Modernize or Die® - CFML News for January 11th, 2022 - Episode 130
Gavin Pickin and Eric Peterson host the first CFML News Podcast of the year. They talked about the upcoming Webinar from Ortus, and workshop from Adobe. They discuss more updates for Log4j and another security story, on the Elephant Beetle. They also say goodbye to AngularJS, which was EOL'ed at the end of 2021. They discuss the latest CFCasts content, including the Into the Box 2021 videos available for free, and some upcoming conferences. They spotlight a lot of great blog posts, tweets, videos and podcasts, too many to list, so listen to the show. They announce some jobs from getCfmlJobs.com. They show off the ForgeBox module of the Week - JSON-Diff by Scott Steinbeck - a ColdFusion utility for checking if 2 JSON objects have differences. This week's VS Code Tip of the week is Excel Viewer - if you’re working with data, there’s a high chance that you’ll also encounter an Excel spreadsheet in some form. Excel Viewer makes it easy to deal with Excel data in your VS Code editor. They thanked all their Patreons and talked a little about perks for their Patreon supporters, and a new option, Annual Memberships with a discount.
For the show notes - visit the website https://cfmlnews.modernizeordie.io/episodes/modernize-or-die-cfml-news-for-january-11th-2022-episode-130
Music from this podcast used under Royalty Free license from SoundDotCom https://www.soundotcom.com/ and BlueTreeAudio https://bluetreeaudio.com
Watch the video version on YouTube at https://youtu.be/BkIKAlDLFkQ
Gavin Pickin - Senior Software Developer for Ortus Solutions
Eric Peterson - Senior Software Developer for Ortus Solutions
Thanks to our Sponsor - Ortus Solutions
The makers of ColdBox, CommandBox, ForgeBox, TestBox and almost every other Box out there.
A few ways to say thanks back to Ortus Solutions:
- Like and subscribe to our videos on YouTube.
- Subscribe to our Podcast on your Podcast Apps and leave us a review
- Sign up for a free or paid account on CFCasts, which is releasing new content every week
- Buy Ortus’s Book - 102 ColdBox HMVC Quick Tips and Tricks on GumRoad (http://gum.co/coldbox-tips)
We have 37 patreons providing 97% of the funding for our Modernize or Die Podcasts via our Patreon site: https://www.patreon.com/ortussolutions.
News and Events
Upcoming Ortus Webinar - cbwire + Alpine.js with Grant Copley
January 28, 2022 - 11:00 AM CT - Central Time (US and Canada)
Register today: https://www.ortussolutions.com/events/webinars
Log4j-2.17.1 patch released. CommandBox images updated with the latest log4j patched jars
Adobe have an updated technote: https://helpx.adobe.com/coldfusion/kb/log4j-2-17-0-vulnerability-coldfusion.html
Other libraries like Spreadsheet-CFML have updated as well.
Note: Log4j2 support in Lucee 5.3 is coming along for 5.3.9
‘Elephant Beetle’ Lurks for Months in Networks
The group blends into an environment before loading up trivial, thickly stacked, fraudulent financial transactions too tiny to be noticed but adding up to millions of dollars.
This beetle adores Java. The group is “highly proficient” with Java-based attacks and often targets legacy Java apps running on Linux machines – primarily, the Java-based web servers WebSphere and WebLogic – as a means of initial entry to a target environment, the researchers explained. Beyond that, Elephant Beetle even deploys its own, complete Java web application to do the gang’s bidding on compromised machines that are, meanwhile, chugging along, running legitimate apps.
More Adobe #ColdFusion Workshops announced, led by Damien Bruyndonckx
2 dates announced:
February 2, 2022
9.00 AM - 4.30 PM CET
1.30 PM - 9.00 PM IST
March 09, 2022
9.00 AM - 4.30 PM CET
1.30 PM - 9.00 PM IST
AngularJS EOL’ed 12/31/2021
As AngularJS is faced with an uncertain future, many teams are searching for answers to the current hot topic: if you are using AngularJS, do you continue to maintain your AngularJS applications or do you migrate your applications to another framework? This is not an easy (or cheap) question to answer.
