2022-01-11 Weekly News - Episode 130

Watch the video version on YouTube at https://youtu.be/BkIKAlDLFkQ


Hosts:
Gavin Pickin - Senior Software Developer for Ortus Solutions
Eric Peterson  - Senior Software Developer for Ortus Solutions

Thanks to our Sponsor - Ortus Solutions

The makers of ColdBox, CommandBox, ForgeBox, TestBox and almost every other Box out there. 
A few ways  to say thanks back to Ortus Solutions:

Patreon Support

We have 37 patreons providing 97% of the funding for our Modernize or Die Podcasts via our Patreon site: https://www.patreon.com/ortussolutions.



News and Events


Upcoming Ortus Webinar - cbwire + Alpine.js with Grant Copley

January 28, 2022 - 11:00 AM CT - Central Time (US and Canada)
In this webinar, Grant, lead developer for cbwire, will showcase how to build modern, reactive CFML apps easily using very little JavaScript.
Register today: https://www.ortussolutions.com/events/webinars



Log4j Updates

Log4j-2.17.1 patch released. CommandBox images updates with the latest log4j patched jars
Adobe updated have an updated technote: https://helpx.adobe.com/coldfusion/kb/log4j-2-17-0-vulnerability-coldfusion.html
Other libraries like Spreadsheet-CFML have updated as well.
Note: ​Log4j2 Support in lucee 5.3 is coming along for 5.3.9



‘Elephant Beetle’ Lurks for Months in Networks

The group blends into an environment before loading up trivial, thickly stacked, fraudulent financial transactions too tiny to be noticed but adding up to millions of dollars.
This beetle adores Java. The group is “highly proficient” with Java-based attacks and often targets legacy Java apps running on Linux machines – primarily, the Java-based web servers WebSphere and WebLogic – as a means of initial entry to a target environment, the researchers explained. Beyond that, Elephant Beetle even deploys its own, complete Java web application to do the gang’s bidding on compromised machines that are, meanwhile, chugging along, running legitimate apps.
https://threatpost.com/elephant-beetle-months-networks-financial/177393/?fbclid=IwAR0ytUYx0IOxiNXIUE1jHvqDV0ltP_hBf7XCdEyLEYHfSaKadwf01xPkHLI


Adobe Workshops

More Adobe #ColdFusion Workshops announced, lead by Damien Bruyndonckx
2 dates announced:
February 2, 2022
9.00 AM - 4.30 PM CET
1.30 PM - 9.00 PM IST

March 09, 2022
9.00 AM - 4.30 PM CET
1.30 PM - 9.00 PM IST

https://cf-workshop.meetus.adobeevents.com/



AngularJS EOL’ed 12/31/2021

As AngularJS is faced with an uncertain future, many teams are searching for answers to the current hot topic: if you are using AngularJS, do you continue to maintain your AngularJS applications or do you migrate your applications to another framework? This is not an easy (or cheap) question to answer.
In this article, we’ll go over some of the reasons why you should consider migrating your AngularJS applications, and some ideas on how to plan and budget for a successful migration.
https://www.thisdot.co/blog/why-you-should-consider-migrating-from-angularjs-to-vue



CFCasts Content Updates

https://www.cfcasts.com 

Just Released

Coming soon

Send your suggestions at https://cfcasts.com/support




Conferences and Training


VueJS Nation Conference

Online Live Event
January 26th & 27th 2022
Register for Free
https://vuejsnation.com/



More conferences
Need more conferences, this site has a huge list of conferences for almost any language/community.
https://confs.tech/



Blogs, Tweets and Videos of the Week


Tweet - Adam Cameron - TIL something new about CFOUTPUT
I cannot go into details of why this is a good find, but I was unaware that one can pass an encoding algorithm name like `<cfoutput encodefor="html">` (and a bunch of others) which will automatically escape the values in `#expression#`. Didn't know that.
https://cfdocs.org/cfoutput
https://twitter.com/adam_cameron/status/1480624980668915716
https://twitter.com/adam_cameron


Tweet - James Moberg - Microsoft taking log4j stuff seriously.
While performing some #coldfusion unit testing to identify #log4j exploit attempts (that my WAF may miss), I had to obfuscate the test strings or @msftsecurity would instantly quarantine & report the script. It's good to see that Microsoft is taking this seriously. #cfml
https://twitter.com/gamesover/status/1476347523245694984
https://twitter.com/gamesover


