Archive for category ColdFusion

ColdFusion: XSS Vulnerability in SerializeJSON()

There is a minor vulnerability in ColdFusion’s SerializeJSON() method. ColdFusion fails to escape object keys correctly.

Here is a typical example of the expected way to use SerializeJSON():

The output of this is:

The bug is that object keys are not properly escaped, so if you have an object such as a Struct with a specially designed key, you can inject javascript code where it was not intended:

The result of which is:

As you can see, the generated javascript will be parsed by the browser successfully – except where we only intended to communicate data, we instead executed a function.

So what’s the danger?
The problem is that some users may wish to give easy access to GET and POST (URL/FORM) variables to their client-side javascript – maybe some of these parameters affect how you output data for example. If you just SerializeJSON() the URL or FORM variable, then you may unintentionally be allowing user-supplied data to execute in your page context, which can result in cookie stealing, malicious script injection, and other nasty things like that, by the user including javascript code as the name of a URL argument. Actually exploiting that takes some creativity due to ColdFusion automatically upper-casing URL keys, but that’s a one-time exercise which I’ll leave for the reader (sorry script kiddies).

SerializeJSON() should be safe, it should only create a JavaScript object which represents the data, and should not allow for script injection. The fix for Adobe would be incredibly simple; all they would have to do is escape object keys the same way they already escape output strings.

No Comments

ColdFusion: SerializeJSON() Recursion Error

In ColdFusion 8, Adobe introduced a new function called SerializeJSON(), which takes a single object of just about any type and returns a JSON representation of that object and its properties.  This can include objects which are not native ColdFusion types such as a Java object, and it does a respectable job of figuring out values for this object to include in the JSON by automatically and recursively including the values of any zero-parameter methods which start with ‘get’ such as ‘getName(),’ ‘getAddress(),’ etc.

In theory this works well because for essentially no additional effort, you can send a JavaScript representation of this class down to the browser and interact with it there.

There are a number of shortcomings to this approach though, not the least of which is the inability to filter what properties of a Java object are exposed to the browser when serializing it.  Sometimes objects have sensitive data stored in them which you do not want to expose.  For example if you had a page which details a user’s profile, and you store the properties of this user in a Java bean, you cannot simply pass the same copy of the user object down to the browser through SerializeJSON() as you might be tempted, as this may contain sensitive values such as getPasswordHash() or getAdministrativeNotes() (something I use in  to keep private notes on users especially for when a user has a history of abusive behavior).

However there’s an outright bug in the serialization routine which is essentially unrecoverable if you encounter it.  We first discovered it at work when working with a Java enum data type; having a getter or property whose value was a Java enum will cause you to get a stack overflow exception.  For example:

If you create an instance of this object, you can see the error:

This actually fails on a level that a normal try/catch cannot recover from it. The only way to see the actual error is to handle the error from an Application.cfc onError() method. Here is the error:

The problem is that enums are actually for the most part a java sub-class which have public final static properties for each of the possible enum values. ColdFusion is attempting to serialize the public final static property which is the same class as itself, and this ends up creating a circular reference as far as ColdFusion is concerned. It’s not actually a circular reference in the traditional sense; static class properties are not subject to reference counters and garbage collection – they are part of the permanent generation in Java. The “circular” reference is also created by the compiler and are an endemic aspect of enums.

As already stated, the problem is not limited to java enums, that’s just the first place we noticed it. Common Java design patterns like the Singleton pattern will raise this error as well, if the singleton accessor begins with ‘get’ or the static instance is public:

What can be done to fix it? From an implementation perspective you would have to change your object interface to avoid the problem as it exists today in ColdFusion 8. Essentially you need to be sure that there are no getters or public static properties which may back-reference to the owning class. If you require such, you must put them behind a getter instead of a public static property, and you must also make sure that getter doesn’t start with ‘get’. Essentially you have to kludge the crap out of your Java objects.

From Adobe’s perspective they need to detect a recursion loop and avoid it. Alternately they could provide a way to overload the JSON output for a java object (eg if they test for the existence of a toJSON() method and use its output instead of constructing the object properties themselves). Ideally they would do both, but although this latter approach would offload much of the work to individual developers, it would also give the develoer a way to filter the properties which were output as part of the JSON implementation of an object. The developer could even create flags on the object that allow them to select from several sets of specific properties as necessary (for example, setJSONPrivilege(PUBLIC | PRIVATE) ).

No Comments

ColdFusion: Using Java Beans

A while back we were working on a huge new website in ColdFusion which was a rearchitecture of an extremely mature but very worn out code base. One of the biggest things we wanted to do was adopt a substantially more object oriented approach to development as the original site was started in the ColdFusion 4.5 days.

