What security scripts/code do you add to application.cfm?

Posted 2024-09-26 05:08:02 · 1537 characters · 4 views · 0 comments · Original


I am working on redoing our company's code, and I want to have a clear, easy to read, and reasonably secure application.cfm.

And no, we are not using application.cfc. So let's not discuss that please.

Just want to know what scripts you would add for security.

I am using ColdFusion 8 Standard, SQL 2008.

Here is one of the scripts I am currently using, but I want to hear from some other ColdFusion programmers.

<cfset temp = cleanScopes('form,url') />

<!--- another method to clean url/form data from http://www.garyrgilbert.com/tools/coldfusion/cleanScopes.cfm.txt --->
<cffunction name="cleanScopes" access="public" returntype="void">
    <cfargument name="scopesToClean" type="string" required="yes">
    <cfargument name="charlist" type="string" required="no" default="">
    <cfscript>
        // declare locals with var: otherwise they leak into the Variables scope on every request
        var reTags = "<[^/>]*>|</.*>";
        var scopeName = "";
        var s = "";
        var field = "";
        var prev = "";
    </cfscript>
    <cfloop list="#arguments.scopesToClean#" index="scopeName">
    <!--- note: multipart (file upload) requests are skipped entirely, so their fields are never cleaned --->
    <cfif not findNoCase("multipart/form-data", cgi.CONTENT_TYPE)>
        <cfscript>
            s = Evaluate(scopeName);   // resolves "form" or "url" to the scope struct
            for (field in s) {
                if (isSimpleValue(s[field])) {
                    // strip tags until a pass changes nothing, so tags exposed by a previous pass are removed too
                    if (reTags neq '') {
                        do {
                            prev = s[field];
                            s[field] = REReplaceNoCase(s[field], reTags, "", "ALL");
                        } while (prev NEQ s[field]);
                    }
                    // optionally delete every character in the supplied list
                    if (arguments.charlist neq '')
                        s[field] = ReplaceList(s[field], arguments.charlist, '');
                }
            }
        </cfscript>
    </cfif>
    </cfloop>
    <cfreturn>
</cffunction>

Thank you for your time.


Comments (2)

成熟稳重的好男人 2024-10-03 05:08:02


I would advise against attempting to catch everything in a global fashion. There will inevitably be a few things that slip through the cracks, no matter how complex and convoluted your global protection code gets.

Instead, the "correct" (for what it's worth) method is to sanitize all content being presented on a page (or in an email, etc) -- during output -- that began its life as user input.

That said, take a look at OWASP. They have excellent libraries for protecting from all kinds of attacks, including the various ones you mention (sqli, xss, crlf). A coworker of mine recently wrapped up some of those libraries into a CFC that we can use in our applications, and explained how to use it on our developers' blog:

AntiSamy

If your application accepts user generated HTML, say blog comments for example, you need to make sure you sanitize your input to prevent XSS attacks. You wouldn’t want someone to be able to enter malicious code in your blog comments so you need some way to filter the input. Enter AntiSamy. AntiSamy allows you to easily filter user generated HTML according to what it terms policies. AntiSamy is a Java project, so I have packaged it into a CFC for easy use from ColdFusion.

The simplest way to use AntiSamy is to create an instance of the AntiSamy component (cfc.owasp.AntiSamy) and call the getCleanHTML() method on the input.

<cfset antisamy = CreateObject("component","cfc.owasp.antisamy") />
<cfset cleanHTML = antisamy.scan(form.someInput) />

This will run AntiSamy with the default (fairly permissive) policy file and return the clean HTML markup.

ESAPI Encoder

The next library I’ve brought over from the OWASP project is the ESAPI Encoder. Again this is a Java project which I have wrapped in a CFC for easier use. The encoder provides several methods for encoding beyond those included with ColdFusion. Some of the more useful methods include encodeForJavaScript(), encodeForHTMLAttribute(), and encodeForCSS(). Using the component is pretty straightforward, just instantiate it and call the appropriate method.

<cfset encoder = CreateObject("component","cfc.owasp.Encoder") />
<cfset html = encoder.encodeForHTML("<body onload=""alert('XSS')"">Test</body>") />

One very useful method this library provides is the canonicalize method. The documentation from the beta version of the ESAPI Encoder gives a good description of what this method does.

However, if you insist on a global solution, why reinvent the wheel? Why not try out something like FuseGuard. The price is probably less than the cost of the development-hours that would be spent cobbling together, debugging, and dealing with security problems that break through your home-grown system.

醉态萌生 2024-10-03 05:08:02


Personally, I'm not really sure this "global" approach is the best. I check all incoming data in all models that accept external data, with specific validation rules for each situation. So an additional layer looks like overkill.

Such scripts won't protect you from putting a string into the numeric id passed in the URL -- you have to check it anyway. You have to use HTMLEditFormat/XMLFormat in the views anyway, and so on.

P.S. List loop for CFScript:

for (i=1; i LTE ListLen(scopestoClean); i++) {
    scopeName = ListGetAt(scopestoClean,i);
    //... following code
}
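Added example (not from the question or either answer) of the approach both answers recommend instead of a global scrubber: validate each parameter for the way it is used, bind it with cfqueryparam, and encode at output per context. It assumes a datasource named myDSN, a users table with id, name and bio columns, and the cfc.owasp.Encoder CFC the first answer describes; all three names are assumptions.

```cfml
<!--- Added example, not from the original post. Assumes datasource "myDSN", a
      users(id, name, bio) table and the cfc.owasp.Encoder CFC from the first answer. --->

<!--- 1. Validate the id for its actual use: cleanScopes only strips tags and
         would leave a non-numeric id value in place. --->
<cfif not structKeyExists(url, "id") or not isValid("integer", url.id)>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfabort>
</cfif>

<!--- 2. Bind the value as a typed parameter (CF8 + SQL Server 2008);
         the database never receives it as part of the SQL text. --->
<cfquery name="getUser" datasource="myDSN">
    SELECT name, bio
    FROM users
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<cfif getUser.recordCount eq 0>
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>

<!--- 3. Encode per output context. HTMLEditFormat is built into CF8; the
         attribute and JavaScript contexts use the OWASP Encoder wrapper. --->
<cfset encoder = CreateObject("component", "cfc.owasp.Encoder") />
<cfoutput>
    <h1>#HTMLEditFormat(getUser.name)#</h1>
    <div title="#encoder.encodeForHTMLAttribute(getUser.bio)#">
        #HTMLEditFormat(getUser.bio)#
    </div>
    <a href="edit.cfm?id=#URLEncodedFormat(url.id)#">Edit</a>
    <script type="text/javascript">
        var userName = "#encoder.encodeForJavaScript(getUser.name)#";
    </script>
</cfoutput>
```

Each value is checked or encoded at the point where its meaning is known, which is exactly what a form/url scope scrubber in application.cfm cannot do.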