="(?i).+\.cf(m|c)"
						/>
				</filters>

				<!--
					These are the options that will show up under
					the "ColdFusion File Encryption" header within
					the context menu. Each calls a Handler (by ID),
					defined later in this configuration file.
				-->
				<action
					name="Encrypt"
					handlerid="encrypt"
					showresponse="false"
					/>

				<action
					name="Decrypt"
					handlerid="decrypt"
					showresponse="false"
					/>

			</menu>

		</contribution>

	</menucontributions>

	<!--
		The Handler define the ColdFusion files that will
		receive the data posted by ColdFusion Builder when the
		user selects one of the above actions.

		NOTE: These files are located in the "handlers" folder
		of the extension installation.
	-->
	<handlers>
		<handler id="encrypt" type="cfm" filename="encrypt.cfm" />
		<handler id="decrypt" type="cfm" filename="decrypt.cfm" />
	</handlers>

</application>

When you set up the filters for your extension, there are two important caveats to know about: one, the regular expressions used in the filtering must match the entire file name, not just part of it (ie. not just the extension); and two, the regular expressions are case-sensitive by default - to make them case-INsensitive, you have to add the (?i) flag as the very first part of the pattern.

Each action (context menu item) in your extension is mapped to a handler, which is really just a ColdFusion file that ColdFusion Builder calls on your server. I created two handlers (ColdFusion files) - one for encryption and one for decryption.

NOTE: I have included an XML response in both of my handler files, but I have not been able to get them to work - they are supposed to refresh the project view after the new files have been created; I am including them in the following code samples in the hopes that someone will see something blatantly wrong and tell me how to fix it!

encrypt.cfm

<!---
	Param the FORM value that will contain the data posted from
	the ColdFusion Builder extension. This will be in the form of
	the following XML file:

	<event>
		<ide>
			<projectview
				projectname="EncryptDecrypt"
				projectlocation="C:/..." >

				<resource
					path="C:/.../file.cfm"
					type="file" />

			</projectview>
		</ide>

		<user></user>
	</event>
--->
<cfparam
	name="form.ideEventInfo"
	type="string"
	default=""
	/>


<!---
	Wrap the entire process around Try / Catch because it relies
	on a bunch of things that might cause error.

	NOTE: This is my first web service. In future iterations, we
	will do a better job of reporting back any errors.
--->
<cftry>

	<!--- Get the current directory. --->
	<cfset thisDirectory = getDirectoryFromPath(
		getCurrentTemplatePath()
		) />

	<!--- Get the bin directory. --->
	<cfset binDirectory = (thisDirectory & "..\bin\") />

	<!--- Get the log directory (for errors). --->
	<cfset logDirectory = (thisDirectory & "..\log\") />


	<!---
		Now that we have all of our directories in place,
		let's convert the request data into XML so we can access
		its nodes.
	--->
	<cfset requestXml = xmlParse( trim( form.ideEventInfo ) ) />


	<!---
		Now that we have all of our directories in place, let's
		grab the resource node's PATH attribute from the XML post
		into the document we got from ColdFusion builder.
	--->
	<cfset resourceNodes = xmlSearch(
		requestXml,
		"//resource[ position() = 1 ]/@path"
		) />

	<!---
		From the resource PATH attribute node, we can grab the
		file path to the unecrypted ColdFusion file.

		NOTE: While ColdFusion usually doesn't care about the file
		path seperator, since we are dipping down into the command
		line, we need to make sure we are using the WINDOWS file
		path seperator.
	--->
	<cfset decryptedFile = reReplace(
		resourceNodes[ 1 ].xmlValue,
		"[\\/]",
		"\",
		"all"
		) />

	<!---
		Based on the decrypted file name, let's create an encrypted
		file name by adding ".encypted." before the file extension.
	--->
	<cfset encryptedFile = reReplaceNoCase(
		decryptedFile,
		"(.+?)(?:\.decrypted)?\.(cf(m|c))$",
		"\1.encrypted.\2",
		"one"
		) />


	<!---
		Now that we have the path to the unecrypted file and to
		the target encrypted file, we can run the source through
		the cfencode.exe command line utility.
	--->
	<cfexecute
		name="""#binDirectory#cfencode.exe"""
		arguments="""#decryptedFile#"" ""#encryptedFile#"" /v ""2"""
		timeout="5">
	</cfexecute>


