Merge branch 'development'

Author: lmajano

CONTRIBUTING.md

@@ -47,8 +47,11 @@ If you discover a security vulnerability, please send an email to the developmen
 
 Please make sure your code runs on the following CFML Engines:
 
+## Prerequisites
+
+- BoxLang 1+ (Preferred)
 - Lucee 5+
-- Adobe ColdFusion 2018+
+- Adobe 2023+
 
 ## Coding Styles & Formatting
 

box.json

@@ -1,6 +1,6 @@
 {
     "name":"ColdBox Security",
-    "version":"3.5.0",
+    "version":"3.6.0",
     "location":"https://downloads.ortussolutions.com/ortussolutions/coldbox-modules/cbsecurity/@build.version@/[email protected]@.zip",
     "author":"Ortus Solutions.com <[email protected]>",
     "slug":"cbsecurity",
@@ -28,7 +28,7 @@
         "cbcsrf":"^3.0.0"
     },
     "devDependencies":{
-		"commandbox-boxlang":"*",
+        "commandbox-boxlang":"*",
         "commandbox-cfformat":"*",
         "commandbox-docbox":"*"
     },
@@ -48,10 +48,13 @@
         "format:watch":"cfformat watch handlers/,interceptors/,models/,test-harness/tests/specs,ModuleConfig.cfc ./.cfformat.json",
         "format:check":"cfformat check handlers/,interceptors/,models/,test-harness/tests/specs,ModuleConfig.cfc",
         "install:dependencies":"install --force && cd test-harness && install --force",
+        "start:boxlang":"server start [email protected]",
         "start:lucee":"server start [email protected]",
         "start:2023":"server start [email protected]",
+        "stop:boxlang":"server stop [email protected]",
         "stop:lucee":"server stop [email protected]",
         "stop:2023":"server stop [email protected]",
+        "logs:boxlang":"server log [email protected] --follow",
         "logs:lucee":"server log [email protected] --follow",
         "logs:2023":"server log [email protected] --follow"
     },

changelog.md

@@ -9,6 +9,15 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Security
+
+- **CRITICAL**: Fixed open redirect vulnerability in `_securedURL` handling. The `saveSecuredUrl()` method now validates redirect URLs to ensure they belong to the same host as the current request, preventing attackers from crafting malicious URLs that redirect users to external sites after login. Added `isSafeRedirectUrl()` validation using `java.net.URI` to compare hosts.
+
+### Fixed
+
+- BOX-164 Allow Visualizer to show settings when firewall.logging not enabled
+-  JWT Handler improperly returns a value causing it to skip ColdBox's RestHandler's response formatting logic.   This results in the entire response object being returned rather than just invoking getDataPacket()
+
 ## [3.5.0] - 2025-10-17
 
 ### Added

handlers/Jwt.cfc

@@ -14,13 +14,14 @@ component extends="coldbox.system.RestHandler" {
 	function refreshToken( event, rc, prc ){
 		// If endpoint not enabled, just 404 it
 		if ( !variables.jwtService.getSettings().jwt.enableRefreshEndpoint ) {
-			return event
+			event
 				.getResponse()
 				.setErrorMessage(
 					"Refresh Token Endpoint Disabled",
 					404,
 					"Disabled"
 				);
+			return;
 		}
 
 		try {
@@ -32,27 +33,31 @@ component extends="coldbox.system.RestHandler" {
 				.setData( prc.newTokens )
 				.addMessage( "Tokens refreshed! The passed in refresh token has been invalidated" );
 		} catch ( RefreshTokensNotActive e ) {
-			return event.getResponse().setErrorMessage( "Refresh Tokens Not Active", 404, "Disabled" );
+			event.getResponse().setErrorMessage( "Refresh Tokens Not Active", 404, "Disabled" );
 		} catch ( TokenNotFoundException e ) {
-			return event
+			event
 				.getResponse()
 				.setErrorMessage(
 					"The refresh token was not passed via the header or the rc. Cannot refresh the unrefreshable!",
 					400,
 					"Missing refresh token"
 				);
 		} catch ( TokenInvalidException e ) {
-			prc.response.setErrorMessage(
-				"Invalid Token - #e.message#",
-				401,
-				"Invalid Token"
-			);
+			event
+				.getResponse()
+				.setErrorMessage(
+					"Invalid Token - #e.message#",
+					401,
+					"Invalid Token"
+				);
 		} catch ( TokenExpiredException e ) {
-			prc.response.setErrorMessage(
-				"Token Expired - #e.message#",
-				400,
-				"Token Expired"
-			);
+			event
+				.getResponse()
+				.setErrorMessage(
+					"Token Expired - #e.message#",
+					400,
+					"Token Expired"
+				);
 		}
 	}
 

