Merge branch 'development'

Author: lmajano

handlers/Visualizer.cfc

@@ -19,24 +19,24 @@ component extends="coldbox.system.RestHandler" {
 			return "Page Not Found";
 		}
 		// Settings the visualizer will visualize :)
-		prc.settings               = variables.settings;
-        if( prc.settings.firewall.logs.enabled ){
-            prc.logCounts              = dbLogger.count();
-            prc.actionsReport          = dbLogger.getActionsReport();
-            prc.blockTypesReport       = dbLogger.getBlockTypesReport();
-            prc.topOffendingPaths      = dbLogger.getTopOffending( "path" );
-            prc.topOffendingIps        = dbLogger.getTopOffending( "ip" );
-            prc.topOffendingHosts      = dbLogger.getTopOffending( "host" );
-            prc.topOffendingUserAgents = dbLogger.getTopOffending( "userAgent" );
-            prc.topOffendingMethods    = dbLogger.getTopOffending( "httpMethod" );
-            prc.topOffendingUsers      = dbLogger.getTopOffending( "userId" );
-            prc.logs                   = dbLogger.getLatest(
-                top      : 50,
-                action   : rc.action ?: "",
-                blockType: rc.blockType ?: "",
-                userId   : rc.userId ?: ""
-            );
-        }
+		prc.settings = variables.settings;
+		if ( prc.settings.firewall.logs.enabled ) {
+			prc.logCounts              = dbLogger.count();
+			prc.actionsReport          = dbLogger.getActionsReport();
+			prc.blockTypesReport       = dbLogger.getBlockTypesReport();
+			prc.topOffendingPaths      = dbLogger.getTopOffending( "path" );
+			prc.topOffendingIps        = dbLogger.getTopOffending( "ip" );
+			prc.topOffendingHosts      = dbLogger.getTopOffending( "host" );
+			prc.topOffendingUserAgents = dbLogger.getTopOffending( "userAgent" );
+			prc.topOffendingMethods    = dbLogger.getTopOffending( "httpMethod" );
+			prc.topOffendingUsers      = dbLogger.getTopOffending( "userId" );
+			prc.logs                   = dbLogger.getLatest(
+				top      : 50,
+				action   : rc.action ?: "",
+				blockType: rc.blockType ?: "",
+				userId   : rc.userId ?: ""
+			);
+		}
 		// Show the visualizer
 		event.setView( "home/index" );
 	}

interceptors/Security.cfc

@@ -200,11 +200,11 @@ component accessors="true" extends="coldbox.system.Interceptor" {
 	/**
 	 * Listen to module loadings, so we can do module rule registrations
 	 *
-	 * @event
+	 * @event        
 	 * @interceptData
-	 * @rc
-	 * @prc
-	 * @buffer
+	 * @rc           
+	 * @prc          
+	 * @buffer       
 	 */
 	function postModuleLoad( event, interceptData, rc, prc, buffer ){
 		// Is this a cbSecurity Module & not registered
@@ -223,11 +223,11 @@ component accessors="true" extends="coldbox.system.Interceptor" {
 	/**
 	 * Listen to module unloadings, so we can do module rule cleanups
 	 *
-	 * @event
+	 * @event        
 	 * @interceptData
-	 * @rc
-	 * @prc
-	 * @buffer
+	 * @rc           
+	 * @prc          
+	 * @buffer       
 	 */
 	function postModuleUnload( event, interceptData, rc, prc, buffer ){
 		// Is the module registered?
@@ -246,11 +246,11 @@ component accessors="true" extends="coldbox.system.Interceptor" {
 	/**
 	 * Our firewall kicks in at preProcess
 	 *
-	 * @event
+	 * @event        
 	 * @interceptData
-	 * @rc
-	 * @prc
-	 * @buffer
+	 * @rc           
+	 * @prc          
+	 * @buffer       
 	 */
 	function preProcess( event, interceptData, rc, prc, buffer ){
 		// Add SecureView() into the requestcontext
@@ -290,9 +290,9 @@ component accessors="true" extends="coldbox.system.Interceptor" {
 	/**
 	 * Process handler annotation based security rules.
 	 *
-	 * @event
+	 * @event        
 	 * @interceptData
-	 * @currentEvent
+	 * @currentEvent 
 	 */
 	function processAnnotationRules(
 		required event,
@@ -792,7 +792,10 @@ component accessors="true" extends="coldbox.system.Interceptor" {
 			if ( log.canWarn() ) {
 				log.warn(
 					"Potential open redirect attempt detected. Invalid secured URL: #securedURL#. Using home page instead.",
-					{ "ip" : variables.cbSecurity.getRealIp(), "url" : securedURL }
+					{
+						"ip"  : variables.cbSecurity.getRealIp(),
+						"url" : securedURL
+					}
 				);
 			}
 			// Use the application's base URL instead
@@ -808,8 +811,8 @@ component accessors="true" extends="coldbox.system.Interceptor" {
 	 * Validates that a redirect URL is safe by ensuring it belongs to the same host
 	 * as the current request. This prevents open redirect vulnerabilities.
 	 *
-	 * @targetUrl   The URL to validate
-	 * @event The request context
+	 * @targetUrl The URL to validate
+	 * @event     The request context
 	 *
 	 * @return True if the URL is safe to redirect to, false otherwise
 	 */
@@ -830,10 +833,7 @@ component accessors="true" extends="coldbox.system.Interceptor" {
 			return compareNoCase( urlToValidate.getHost(), currentHost ) == 0;
 		} catch ( any e ) {
 			// If URL parsing fails, consider it unsafe
-            log.warn(
-                "Error parsing URL for redirect validation: #arguments.targetUrl# : #e.message#",
-                e.detail
-            );
+			log.warn( "Error parsing URL for redirect validation: #arguments.targetUrl# : #e.message#", e.detail );
 			return false;
 		}
 	}