	<!---
		Now that we have encrypted the file, we need to tell
		ColdFusion Builder to refresh it's project tree (since
		we have created a new file). To do that, we need to grab
		the project node.
	--->
	<cfset projectNode = xmlSearch(
		requestXml,
		"//projectview[ position() = 1 ]/@projectname"
		) />

	<!--- Store the response xml. --->
	<cfsavecontent variable="responseXml">
		<cfoutput>

			<response>
				<ide>
					<commands>

						<command name="refreshproject">
							<params>
								<param
									key="projectname"
									value="#projectNode[ 1 ].xmlValue#"
									/>
							</params>
						</command>

					</commands>
				</ide>
			</response>

		</cfoutput>
	</cfsavecontent>

	<!---
		Now, convert the response XML to binary and stream it
		back to builder.
	--->
	<cfset responseBinary = toBinary(
		toBase64(
			trim( responseXml )
			)
		) />


	<!---
		Set response content data. This will reset the output
		buffer, write the data, and then close the response.
	--->
	<cfcontent
		type="text/xml"
		variable="#responseBinary#"
		/>


	<!--- ------------------------------------------------- --->
	<!--- ------------------------------------------------- --->

	<!---
		We should NOT have made it this far. Either the request
		prcessed well and the processing is OVER; or, there was
		an error and the processing skipped directly to the
		CFCatch block of our try / catch area.
	--->


	<!--- Catch any errors. --->
	<cfcatch>

		<!--- Log the error to disk. --->
		<cfdump
			var="#[ form, variables, cfcatch ]#"
			format="html"
			output="#logDirectory##createUUID()#.htm"
			/>

	</cfcatch>

</cftry>

As you can see, this file is not doing much more than parsing the posted XML request and routing the resource file (the file the user selected when applying the extension) through the CFEncode.exe command line utility. The decryption functionality is almost identical, except that it uses the CFDecrypt.exe command line utility:

decrypt.cfm

<!---
	Param the FORM value that will contain the data posted from
	the ColdFusion Builder extension. This will be in the form of
	the following XML file:

	<event>
		<ide>
			<projectview
				projectname="EncryptDecrypt"
				projectlocation="C:/..." >

				<resource
					path="C:/.../file.cfm"
					type="file" />

			</projectview>
		</ide>

		<user></user>
	</event>
--->
<cfparam
	name="form.ideEventInfo"
	type="string"
	default=""
	/>


<!---
	Wrap the entire process around Try / Catch because it relies
	on a bunch of things that might cause error.

	NOTE: This is my first web service. In future iterations, we
	will do a better job of reporting back any errors.
--->
<cftry>

	<!--- Get the current directory. --->
	<cfset thisDirectory = getDirectoryFromPath(
		getCurrentTemplatePath()
		) />

	<!--- Get the bin directory. --->
	<cfset binDirectory = (thisDirectory & "..\bin\") />

	<!--- Get the log directory (for errors). --->
	<cfset logDirectory = (thisDirectory & "..\log\") />


	<!---
		Now that we have all of our directories in place,
		let's convert the request data into XML so we can access
		its nodes.
	--->
	<cfset requestXml = xmlParse( trim( form.ideEventInfo ) ) />


	<!---
		Now that we have all of our directories in place, let's
		grab the resource node's PATH attribute from the XML post
		into the document we got from ColdFusion builder.
	--->
	<cfset resourceNodes = xmlSearch(
		requestXml,
		"//resource[ position() = 1 ]/@path"
		) />

	<!---
		From the resource PATH attribute node, we can grab the
		file path to the ecrypted ColdFusion file.

		NOTE: While ColdFusion usually doesn't care about the file
		path seperator, since we are dipping down into the command
		line, we need to make sure we are using the WINDOWS file
		path seperator.
	--->
	<cfset encryptedFile = reReplace(
		resourceNodes[ 1 ].xmlValue,
		"[\\/]",
		"\",
		"all"
		) />

	<!---
		Based on the encrypted file name, let's create an decrypted
		file name by adding ".decypted." before the file extension.
	--->
	<cfset decryptedFile = reReplaceNoCase(
		encryptedFile,
		"(.+?)(?:\.encrypted)?\.(cf(m|c))$",
		"\1.decrypted.\2",
		"one"
		) />


	<!---
		Now that we have the path to the encrypted file and to
		the target denrypted file, we can run the source through
		the cfdecrypt.exe command line utility.
	--->
	<cfexecute
		name="""#binDirectory#cfdecrypt.exe"""
		arguments="""#encryptedFile#"" ""#decryptedFile#"""
		timeout="5">
	</cfexecute>