However we very quickly ran into the problem that many ColdFusion developers have faced (in fact there was even a session on this exact subject at CF.Objective() this year). ColdFusion objects have a substantial overhead to instantiation. Java programmers create hundreds or thousands of disposable objects for even fairly simple tasks. They create objects for things they don’t even realize they’re creating objects for (ints, Booleans, Strings, even lots and lots of Char objects as a string has a Char array in it with one object for each character in the string).

ColdFusion developers can’t be so cavalier with their object creation though. Of course under the surface of ColdFusion is its Java runtime, and so there are plenty of Java objects created under the hood, but when it comes to ColdFusion components, you really need to limit how many you create.

If you try a traditional bean approach to programming in ColdFusion (one data container object for each distinct thing you’re working with – eg one for each query row in a result set), you’ll discover that your application quickly crawls to a halt under any serious load. ColdFusion simply cannot afford the overhead of creating so many components.

There are two main approaches to solving this problem. One is aggressive use of caching of components, and sharing components between users. This is not really a bean approach, at best it could be considered “inspired by,” and it raises quite a few complications of its own, including increased memory footprint, and dangers introduced when one user is modifying a shared object while other users are using it.

The other (and the one I prefer, but it’s a bit less convenient) is to create your beans in Java. Here is a simple bean:

The advantage of this approach is that you can create tons and tons of disposable copies of this object with very little performance penalty. In fact it should be no more expensive than creating a Struct of properties – but you get the benefit of type safety and guaranteed properties. You can also add convenience functions like:

This way you can:

and get “A 1999 Chevy Cavalier. This was not my first car.” as your output.

Coming soon:

  • How to build and bundle your beans
  • Using the Java enum construct for enumerable properties

No Comments

CF.Objective() So Far

So far I’ve been to two really good sessions at CF.Objective(). The first I was dubious about, “Indiana Jones and the Server of Doom,” but I actually learned some things about low-level memory management within ColdFusion, and I can definitely say I’ve got something new to check out on production boxes when I get back to the office. I’ll post more on that later.

Also the session from Adobe where they were highlighting server administration in the upcoming ColdFusion 9 was fantastic. It’s almost like they took a list of the things which cost the most time when maintaining servers today, and created all-new functionality to make managing this much easier. I’m very excited by this, things that are being manually configured on many, many instances today will be able to be rapidly and widely deployed when ColdFusion 9 (Centaur) comes out.

As with all conferences there are going to be times when there’s not much directed at your skill level. This is because there are people of all walks here, from new developers to seasoned experts. I fall somewhere in between, and so I’m doing pretty well on finding good sessions overall.

Next up: Advanced Subversion Techniques (”Subversion for Smarties”).  Here’s hoping it’s not review =)

, ,


ColdFusion Ordered Struct

As most readers probably already know, in ColdFusion, structs are associatively keyed storage structures similar to an array but where you get to use a string to key an entry rather than only a sequential number.

PHP only has array() which acts both like ColdFusion’s array and struct both. You can numerically key arrays or associatively key them, or both. One of the reasons it can get away with this is that it preserves the insert order. So if you do:

The output will be the values in the same order they were put into the structure. If you do the same thing in ColdFusion, you’ll get it back in a seemingly random order (or depending on the version some times you’ll get back in alphabetical order):

Instead if you need to preserve insert order, you can use a similar Java object from ColdFusion:

You can treat this like a struct in every way, including <cfdump>ing it (though cfdump will not show you the insert order for some reason). As you iterate over it, the contents will always come back in the same order they were inserted.

It’s important to note that LinkedHashMap keys are also case-sensitive while ColdFusion Struct keys are case insensitive. This may cause undesired results as you might have two keys that you believe are the same but differ in case; this may cause collisions when working with other objects that are not case sensitive.

, ,


CF.Objective() Here I Come

Heading off to Minneapolis tomorrow morning for CF.Objective().  This is the first conference I’ve been to in a while.  Hoping we get to hear some about the next version of ColdFusion and the Bolt IDE (I’ve played with it some; I can’t say a lot, but I can say that it’s got some fanstastic features).

No Comments

ColdFusion Including Sub-Applications

Ben Nadel has an interesting question on his blog about including sub-applications from within an existing CF application, and having the relevant sub-level Application.cfc fire off.

This is doable in a fairly simple manner but which relies on a barely-documented feature of ColdFusion, and the fact that the sub-level Application.cfc fires is completely undocumented, and may even be unintentional!

Here’s how you can do it, but because we’re wandering into a pretty hazy gray area here, I wouldn’t go using this unless you don’t have much other choice.


Then you can do the below and if it has an Application.cfc, that application.cfc will be invoked.