test-harness/tests/specs/integration/SecuritySpec.cfc

@@ -195,7 +195,6 @@ component extends="coldbox.system.testing.BaseTestCase" appMapping="/root" {
 					} );
 				} );
 			} );
-
 		} );
 	}
 

test-harness/tests/specs/unit/SecurityTest.cfc

@@ -277,7 +277,6 @@ component extends="coldbox.system.testing.BaseInterceptorTest" interceptor="cbse
 			} );
 
 			describe( "URL validation for open redirect prevention", () => {
-
 				beforeEach( ( currentSpec ) => {
 					mockValidator = mockWireBox.getInstance( settings.firewall.validator );
 					security
@@ -291,39 +290,55 @@ component extends="coldbox.system.testing.BaseInterceptorTest" interceptor="cbse
 					mockEvent = createMock( "coldbox.system.web.context.RequestContext" )
 						.$( "getCurrentRoutedURL", "/account" )
 						.$( "buildLink" )
-						.$args( to = "/account", queryString = "", translate = false )
+						.$args(
+							to          = "/account",
+							queryString = "",
+							translate   = false
+						)
 						.$results( "/account" )
 						.$( "setValue" );
 
 					mockFlash = createStub().$( "put" );
 					security.$property( "flash", "variables", mockFlash );
 
-                    makePublic( security, "isSafeRedirectUrl" );
-                    makePublic( security, "saveSecuredUrl" );
+					makePublic( security, "isSafeRedirectUrl" );
+					makePublic( security, "saveSecuredUrl" );
 				} );
 
 				it( "allows relative URLs without a host", () => {
-                    var result = security.isSafeRedirectUrl( targetUrl = "/account", event = mockEvent );
+					var result = security.isSafeRedirectUrl( targetUrl = "/account", event = mockEvent );
 					expect( result ).toBeTrue();
 				} );
 
 				it( "allows URLs with the same host", () => {
-					var result = security.isSafeRedirectUrl( targetUrl = "https://mysite.com/account", event = mockEvent );
+					var result = security.isSafeRedirectUrl(
+						targetUrl = "https://mysite.com/account",
+						event     = mockEvent
+					);
 					expect( result ).toBeTrue();
 				} );
 
 				it( "blocks URLs with different hosts", () => {
-					var result = security.isSafeRedirectUrl( targetUrl = "https://malicioussite.com/phishing", event = mockEvent );
+					var result = security.isSafeRedirectUrl(
+						targetUrl = "https://malicioussite.com/phishing",
+						event     = mockEvent
+					);
 					expect( result ).toBeFalse();
 				} );
 
 				it( "blocks URLs with subdomain differences", () => {
-					var result = security.isSafeRedirectUrl( targetUrl = "https://evil.mysite.com/account", event = mockEvent );
+					var result = security.isSafeRedirectUrl(
+						targetUrl = "https://evil.mysite.com/account",
+						event     = mockEvent
+					);
 					expect( result ).toBeFalse();
 				} );
 
 				it( "is case-insensitive when comparing hosts", () => {
-					var result = security.isSafeRedirectUrl( targetUrl = "https://MySite.COM/account", event = mockEvent );
+					var result = security.isSafeRedirectUrl(
+						targetUrl = "https://MySite.COM/account",
+						event     = mockEvent
+					);
 					expect( result ).toBeTrue();
 				} );
 
@@ -333,10 +348,14 @@ component extends="coldbox.system.testing.BaseInterceptorTest" interceptor="cbse
 				} );
 
 				it( "saves secured URL when it is safe", () => {
-                    mockEvent.$( "getCurrentRoutedURL", "/account" );
+					mockEvent.$( "getCurrentRoutedURL", "/account" );
 					mockEvent
-                        .$( "buildLink" )
-						.$args( to = "/account", queryString = cgi.QUERY_STRING, translate = false )
+						.$( "buildLink" )
+						.$args(
+							to          = "/account",
+							queryString = cgi.QUERY_STRING,
+							translate   = false
+						)
 						.$results( "/account" );
 
 					security.saveSecuredUrl( mockEvent );