	<!---
		Now that we have decrypted the file, we need to tell
		ColdFusion Builder to refresh it's project tree (since
		we have created a new file). To do that, we need to grab
		the project node.
	--->
	<cfset projectNode = xmlSearch(
		requestXml,
		"//projectview[ position() = 1 ]/@projectname"
		) />

	<!--- Store the response xml. --->
	<cfsavecontent variable="responseXml">
		<cfoutput>

			<response>
				<ide>
					<commands>

						<command name="refreshproject">
							<params>
								<param
									key="projectname"
									value="#projectNode[ 1 ].xmlValue#"
									/>
							</params>
						</command>

					</commands>
				</ide>
			</response>

		</cfoutput>
	</cfsavecontent>

	<!---
		Now, convert the response XML to binary and stream it
		back to builder.
	--->
	<cfset responseBinary = toBinary(
		toBase64(
			trim( responseXml )
			)
		) />


	<!---
		Set response content data. This will reset the output
		buffer, write the data, and then close the response.
	--->
	<cfcontent
		type="text/xml"
		variable="#responseBinary#"
		/>


	<!--- ------------------------------------------------- --->
	<!--- ------------------------------------------------- --->

	<!---
		We should NOT have made it this far. Either the request
		prcessed well and the processing is OVER; or, there was
		an error and the processing skipped directly to the
		CFCatch block of our try / catch area.
	--->


	<!--- Catch any errors. --->
	<cfcatch>

		<!--- Log the error to disk. --->
		<cfdump
			var="#[ form, variables, cfcatch ]#"
			format="html"
			output="#logDirectory##createUUID()#.htm"
			/>

	</cfcatch>

</cftry>

And that's all there is to it. Like I said above, I could not get the response XML to work and refresh the ColdFusion Builder project. When I log the response, here is what I get - hopefully someone will see what is going wrong here and help me out:

<response>
	<ide>
		<commands>
			<command name="refreshproject">
				<params>
					<param key="projectname" value="EncryptDecrypt" />
				</params>
			</command>
		</commands>
	</ide>
</response>

I took this right out of the documentation and the ColdFusion Builder error log viewer doesn't tell me anything; in fact, the error log viewer in Builder seemed completely useless - it never held any errors related to my extensions. Anyway, if anyone sees something wrong with my response, please let me know.

So that's my "hello world" ColdFusion Builder extension. It took me a few hours to figure out a bunch of the little quirks, but once I got past that, this extensible functionality seems easy to create and potentially very powerful. One of the nicest things about it is that after the extension is installed, I can work directly on the installed ColdFusion files to update the extension functionality in real-time.

Want to use code from this post? Check out the license.

Reader Comments

15,798 Comments

@Terrence,

The conversion to binary is only so I can use the "Variable" attribute off of the CFContent tag (which will ensure that *only* the XML is returned and finalizes the response).

I'll take a look your translator, thanks!

32 Comments

@Ben,

I haven't tried working with this at all but here is something that came to mind.

Did you try using your variable you first create "thisDirectory" when you try to refresh the project?

such as

<param
key="projectname"
value="#thisDirectory#"
/>

15,798 Comments

@Daniel,

The "thisDirectory" variable points to the current location of the extension code, not of the project. We have to get the project information from the posted XML file.

32 Comments

@Ben,

Ya I guess I should have looked over a little more detail, some reason I thought that was coming from the file being encrypted/decrypted.

15,798 Comments

@Daniel,

Hmmm, not sure if I tried that. I wonder how that works, since I believe in CF Builder, I might not be able to get the name of the folder form the path (as it might be a shared resource or the root of the project). I'll give it a try.

167 Comments

Is this the same thing or different than cfcompile? I never get an Allaire header when I use that, it's usually a max of 3 miscellaneous looking characters.

If it is the same, is there any real way to successfully physically protect your CFML source code when distributing it?

113 Comments

@Ben,

Because I am pedantic, I just want to make sure that everyone knows there is absolutely no encryption going on. There is only encoding and obfuscation. The cfencode tool only obfuscates your CF code, as stated on {http://livedocs.adobe.com/coldfusion/6/Developing_ColdFusion_MX_Applications_with_CFML/appSecurity2.htm}.

