Monday, March 4, 2013

CFESAPI is now ESAPI4CF and now includes docs!

Yes, the ESAPI for ColdFusion/CFML project is still alive!  I haven't posted about it in a while for 2 reasons.  One, I have not had much time to put towards it but I am trying harder now.  And two, I was always horrible at blogging so finding the time to write something up was not a priority. Anyway, I made some time for both and I have a few things to go over.

I decided to rename CFESAPI to ESAPI4CF.  I thought this just made more sense.  The official OWASP project is defined as "ESAPI for ColdFusion/CFML" and well, enough said.  The GitHub repository was renamed and I created a bogus project under the old "cfesapi" repo with links to get to the updated repository.

I am aware that ColdFusion Server now includes the esapi.jar since the 8.0.1 patch and the 9.0.1 patch (and is now part of 9.0.2) along with version 10.  Railo 4 also includes the jar.  So since the jar is now so popular with the CFML engines, I no longer include it with the library.  In fact, the library requirements have changed so that you must be on a CFML version which includes the esapi.jar.  Again, makes more sense and that seems to be my thing in this post.

So back to the GitHub repo, I have been committing against the development branch once in a while and I decided to move development to master.  I think this code is pretty stable and it also includes documentation...first time for everything!  You will notice that I did a bit of reorganization.  I moved the main source into a subfolder so that I could add additional folders for apirefs, swingset, and libs.  I also moved the unit tests out of the main source folder and into their own folder.  This will allow you to better know which folders to deploy to production and which not to (hint: only the main source should go to production).  The lib folder has your additional jar dependencies needed to run ESAPI4CF.  These still need to go into your /WEB-INF/lib/ folder as always.

So as for what has changed, well the addition of documentation is big!  This is probably what I get asked about the most. The apiref has your JavaDoc-like references to the core library.  I have been working to port the ESAPI SwingSet into ESAPI4CF.  This is not done yet but I was excited to get something new out and felt it time to make it happen.  The SwingSet has a lot of explanation, sample usage, and labs.  It is not all working yet as this is a work in progress but I do hope that it helps out a lot.

The last thing I should note and this is very important so pay attention.  The previous master code attempted to support ESAPI 2.0-something or other.  This became increasingly difficult with the expectation to support back to ColdFusion 8.  I know, CF8 is not supported by Adobe anymore but I made that decision a while back when it still was.  Since I was the majority of the way complete with this work when support was dropped, I didn't want to scrap what I had so I decided to just finish it.  Anyway, I decided that since CF8 was my oldest version to support, ESAPI4CF would support the same esapi.jar version added to CF8 with the patch, ESAPI-1.4.4.  Some code tweaks had to be made in order to run on CF9's ESAPI-2.0_rc10 version but they were minor. Regardless, back when I made this decision I was going to release an ESAPI4CF-1.4.4 for CF8+, ESAPI4CF-2.0_rc10 for CF9+, and ESAPI4CF-2.0.1 for CF10+.  But since this took so long and Adobe has mentioned CF11 coming only a year after CF10 (we'll see), I decided that next I will tackle whatever the latest version currently is in an attempt to play catch up.  So I will for sure be skipping the ESAPI4CF-2.0_rc10 for CF9+ and jumping to whatever the latest is when I decide to start on that.  Not guaranteeing I will be ready to begin while CF10 is still the latest.  Obviously, I still want 1.4.4 completed so that something is out there and I will continue to work on that version to get it feature complete and address bugs.

So anyway, that's my brain dump this time around.  I still have hope that I can get some contributors to ESAPI4CF.  Maybe now that there is documentation others may be more willing to help out.  Just let me know.

UPDATE: Someone pointed out the lack of a link to the GitHub project so here it is: http://damonmiller.github.com/esapi4cf/.  Thanks Tony!