Blog - James Moberg - Log4j Exploit Pattern Detection Using ColdFusion/CFML
Here are my initial attempts at trying to detect Log4j exploit attempts that may make it past our WAF/service provider protections. While our WAF stopped requests from Trend Micro's Log4j Tester, obfuscated requests made it through. At time of testing, Azure wasn't blocking requests. I had to be a little careful with the script as Windows kept instantly quarantining the CFM files and prevented ColdFusion from executing the template.
2021-12-29: Updated rules based on Google Cloud article to additionally block rmi, ldaps & dns (in addition to stripping whitespace.)
https://dev.to/gamesover/log4j-exploit-pattern-detection-using-coldfusioncfml-4l17


Tweet - Zac Spitzer - Show some love for the VS Code CFML Extension
Awesome to see some activity on the vscode-cfml extension, a new minor release coming soon.
If you use it, please show some love and star the repo
https://github.com/KamasamaK/vscode-cfml
#lucee #coldfusion #cfml
https://twitter.com/zackster/status/1476206001384828929
https://twitter.com/zackster


Blog - Ben Nadel - Building An API Client With The fetch() API In JavaScript
In my continued effort to modernize this blog, I'm thinking about trying to replace the jQuery library with more modern techniques. I don't personally have anything against jQuery; but, by replacing it, I'll have an opportunity to learn newer - and hawter - JavaScript APIs (at the expense of robust browser support). Case in point, I want to replace the jQuery.ajax() method with a fetch()-based API client. I've never used the fetch() method before; so, this will be an exciting exploration!
When consuming an API, you should always create an API client…
https://www.bennadel.com/blog/4179-building-an-api-client-with-the-fetch-api-in-javascript.htm


Blog - Ben Nadel - Showing A Comment Preview As You Type On This Blog
Since comments, on this blog, are authored using Markdown (and ColdFusion), there is a delta between what you write in the intake form and what is eventually rendered in the HTML. Much of the time, this delta is expected; however, if you have small errors in your markdown syntax, you can end up with HTML that does not reflect what you had intended to publish. To help narrow the gap between input and output, I've added a comment preview functionality to this blog.
https://www.bennadel.com/blog/4178-showing-a-comment-preview-as-you-type-on-this-blog.htm


Blog - Ben Nadel - Mitigating Cross-Site Scripting (XSS) Attacks With A Strict Content Security Policy (CSP) In ColdFusion 2021
As I continue to evolve my blogging platform, bringing it into the modern ColdFusion era, I'm trying to catch up on best practices. Of course, I've always used SQL query parameterization to block SQL injection attacks. And, I use encodeForHtml() and encodeForHtmlAttribute() in as many places as is feasible. And when converting user-provided markdown into HTML, I use the OWASP Anti-Samy project to sanitize the HTML output. But, one thing I've never had is a Content Security Policy (CSP). A CSP is yet another line-of-defense in the war against Cross-Site Scripting (XSS) attacks.
CAUTION: I Am Not A Security Expert
https://www.bennadel.com/blog/4176-mitigating-cross-site-scripting-xss-attacks-with-a-strict-content-security-policy-csp-in-coldfusion-2021.htm


Blog - Ben Nadel - preserveCaseForStructKey Doesn't Work Inside Application.cfc In Adobe ColdFusion 2021
Over the New Year's holiday, I ran into a rather peculiar behavior regarding the preservation of key-casing and the serializeJson() function in Adobe ColdFusion 2021. It appears that the serialization setting for preserveCaseForStructKey doesn't apply to code that resized physically within the Application.cfc life-cycle event handlers. To demonstrate this, we can setup a simple demo in which we serialize data across the event handlers and then dump-out the response:
https://www.bennadel.com/blog/4175-preservecaseforstructkey-doesnt-work-inside-application-cfc-in-adobe-coldfusion-2021.htm