handlers/Visualizer.cfc

@@ -20,21 +20,23 @@ component extends="coldbox.system.RestHandler" {
 		}
 		// Settings the visualizer will visualize :)
 		prc.settings               = variables.settings;
-		prc.logCounts              = dbLogger.count();
-		prc.actionsReport          = dbLogger.getActionsReport();
-		prc.blockTypesReport       = dbLogger.getBlockTypesReport();
-		prc.topOffendingPaths      = dbLogger.getTopOffending( "path" );
-		prc.topOffendingIps        = dbLogger.getTopOffending( "ip" );
-		prc.topOffendingHosts      = dbLogger.getTopOffending( "host" );
-		prc.topOffendingUserAgents = dbLogger.getTopOffending( "userAgent" );
-		prc.topOffendingMethods    = dbLogger.getTopOffending( "httpMethod" );
-		prc.topOffendingUsers      = dbLogger.getTopOffending( "userId" );
-		prc.logs                   = dbLogger.getLatest(
-			top      : 50,
-			action   : rc.action ?: "",
-			blockType: rc.blockType ?: "",
-			userId   : rc.userId ?: ""
-		);
+        if( prc.settings.firewall.logs.enabled ){
+            prc.logCounts              = dbLogger.count();
+            prc.actionsReport          = dbLogger.getActionsReport();
+            prc.blockTypesReport       = dbLogger.getBlockTypesReport();
+            prc.topOffendingPaths      = dbLogger.getTopOffending( "path" );
+            prc.topOffendingIps        = dbLogger.getTopOffending( "ip" );
+            prc.topOffendingHosts      = dbLogger.getTopOffending( "host" );
+            prc.topOffendingUserAgents = dbLogger.getTopOffending( "userAgent" );
+            prc.topOffendingMethods    = dbLogger.getTopOffending( "httpMethod" );
+            prc.topOffendingUsers      = dbLogger.getTopOffending( "userId" );
+            prc.logs                   = dbLogger.getLatest(
+                top      : 50,
+                action   : rc.action ?: "",
+                blockType: rc.blockType ?: "",
+                userId   : rc.userId ?: ""
+            );
+        }
 		// Show the visualizer
 		event.setView( "home/index" );
 	}

interceptors/Security.cfc

@@ -200,11 +200,11 @@ component accessors="true" extends="coldbox.system.Interceptor" {
 	/**
 	 * Listen to module loadings, so we can do module rule registrations
 	 *
-	 * @event        
+	 * @event
 	 * @interceptData
-	 * @rc           
-	 * @prc          
-	 * @buffer       
+	 * @rc
+	 * @prc
+	 * @buffer
 	 */
 	function postModuleLoad( event, interceptData, rc, prc, buffer ){
 		// Is this a cbSecurity Module & not registered
@@ -223,11 +223,11 @@ component accessors="true" extends="coldbox.system.Interceptor" {
 	/**
 	 * Listen to module unloadings, so we can do module rule cleanups
 	 *
-	 * @event        
+	 * @event
 	 * @interceptData
-	 * @rc           
-	 * @prc          
-	 * @buffer       
+	 * @rc
+	 * @prc
+	 * @buffer
 	 */
 	function postModuleUnload( event, interceptData, rc, prc, buffer ){
 		// Is the module registered?
@@ -246,11 +246,11 @@ component accessors="true" extends="coldbox.system.Interceptor" {
 	/**
 	 * Our firewall kicks in at preProcess
 	 *
-	 * @event        
+	 * @event
 	 * @interceptData
-	 * @rc           
-	 * @prc          
-	 * @buffer       
+	 * @rc
+	 * @prc
+	 * @buffer
 	 */
 	function preProcess( event, interceptData, rc, prc, buffer ){
 		// Add SecureView() into the requestcontext
@@ -290,9 +290,9 @@ component accessors="true" extends="coldbox.system.Interceptor" {
 	/**
 	 * Process handler annotation based security rules.
 	 *
-	 * @event        
+	 * @event
 	 * @interceptData
-	 * @currentEvent 
+	 * @currentEvent
 	 */
 	function processAnnotationRules(
 		required event,
@@ -773,6 +773,8 @@ component accessors="true" extends="coldbox.system.Interceptor" {
 
 	/**
 	 * Flash the incoming secured Url so we can redirect to it or use it in the next request.
+	 * This method validates the URL to prevent open redirect vulnerabilities by ensuring
+	 * the URL belongs to the same host as the current request.
 	 *
 	 * @event The event object
 	 */
@@ -784,11 +786,58 @@ component accessors="true" extends="coldbox.system.Interceptor" {
 			translate  : false
 		);
 