Obfuscation merely prevents the casual person from reading your source code immediately. If someone hacked into your laptop, your version control master, or your web server to look at your source, you can bet your behind that he is perfectly able to read your obfuscated code.

But obfuscation typically has no security implications and cannot prevent anyone from understanding the file once he has access to it. Only encryption is capable of doing that, so long as a modern cryptosystem is chosen and the private keys remain safe.

The key difference is: with obfuscation, anyone with a little time and talent can easily understand and alter your source code. But modern a modern encryption algorithm, so long as it does not have gaping flaws, cannot be broken. "AES permits the use of 256-bit keys. Breaking a symmetric 256-bit key by brute force requires 2^128 times more computational power than a 128-bit key. A device that could check a billion billion (10^18) AES keys per second would require about 3×10^51 years to exhaust the 256-bit key space." {http://en.wikipedia.org/wiki/Brute_force_attack} All of the computing power in this world put together is not sufficient to check a billion billion keys per second. In other words, no matter how much time or energy or money you have, it is physically impossible to break something encrypted with AES-256 unless you already know the encryption key.

Cheers,
Justice

15,798 Comments

@Justice,

Good clarification; I was not exactly sure what the CFEncode.exe was doing. But, if the code is obfuscated, I wonder how ColdFusion knows to de-obfuscate it before compiling? Perhaps there are markers in the code that it checks for every time that it goes to compile?

113 Comments

@Ben,

I'm not sure exactly how cfencode works either. I can state for sure that, according to Adobe's docs, cfencode doesn't encrypt but only obfuscates.

The nice thing about obfuscated code is that, in most scenarios, it does not need to be "de-obfuscated." The obfuscated code can typically be run as-is, at least in the Java and .NET obfuscators I have seen, because the obfuscated code contains within it the code necessary to deobfuscate the rest of itself.

Note that 'jquery.min.js' is the obfuscated version of 'jquery.js' (minification is a form of obfuscation). Also, the 'jquery.packed.js' is also an obfuscated version of 'jquery.js'. Obviously, the files work exactly the same. But in the minified version, internal variables are renamed to something very short, because they are not part of the public API so the renames don't matter. In the packed version, there is a whole lot more going on in terms of obfuscation. In fact, in the packed version, the file contains the JavaScript code needed to unpack the rest of itself, so the browser doesn't have to do anything special - it just runs what it thinks is everyday run-of-the-mill JavaScript code.

Cheers,
Justice

15,798 Comments

@Justice,

The concept of something being able to unpack itself is pretty wild! I knew that was going on at some level, but never really thought about it conceptually. Pretty cool stuff!

27 Comments

being as you posted this in 2009, I presume the cfdecrypt works fine with CF8?
I just downloaded it from the adobe exchange and it wont decrypt anything, I just get 0 byte files.

15,798 Comments

@Russ,

Yeah, it worked with CF8. I am not sure what a zero byte file would be an indicator of. Perhaps the file you are trying to decrypt was not encrypted with the same algorithm. CF9 ships with files that were encrypted with a totally different method (if you're trying to look at some of the Service object or something).

27 Comments

@Ben Nadel,

I'm trying to decrypt some cfreport files, these are several years old so are probably cf6/7

I actually can't get any cfm files at all to decrypt, they all come out as zero byte.

15,798 Comments

@Russ,

Hmm, I've never actually had to deal with the Report builder aspects of ColdFusion. From what I hear it is kind of a beast. If these are files generated by report builder, I would *assume* that the encryption they are using is different that the "obfuscation" used in CFDecrypt.

3 Comments

Ray Camden solved this one for me (thanks Ray!). The correct attribute for the XML callback is actually:

<command type="refreshproject">

instead of name="...". So, the full snippet based on your code that works for me is here: http://pastebin.com/Jc3eBFyN

Thanks for informative post!

15,798 Comments

@Matt,

Good stuff. I had seen the RefreshProject command used once or twice but had never actually gotten it to execute in my experience. Now that I have recently switched over to Mac, which has forced me to switch over to ColdFusion Builder, I'll definitely be getting back into this stuff.

I believe in love. I believe in compassion. I believe in human rights. I believe that we can afford to give more of these gifts to the world around us because it costs us nothing to be decent and kind and understanding. And, I want you to know that when you land on this site, you are accepted for who you are, no matter how you identify, what truths you live, or whatever kind of goofy shit makes you feel alive! Rock on with your bad self!
Ben Nadel