In this article, we’ll go over some of the reasons why you should consider migrating your AngularJS applications, and some ideas on how to plan and budget for a successful migration.
CFCasts Content Updates
- Into the Box 2021 are now all FREE - https://cfcasts.com/series/into-the-box-2021
- Into the Box LATAM
Send your suggestions at https://cfcasts.com/support
Conferences and Training
VueJS Nation Conference
Online Live Event
January 26th & 27th 2022
Register for Free
Need more conferences? This site has a huge list of conferences for almost any language/community.
Blogs, Tweets and Videos of the Week
Tweet - Adam Cameron - TIL something new about CFOUTPUT
I cannot go into details of why this is a good find, but I was unaware that one can pass an encoding algorithm name like `<cfoutput encodefor="html">` (and a bunch of others) which will automatically escape the values in `#expression#`. Didn't know that.
Tweet - James Moberg - Microsoft taking log4j stuff seriously.
While performing some #coldfusion unit testing to identify #log4j exploit attempts (that my WAF may miss), I had to obfuscate the test strings or @msftsecurity would instantly quarantine & report the script. It's good to see that Microsoft is taking this seriously. #cfml
Blog - James Moberg - Log4j Exploit Pattern Detection Using ColdFusion/CFML
Here are my initial attempts at trying to detect Log4j exploit attempts that may make it past our WAF/service provider protections. While our WAF stopped requests from Trend Micro's Log4j Tester, obfuscated requests made it through. At time of testing, Azure wasn't blocking requests. I had to be a little careful with the script as Windows kept instantly quarantining the CFM files and prevented ColdFusion from executing the template.
2021-12-29: Updated rules based on Google Cloud article to additionally block rmi, ldaps & dns (in addition to stripping whitespace.)
Tweet - Zac Spitzer - Show some love for the VS Code CFML Extension
Awesome to see some activity on the vscode-cfml extension, a new minor release coming soon.
If you use it, please show some love and star the repo
#lucee #coldfusion #cfml
When consuming an API, you should always create an API client…
Blog - Ben Nadel - Showing A Comment Preview As You Type On This Blog
Since comments, on this blog, are authored using Markdown (and ColdFusion), there is a delta between what you write in the intake form and what is eventually rendered in the HTML. Much of the time, this delta is expected; however, if you have small errors in your markdown syntax, you can end up with HTML that does not reflect what you had intended to publish. To help narrow the gap between input and output, I've added a comment preview functionality to this blog.
Blog - Ben Nadel - Mitigating Cross-Site Scripting (XSS) Attacks With A Strict Content Security Policy (CSP) In ColdFusion 2021
As I continue to evolve my blogging platform, bringing it into the modern ColdFusion era, I'm trying to catch up on best practices. Of course, I've always used SQL query parameterization to block SQL injection attacks. And, I use encodeForHtml() and encodeForHtmlAttribute() in as many places as is feasible. And when converting user-provided markdown into HTML, I use the OWASP Anti-Samy project to sanitize the HTML output. But, one thing I've never had is a Content Security Policy (CSP). A CSP is yet another line-of-defense in the war against Cross-Site Scripting (XSS) attacks.
CAUTION: I Am Not A Security Expert
Blog - Ben Nadel - preserveCaseForStructKey Doesn't Work Inside Application.cfc In Adobe ColdFusion 2021
Over the New Year's holiday, I ran into a rather peculiar behavior regarding the preservation of key-casing and the serializeJson() function in Adobe ColdFusion 2021. It appears that the serialization setting for preserveCaseForStructKey doesn't apply to code that resides physically within the Application.cfc life-cycle event handlers. To demonstrate this, we can setup a simple demo in which we serialize data across the event handlers and then dump-out the response:
Blog - Ben Nadel - Posting Comments Using Reply Emails And Postmark's Inbound Streams In ColdFusion 2021
I've been a very happy Postmark customer for the last decade. Their SMTP and API services make sending and receiving emails absurdly simple. And, their Inbound webhooks allow you to treat Postmark as a reverse proxy that transforms inbound email delivery into API calls (webhooks) against your own servers. I've been wanting to use this feature on my blog forever; however, I was always afraid that it would lead to massive abuse. That said, in response to a recent spam attack, I was forced to add comment moderation. Which means, I can safely start playing with reply-based comment posting using Postmark's Inbound stream!
