CommandBox : CLI, Package Manager, REPL & More
Search…
5.6.0
Introduction
About This Book
Authors
Overview
Release History
Getting Started Guide
Setup
Usage
IDE Integrations
Config Settings
Embedded Server
Multi-Engine Support
ModCFML Support
Server Versions
Start HTML Server
Offline Server Starts
Debugging Server Starts
Server Processes
Manage Servers
FusionReactor
Server Logs
Server Scripts
Configuring Your Server
Security
Server Profiles
Server Rules
Baked in Rules
Allowed Static Files
Rule Language
Custom Predicates/Handlers
Rule Examples
Debugging Server Rules
Server Port and Host
Proxy IP
SSL Server Certs
HTTPS Redirect/HSTS
URL Rewrites
Aliases
Custom Error Pages
Welcome Files
Custom Java Version
Adding Custom Libs
GZip Compression
REST Servlet
Performance Tuning
Undertow Options
Custom Tray Menus
JVM Args
Ad-hoc Env Vars
Ad-Hoc Java System Properties
server.json Env Var overrides
Server Home
web.xml Overrides
Experimental Features
External Web Server
Starting as a Service
Single Server Mode
Server.json
Package Management
Task Runners
Helpful Commands
Deploying CommandBox
TestBox Integration
Developing For CommandBox
ForgeBox Enterprise
Introduction
Storage
Commands
Usage
Powered By GitBook
Baked in Rules

CommandBox has a few baked in rules that you can apply ad-hoc or as part of a server profile.
  • web.blockCFAdmin - Returns 404 error page for any Adobe CF or Lucee Server admin administrator paths
  • web.blockSensitivePaths - Returns 404 error page for common config files such as box.json or .env
  • web.blockFlashRemoting - Blocks all paths related to Flash and Flex remoting calls
If you want to customize the rules above, simply turn them off and include the rules directly in your server.json where you can modify them as you see fit.

This setting has three possible settings:
  • true - Block ALL access to ColdFusion and Lucee admins
  • false - Do not block anything
  • external - Only block access not coming from localhost.
The exact rule activated when you set this property to true is:
block-cf-admin()
The exact rule activated when you set this property to external is:
cf-admin() -> block-external()

This setting only allows true/false. This is a bit of a catch-all rule for any sort of paths that a user should never be able to make on production that could reveal information or access secret parts of your CF installation. When set to true, the following rules are activated:
// track and trace verbs can leak data in XSS attacks
disallowed-methods( methods={trace,track} )
​
// Common config files and sensitive paths that should never be accessed, even on development
regex( pattern='.*/(box.json|server.json|web.config|urlrewrite.xml|package.json|package-lock.json|Gulpfile.js)', case-sensitive=false ) -> set-error(404)
​
// Any file or folder starting with a period
regex('/\.')-> set-error( 404 )
​
// Additional serlvlet mappings in Adobe CF's web.xml
path-prefix( { '/JSDebugServlet','/securityanalyzer','/WSRPProducer' } ) -> set-error( 404 )
​
// java web service (Axis) files
regex( pattern='\.jws#x27;, case-sensitive=false ) -> set-error( 404 )
When the profile is set to production, the following rule is also added which blocks the ColdFusion RDS access from CF Builder and access to TestBox runners:
regex( pattern='.*/(CFIDE/multiservermonitor-access-policy.xml|CFIDE/probe.cfm|CFIDE/main/ide.cfm|tests/runner.cfm|testbox/system/runners/HTMLRunner.cfm)', case-sensitive=false ) -> set-error(404)
If you need to legitimately access any of these paths, you'll need to turn off this setting and custom-add the rules that you want to keep. This setting is a convenience that adds several rules at once.

This setting only allows true/false. When set to true, the following rules are activated:
// These all map to web.xml servlet mappings for ACF
path-prefix( { '/flex2gateway','/flex-internal','/flashservices/gateway','/cfform-internal','/CFFormGateway' } ) -> set-error( 404 )
​
// Files used for flash remoting
regex( pattern='\.(mxml|cfswf)#x27;, case-sensitive=false ) -> set-error( 404 )
If you need to legitimately access any of these paths, you'll need to turn off this setting and custom-add the rules that you want to keep. This setting is a convenience that adds several rules at once.

What if you want to go one step deeper? For instance, the blockSensitivePaths setting blocks a whole bunch of stuff all in one shot. An example might be wanting to open up JUST the RDS IDE integration for your developers, which funnels through the /CFIDE/main/ide.cfm path which you can see is blocked above.
The solution to this is quite simple and is all based on the ORDER in which your rules are processed. Built-in CommandBox rules are the last to process. This means that if you hijack the predicates with a custom rule FIRST, you can override the behavior of the built in rules. So, if we want to allow access to the /CFIDE/main/ide.cfm path, we just need to add a custom rule that matches that path and then aborts the predicate chain so no further rules fire.
server set web.rules="['path(/CFIDE/main/ide.cfm)->done']" --append
Which gives you the following server.json
{
"web":{
"rules":[
"path(/CFIDE/main/ide.cfm)->done"
]
}
}
The done handler is what bypasses all subsequent rules for the request.
Since your custom rules are processed BEFORE the built-in rules, that also means that you have the ability to accidentally bypass security rules by applying another rule that intercepts the request! By default a custom rule won't block subsequent rules from firing unless you rewrite the request or use the special done handler.
​
Previous
Server Rules
Next
Allowed Static Files
Last modified 30d ago
Copy link
Edit on GitHub
On this page
Baked-in Rules
Block CF Admin
Block Sensitive Paths
Block Flash Remoting
Override just part of a baked-in rule