FarCry 7.2.12 in a shared hosting environment (sandbox security)

In order to mitigate the issues I ran into while trying to find a solution for an alleged memory issue in the FarCry core, I enabled the sandbox security feature in the ColdFusion 2018 administrator, disabled the CFExecute() and CFRegistry() tags, restricted the access to the application web root and its subdirectories, and left the default entries for the CF Functions – disabling CreateObject(java) – as well as the createClassLoader runtime permission.
Alas, this did not turn out to be a good idea.

I immediately witnessed the FarCry 7.2.12 core crash on run-up. As I was able to figure out so far, the issues are threefold:

  1. The FarCry core uses the CF GetTempDirectory() function to handle CDN, 3S, file and image uploads. Unfortunately, the GetTempDirectory() returns a path outside the application’s realm, somewhere in the CF 2018 application file-tree.
    So far I was able to resolve this issue for the front-end by adding an application variable bUseSandbox, adding a /temporary directory in the web root, and making adjustments in the CDN section, the file and image CFC, and a few others. This seems to work.
    [Edit: The backend, however, still crashes during an image upload when trying to resize it in local.cfc:ioFileWrite() (around line 163) in the CF imageWrite() function with java.io error that a file or directory cannot be accessed.]
    If anybody is interested, I’ll be happy to share what I figured out so far. (I don’t use the CDN and S3 functions myself but some testing will show where I erred.)

  2. When FarCry starts up the first time after the server being (re)started with or without the ?updateapp=<your_secret_key> URl extenson, it throws an exception in /core/application.cfc when trying to load the plugins in line 184:
    <cfloop list="#(this.plugins ?: "")#" index="plugin">
    The exception reads as follows:
    java.security.AccessControlException: access denied ("java.io.FilePermission" "/Applications/ColdFusion2018/cfusion/wwwroot/WEB-INF/cfclasses/cfApplication2ecfc42533848$func_CF_ANONYMOUSCLOSURE_ELVIS0.class" "read")
    If you change anything in the /core/application.cfc file (for example, by adding a <cfdump> tag) and hitting the browser load button again, FarCry starts up just fine.
    It seems that if you move the plugins preset <cfparam name="this.plugins" default="" /> (it should have been set to include farcrycms in the farcryConstructor.cfm file which will be processed before), prior to calling the setupJARPaths() function, remove the ternary operator from the <cfloop> tag, and remove the preset from the initApplicationScope function, everything seems to be fine.
    [Edit: The same seems to hold true for the ternary operator when calling the addJARPath() function. Here too, I found it necessary to properly preset this.projectDirectoryName before the function all.]
    (Again: I’m happy to share the code.)

  3. To me, it seems that if a hosting provider denies runtime permission for the createClassLoader and/or the use of CreateObject(java), you are screwed. (Or do you know about a shared hosting company which allows to use those CF features?

I am curious if anybody has been playing with the sandbox security and what your experience is. As always, any pointers in the right direction will be greatly appreciated.

Re your question about hosts that allow those tags. Maybe try Hostek. According to the features list they don’t allow CreateObject on the Personal plan but do on the plans above that. BTW you can sign up for a month for free to try them.

ColdFusion Hosting - ColdFusion VPS Hosting - ColdFusion Host Plans | HOSTEK

I haven’t used the CF2018 Sandbox but I’ll answer your questions as best I can;

1 . Yes, GetTempDirectory() is required and the sandbox should be providing access to somewhere on the file system to write temporary files to so that temporary file operations can work. We would not want to write temporary files inside the webroot, such as /temporary because this is a security risk; temporary files should be written somewhere that is not web accessible.

2 . This almost looks like another file system permission issue;

java.security.AccessControlException: access denied ("java.io.FilePermission" "/Applications/ColdFusion2018/cfusion/wwwroot/WEB-INF/cfclasses/cfApplication2ecfc42533848$func_CF_ANONYMOUSCLOSURE_ELVIS0.class" "read")

I’m not sure that declaring this.plugins in a different place would truly be the fix for that exception if it’s a more general problem; The class name is directly related to the Elvis operator, but the compiled class file being unreadable is the underlying issue and so it might also surface in other places that use the Elvis operator as well?

If you have a diff or a copy of the file that you’ve changed then I’m happy to look at it to see if there’s something we can/need to fix.

3 . Yes, FarCry Core requires access to Java classes so hosting providers need to support these functions. If that was a problem I would suggest looking for a better host and/or consider hosting on Lucee rather than Adobe ColdFusion. As Mark says Hostek is probably one of the better choices, but that’s as far as my knowledge extends on shared hosts as I typically host everything myself on DigitalOcean / Vultr / AWS / Azure / others.

Hope that helps :slight_smile:

@ Mark: Thank you for the pointer. I’ll give hostek.com a thorough look later this week. At the first glance, it looks promising, though.

@ Justin: Well, then this means going back to the drawing board…
Is there a possibility to upload the /farcry/core/Application.cfc file?