Blog - Ben Nadel - Posting Comments Using Reply Emails And Postmark's Inbound Streams In ColdFusion 2021
I've been a very happy Postmark customer for the last decade. Their SMTP and API services make sending and receiving emails absurdly simple. And, their Inbound webhooks allow you to treat Postmark as a reverse proxy that transforms inbound email delivery into API calls (webhooks) against your own servers. I've been wanting to use this feature on my blog forever; however, I was always afraid that it would lead to massive abuse. That said, in response to a recent spam attack, I was forced to add comment moderation. Which means, I can safely start playing with reply-based comment posting using Postmark's Inbound stream!
https://www.bennadel.com/blog/4174-posting-comments-using-reply-emails-and-postmarks-inbound-streams-in-coldfusion-2021.htm


Blog - Ben Nadel - Centralizing The Error Response Handling For My ColdFusion Blog
If you've noticed that my blog has been quite quiet over the last few weeks, it's because I've dedicated December to modernizing and upgrading my blogging infrastructure. The refactoring has been extensive, to say the least; and, on the list of things that I've wanted to for a long time is centralizing my error response handling in my ColdFusion code. It took me several days to find, factor-out, and normalize my errors; but, I think I have it at a point that I can easily refine and evolve going forward.
https://www.bennadel.com/blog/4173-centralizing-the-error-response-handling-for-my-coldfusion-blog.htm



CFML Jobs

Several positions available on https://www.getcfmljobs.com/
Listing over 256 ColdFusion positions from 111 companies across 131 locations in 5 Countries.

7 new jobs listed

Contract - CFML Developer at Remote - United States
Jan 11
https://www.getcfmljobs.com/viewjob.cfm?jobid=11407

Full-Time - Software Developer - ColdFusion at Overland Park, KS - United States
Jan 11
https://www.getcfmljobs.com/jobs/index.cfm/united-states/Software-Developer-ColdFusion-at-Overland-Park-KS/11406

Full-Time - IT Engineer Applications (Coldfusion developer/admin) : 19-0.. - United States
Jan 11
https://www.getcfmljobs.com/jobs/index.cfm/united-states/IT-Engineer-Applications-Coldfusion-developeradmin-1905340-at-Portland-OR/11405

Full-Time - Senior Coldfusion Developer |LATAM| at Colon, PA - United States
Jan 11
https://www.getcfmljobs.com/jobs/index.cfm/united-states/Senior-Coldfusion-Developer-LATAM-at-Colon-PA/11404

Full-Time - ColdFusion Developer at Virtual, US - United States
Jan 10
https://www.getcfmljobs.com/jobs/index.cfm/united-states/ColdFusionDev-US/11403

Full-Time - Remote Software Developer (Cold Fusion) at Mississauga, ON - Canada
Dec 31
https://www.getcfmljobs.com/jobs/index.cfm/canada/Remote-CFDev-at-ON-CA/11401

Full-Time - Fresh Software Engineer ( For ColdFusion Only) at Ahmedabad,.. - India
Dec 30
https://www.getcfmljobs.com/jobs/index.cfm/india/Fresh-Software-Engineer-For-ColdFusion-Only-at-Ahmedabad-Gujarat/11402



ForgeBox Module of the Week

JSON-Diff

By Scott Steinbeck
An ColdFusion utility for checking if 2 JSON objects have differences

Call JSONDiff.diff to get a detailed list of changes made between the JSON objects.
Call JSONDiff.isSame to get a simple boolean true or false.

https://www.forgebox.io/view/jsondiff



VS Code Hint Tips and Tricks of the Week

Excel Viewer

If you’re working with data, there’s a high chance that you’ll also encounter an excel spreadsheet in some form. Excel Viewer makes it easy to deal with excel data in your VS Code editor by formatting long and comma-separated strings into a tabled format. This can work wonders for your .csv, .tsv, and .tab extensions.
https://marketplace.visualstudio.com/items?itemName=GrapeCity.gc-excelviewer

Funny link: https://twitter.com/dawntraoz/status/1479490317766336518



Thank you to all of our Patreon Supporters

These individuals are personally supporting our open source initiatives to ensure the great toolings like CommandBox, ForgeBox, ColdBox,  ContentBox, TestBox and all the other boxes keep getting the continuous development they need, and funds the cloud infrastructure at our community relies on like ForgeBox for our Package Management with CommandBox.

You can support us on Patreon here https://www.patreon.com/ortussolutions

Now offering Annual Memberships, pay for the year and save 10% - great for businesses.

You can see an up to date list of all sponsors on Ortus Solutions' Website
https://ortussolutions.com/about-us/sponsors