Blog - Ben Nadel - Centralizing The Error Response Handling For My ColdFusion Blog
If you've noticed that my blog has been quite quiet over the last few weeks, it's because I've dedicated December to modernizing and upgrading my blogging infrastructure. The refactoring has been extensive, to say the least; and, on the list of things that I've wanted to do for a long time is centralizing my error response handling in my ColdFusion code. It took me several days to find, factor-out, and normalize my errors; but, I think I have it at a point that I can easily refine and evolve going forward.
Several positions available on https://www.getcfmljobs.com/
Listing over 256 ColdFusion positions from 111 companies across 131 locations in 5 Countries.
7 new jobs listed
Contract - CFML Developer at Remote - United States
Full-Time - Software Developer - ColdFusion at Overland Park, KS - United States
Full-Time - IT Engineer Applications (Coldfusion developer/admin) : 19-0.. - United States
Full-Time - Senior Coldfusion Developer |LATAM| at Colon, PA - United States
Full-Time - ColdFusion Developer at Virtual, US - United States
Full-Time - Remote Software Developer (Cold Fusion) at Mississauga, ON - Canada
Full-Time - Fresh Software Engineer ( For ColdFusion Only) at Ahmedabad,.. - India
ForgeBox Module of the Week
JSON-Diff
By Scott Steinbeck
A ColdFusion utility for checking if 2 JSON objects have differences
Call JSONDiff.diff to get a detailed list of changes made between the JSON objects.
Call JSONDiff.isSame to get a simple boolean true or false.
VS Code Hint Tips and Tricks of the Week
If you’re working with data, there’s a high chance that you’ll also encounter an excel spreadsheet in some form. Excel Viewer makes it easy to deal with excel data in your VS Code editor by formatting long and comma-separated strings into a tabled format. This can work wonders for your .csv, .tsv, and .tab extensions.
Funny link: https://twitter.com/dawntraoz/status/1479490317766336518
Thank you to all of our Patreon Supporters
These individuals are personally supporting our open source initiatives to ensure the great toolings like CommandBox, ForgeBox, ColdBox, ContentBox, TestBox and all the other boxes keep getting the continuous development they need, and to fund the cloud infrastructure that our community relies on, like ForgeBox for our Package Management with CommandBox.
You can support us on Patreon here https://www.patreon.com/ortussolutions
Now offering Annual Memberships, pay for the year and save 10% - great for businesses.
- Bronze Packages and up, now get a ForgeBox Pro and CFCasts subscriptions as a perk for their Patreon Subscription.
- All Patreon supporters have a Profile badge on the Community Website
- All Patreon supporters have their own Private Forum access on the Community Website
- John Wilson - Synaptrix
- Eric Hoffman
- Gary Knight
- Mario Rodrigues
- Giancarlo Gomez
- David Belanger
- Jonathan Perret
- Jeffry McGee - Sunstar Media6
- Dean Maunder
- Joseph Lamoree
- Don Bellamy
- Jan Jannek
- Laksma Tirtohadi
- Carl Von Stetten
- Dan Card
- Jeremy Adams
- Jordan Clark
- Matthew Clemente
- Daniel Garcia
- Scott Steinbeck - Agri Tracking Systems
- Ben Nadel
- Mingo Hagen
- Brett DeLine
- Kai Koenig
- Charlie Arehart
- Jonas Eriksson
- Jason Daiger
- Jeff McClain
- Shawn Oden
- Matthew Darby
- Ross Phillips
- Edgardo Cabezas
- Patrick Flynn
- Stephany Monge
- Kevin Wright
- Steven Klotz
You can see an up to date list of all sponsors on Ortus Solutions' Website