+		// Validate the URL to prevent open redirect attacks
+		if ( !isSafeRedirectUrl( securedURL, arguments.event ) ) {
+			// If the URL is not safe, log a warning and use the home page instead
+			if ( log.canWarn() ) {
+				log.warn(
+					"Potential open redirect attempt detected. Invalid secured URL: #securedURL#. Using home page instead.",
+					{ "ip" : variables.cbSecurity.getRealIp(), "url" : securedURL }
+				);
+			}
+			// Use the application's base URL instead
+			securedURL = arguments.event.buildLink( to = "", translate = false );
+		}
+
 		// Flash it and place it in RC as well
 		flash.put( "_securedUrl", securedURL );
 		arguments.event.setValue( "_securedUrl", securedURL );
 	}
 
+	/**
+	 * Validates that a redirect URL is safe by ensuring it belongs to the same host
+	 * as the current request. This prevents open redirect vulnerabilities.
+	 *
+	 * @targetUrl   The URL to validate
+	 * @event The request context
+	 *
+	 * @return True if the URL is safe to redirect to, false otherwise
+	 */
+	private boolean function isSafeRedirectUrl( required string targetUrl, required event ){
+		try {
+			// Parse the URL to validate
+			var urlToValidate = createObject( "java", "java.net.URI" ).init( arguments.targetUrl );
+
+			// If the URL is relative (no host), it's safe
+			if ( isNull( urlToValidate.getHost() ) || !len( urlToValidate.getHost() ) ) {
+				return true;
+			}
+
+			// Get the current request's host for comparison
+			var currentHost = variables.cbSecurity.getRealHost();
+
+			// Compare hosts (case-insensitive)
+			return compareNoCase( urlToValidate.getHost(), currentHost ) == 0;
+		} catch ( any e ) {
+			// If URL parsing fails, consider it unsafe
+            log.warn(
+                "Error parsing URL for redirect validation: #arguments.targetUrl# : #e.message#",
+                e.detail
+            );
+			return false;
+		}
+	}
+
 	/**
 	 * Verifies that the current event is in a given pattern list
 	 *

readme.md

@@ -36,8 +36,9 @@ Apache License, Version 2.0.
 
 ## Requirements
 
+- BoxLang 1+ (Preferred)
 - Lucee 5+
-- ColdFusion 2018+
+- Adobe 2023+
 - ColdBox 6+
 - ColdBox 7+ for delegates and basic auth support only
 
@@ -339,6 +340,8 @@ Once the firewall has the results, and the user is **NOT** allowed access. Then
 - The request will be logged via LogBox
 - If the firewall database logs are enabled, then we will log it in our database logs
 - The current URL will be flashed as `_securedURL` so it can be used in relocations
+  - **Security Note**: The URL is validated to ensure it belongs to the same host as the current request to prevent open redirect attacks
+  - Only same-host URLs or relative URLs are allowed; external URLs will be replaced with the application home page
 - If using a rule, the rule will be stored in `prc` as `cbsecurity_matchedRule`
 - The validator results will be stored in `prc` as `cbsecurity_validatorResults`
 - If the type of invalidation is `authentication` the `cbSecurity_onInvalidAuthentication` interception will be announced

[email protected]

@@ -5,6 +5,7 @@
         "cfengine":"boxlang@1"
     },
     "web":{
+        "host":"0.0.0.0",
         "http":{
             "port":"60299"
         },
@@ -21,7 +22,7 @@
         "javaVersion":"openjdk21_jre",
         "args":"-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=8888"
     },
-    "openBrowser": false,
+    "openBrowser":false,
     "cfconfig":{
         "file":".cfconfig.json"
     },

test-harness/config/Coldbox.cfc

@@ -96,7 +96,7 @@
 					// Firewall Validator
 					//"validator"                   : "BasicAuthValidator@cbsecurity",
 					"logs" : {
-						enabled : true
+						enabled : false
 					},
 					// The global security rules
 					"rules"                      : [

test-harness/tests/specs/integration/JWTSpec.cfc

@@ -145,6 +145,15 @@ component extends="coldbox.system.testing.BaseTestCase" appMapping="/root" {
 								404,
 								event.getResponse().getMessagesString()
 							);
+
+							// Matches the ColdBox RestHandler default response format spec
+							var jsonResponse = deserializeJSON( event.getRenderedContent() );
+							expect( jsonResponse ).toHaveLength( 4 );
+							expect( jsonResponse ).toHaveKey( "data" );
+							expect( jsonResponse ).toHaveKey( "error" );
+							expect( jsonResponse ).toHaveKey( "pagination" );
+							expect( jsonResponse ).toHaveKey( "messages" );
+							expect( jsonResponse.messages[ 1 ] ).toBe( event.getResponse().getMessagesString() );
 						} );
 					} );
 					given( "An activated endpoint but no refresh tokens passed", function(){