The caveat though is that CGI scope will still contain the variables from the source page – for example, CGI.SCRIPT_NAME will still be the script name in the URL. As a result, context-sensitive functions like ExpandPath() will operate relative to the root file being called – meaning you might not get the results you’re expecting.

Also the code above will only work 1 sub-application level deep; you’d have to tweak it if you wanted a sub-application within a sub-application, but by that point, zounds, what are you doing man?!?

The good news is that even if the sub-application executes a <cfabort>, execution will return to the calling page, so that sub-app can’t abort your own page.

, ,


Relative CFLoop Performance for Various Loop Structures


Jim over at Ben Nadel’s blog made the assertion that looping a list is faster than looping a struct.  It’s an interesting assertion that looping a list would be faster than looping an array.  I did a test of my own to find out.


Starting with objects with 1 entry populated, I increased the number of populated entries by 1,000 until I reached 100,001 entries in each of an Array, a List, and a Struct.

I also compared the following syntaxes:
<cfloop array=”myArray” index=”x”>
<cfloop from=”1″ to=”#ArrayLen(myArray)#” index=”x”>
<cfloop collection=”#myStruct#” item=”x”>
<cfloop from=”1″ to=”#StructCount(myStruct)#” index=”x”>
<cfloop list=”myList” index=”x”>
<cfloop from=”1″ to=”#ListLen(myList)#” index=”x”>

For each type of test, I did a <cfsavecontent> to cfoutput the relevant entries from each object without causing a ton of data to be sent back to the browser.  The actual <cfloop> and output was tight (all on one line to minimize the total content going to cfsavecontent).

I ran each incremental test 10 times to get an average duration.  I did this because my in my earliest tests it was obvious that garbage collection was causing significant variance (shorter tests often took longer than their longer brethren).  Even still it’s obvious garbage collection played a bigger factor in efficiency than the actual test results, making them somewhat difficult to decipher meaningfully.


Early on, I dropped the final test (which involved ListGetAt() for the output portion) since while the others were still taking a few milliseconds, this test was already taking multiple seconds.

It should be no surprise that 1 entry of each took no measurable time (getTickCount() had not incremented).

At 10,001 entries, <cfloop array> and <cfloop list> took 5 and 4 milliseconds respectively, but at 11,001 (the next level up), it was 3 and 7 milliseconds respectively – neck and neck, looking in favor of <cfloop array>.  <cfloop ArrayLen()> was taking 9 and 6 seconds, <cfloop collection> 21 and 17 seconds, and <cfloop StructCount()> waas taking 21 and 14.  At this level we could say <cfloop array> and <cfloop list> were close, while the others were not.

At 50,001 entries, <cfloop array> and <cfloop list> are still neck and neck.  They reported identical times of 11.00 milliseconds.  <cfloop ArrayLen()> weighed in at 56.10ms, <cfloop collection> at 126.2ms, and <cfloop StructCount()> at 91.2ms.

By the final test of 100,001 entries, <cfloop array> and <cfloop list> had finally started to show a real difference.  <cfloop array> pulled ahead as the clear winner, with at least a 10ms margin on all but one of the the 10 tests leading up to 100,001.

Cfloop Performance Comparison
(Click for full version)

So what causes such a performance difference?

<cfloop ListLen()> was the clear loser by a wide margin.  ListGetAt() is horribly inefficient.  Each time you call it, it has to consume the string from the start, counting delimiters until it reaches position-1, then continue consuming until it reaches position.  This is no surprise at all.

<cfloop collection> was the clear next-to-last-place loser.  The most likely reason for this to me is that internally it needs to loop over some other type of object (in this case, most likely an array of struct keys), then needs to do a lookup within the actual structure itself (a HashMap of some form).

<cfloop StructCount()> came next.  This was a bit of an non-real world scenario.  We didn’t have to loop over a collection of struct keys, we knew what the struct keys were and were able to perform the loop itself in a faster fashion than looking up keys.  But to output the value, we still needed to do HashMap lookups on the keys themselves.

<cfloop ArrayLen()> won the bronze.  Seems to me that this is because we have to do a positional lookup to output the value for each entry.  That shouldn’t be huge because internally this should be represented as a vector of pointers to the actual entries, and since each vector has a fixed memory size, we take ArrayMemoryStartPoint + position * sizeof(vector).  Well, would be nice if that’s the case, but it’s not quite that simple since these arrays are dynamically sized.  We actually have to do a bit of work with a table of memory references, blah blah blah.  Point is we have to do a lookup (albeit cheaper than a struct lookup) to find the correct entry.

<cfloop list> took the silver.  This makes sense, the iterator involved in the cfloop can remember where it left off, and each time through the loop only has to consume up to the next delimiter.  It knows what the index of the previous delimiter is, and so the only lookup it has to do at all is collecting the characters from offset A to offset B (which it could actually have kept track of while it was consuming).

<cfloop array> took the gold, but not by a large margin.  This also makes sense because it has the same sort of performance gain that <cfloop list> has (already knowing its current offset for the next time through the loop), and all it has to do is return a pointer to the next element in the vector.  The vector iterator handles this stuff at a lower level and is able to make the best use of its own internal structures to make this as fast as possible.


<cfloop array> and <cfloop list> are pretty interchangeable even though the former wins the contest.

All of this being said, we are still looking at loop overhead of less than 300 milliseconds even for the slowest (other than <cfloop ListLen()>) loop type for 100,000 records.  This is incredibly trivial overhead for that amount of data.  So in reality which type you use probably depends more on what structures you’re already using – trying to convert to a different data container for your loop will probably cost you as many or more cycles than using the native loop type associated with wherever your data currently is.

, , , ,


CFThread and dividing up work

CFThread is a wonderful addition to ColdFusion 8. It lets you perform parallel actions within your code. However, parallel programming is a complex beast under the best of circumstances.

One of the early things to realize in CF8’s threading support is that it makes a deep copy of the local variables (ala Duplicate()) when you start the thread. In this way you have a lot of thread safety, you can access and change even variables defined outside the thread space, and you really have a copy of that variable local to your thread. You don’t have to worry about other threads changing the value while you’re using it, and you don’t even have to worry about goofing it up for the parent page (the page thread).

Dividing Up the Work
A common use for threading is to divide up a lot of work so that it can be done in parallel. For example, let’s say you have a script which aggregates RSS feeds from 1,000 external sites. All that HTTP stuff is pretty quiet work, you spend a lot of time waiting for responses and the like. It’s a good candidate for parallelizing the work.

With 1,000 requests to make, it’s not a good idea to just create 1,000 threads – you’ll tie up a lot of TCP connections on your server, plus you’ll use up a lot of memory (remember, each thread is going to operate in its own memory space). So let’s decide somewhat arbitrarily that we’re only going to run 10 requests in parallel.

// How many feeds will each thread handle?
eachThreadDoesCount = ceiling(ArrayLen(feedURLs) / parallelThreads);

threadID – 1) * eachThreadDoesCount + 1>
threadID * eachThreadDoesCount, ArrayLen(feedURLs))>

Looks pretty easy, eh? There’s a critical error there though which is not obvious even by Adobe’s documentation. I’ve bolded it for you. This will end up with the earliest URLs getting fetched numerous times, and the later URLs not getting fetched at all.

The reason for this has to do in some way with how ColdFusion initiates its threads under the hood. To me, it looks like when tag is encountered, it actually spawns an initial thread to do the local variable copying. All threads which are started before this initial thread finishes the copying will get an identical set of local variables – this includes the threadID variable used in the loop. I’m not certain if that’s actually what’s going on under the hood, but the behavior is similar as if that is the case. In any event, you cannot rely on variables changed by the parent page (”page thread” by Adobe’s documentation) appearing in your cfthreads, even if that change was made before your specific thread was launched, but after the initial thread was launched.

It seems bizarre, but let me give you a piece of sample code which demonstrates it. This code is non-deterministic for me – that is to say some times I see a “correct” result, but then I immediately refresh it and get a different result.

Here you should see each worker thread having a unique loopID. Instead, for example, my code shows Worker 1 has a loopID of 1, Worker 2 = 2, Worker 3 = 3, Worker 4 = 4, but Workers 5 through 20 have a loopID of 5. If I refresh, it’s different. I’ve seen all 20 workers starting with a loopID of 1, and I’ve seen the first fiew having a loopID of 1, then the next few having a loopID of 5, then the next few having a loopID of 8, etc.

So how do you safely determine which worker you are so you know which of the set of work you should be doing? The answer, as Ray posted in a comment (and contrary to my more elaborate work-around involving locking), is to use the attributes scope:

Basically the idea is you can pass additional custom attributes to and these show up as values in a structure named “attributes” available only within the scope of your thread.



ColdFusion 8.0.1 – Nested Array/Struct Shorthand

As you probably know, ColdFusion 8 gave us a long-needed shorthand for creating arrays and structures:

Unfortunately you couldn’t nest those constructs. With the 8.0.1 updater though, you now can:

This is fantastic when you’re trying to make configurable code – a chunk of code whose basic function is tweakable by updating a few settings variables at the top instead of hard-coding them in throughout the code (for example – URLs, filesystem paths, data sources, etc).

No Comments