Security - Sandbox Security

Overview

Sandbox Security (Enterprise Edition only) allows you to create security profiles that restrict what ColdFusion code can do based on its location. You can limit file system access, tag usage, function calls, data source access, and more for specific directories. This is essential for shared hosting environments or multi-tenant applications where you need to prevent one application from accessing another's resources.

Note: Sandbox Security is only available in ColdFusion Enterprise Edition.

Understanding Sandboxes

What is a Sandbox?

• A directory-based security policy that restricts CFML code execution
• Applied to specific directories and their subdirectories
• Controls access to files, datasources, tags, functions, and more
• Critical for multi-tenant environments and shared hosting

When to Use Sandboxes

• Shared Hosting: Multiple customers on same server
• Multi-Tenant Applications: Separate client data and access
• Development Servers: Limit access for untrusted code
• Third-Party Code: Restrict capabilities of external modules
• Compliance: Meet regulatory requirements for data isolation

Sandbox Priority

• More specific (deeper) paths take precedence over general paths
• Example: /var/www/app1 overrides /var/www for files in /var/www/app1
• Use specific sandboxes for exceptions to broader policies

Creating a Sandbox

Step 1: Define Sandbox Directory

• Directory Path: Full path to directory to sandbox
• Example: /var/www/client1, C:\inetpub\wwwroot\app1
• Scope: Applies to directory and all subdirectories
• Multiple Sandboxes: Create separate sandboxes for different applications

Step 2: Configure File Access

• Specify which directories can be accessed for read/write/execute
• Default: No file access outside sandbox directory
• Add paths as needed for legitimate access

Step 3: Configure Additional Restrictions

• Data sources, tags, functions, server/file operations
• IP addresses, ports for network access
• Java integration and external object access

File and Directory Permissions

Read Permission

• Purpose: Allow code to read files and list directories
• Tags Affected: cffile action="read", cfinclude, cfmodule
• Functions Affected: fileRead(), directoryList(), fileExists()
• Default: Only sandbox directory has read access
• Common Additions: Shared libraries, image directories, template paths

Write Permission

• Purpose: Allow code to create, modify, and delete files
• Tags Affected: cffile action="write|append|delete|rename|move"
• Functions Affected: fileWrite(), fileDelete(), directoryCreate()
• Default: No write access outside sandbox
• Common Additions: Upload directories, log directories, cache directories
• Security: Limit write access to only necessary directories

Execute Permission

• Purpose: Allow execution of CFML templates and components
• Applies To: cfinclude, cfmodule, createObject("component")
• Default: Only sandbox directory
• Common Additions: Shared component libraries, framework directories

Delete Permission

• Purpose: Allow deletion of files and directories
• Separate from Write: Can allow write but deny delete
• Use Case: Prevent accidental or malicious data loss

Data Source Restrictions

Restrict Data Source Access

• Purpose: Control which data sources sandbox can access
• Default: Access all configured data sources
• Restricted: Specify allowed data sources by name
• Use Case: Prevent Application A from accessing Application B's database
• Multi-Tenant: Essential for shared database servers

Configuration Steps

• Enable data source restrictions for sandbox
• Add only necessary data sources to allowed list
• Test application thoroughly to ensure all needed datasources accessible
• Monitor for "Access Denied" errors indicating missing permissions

Tag and Function Restrictions

Disable Tags

• Purpose: Prevent use of specific CFML tags
• Common Restrictions:
• cfexecute - Execute system commands
• cfregistry - Access Windows registry
• cfobject type="com" - COM object access
• cfdocument - PDF generation (resource intensive)
• cfhttp - External HTTP requests
• cfldap - LDAP queries
• cfmail - Email sending (use with caution)
• Security: Disable tags that provide system-level access
• Testing: Verify application functionality after restrictions

Disable Functions

• Purpose: Prevent use of specific CFML functions
• Common Restrictions:
• createObject("java") - Java object instantiation
• getPageContext() - Access to underlying servlet context
• fileSystemUtil() - Low-level file operations
• sendGatewayMessage() - Event gateway access
• Granular Control: Disable only risky functions, not entire categories

Server and File Operations

Disable Server/File Function

• GetTempDirectory(): Prevent access to system temp directory
• GetTempFile(): Prevent temp file creation in system directories
• GetProfileString(): Read Windows INI files
• SetProfileString(): Write Windows INI files
• Recommendation: Disable these in untrusted environments

CF Admin Access

• Purpose: Prevent code from accessing administrator API
• Risk: Code could modify server configuration
• Recommendation: Disable unless specifically needed

Network Access Restrictions

IP Address Restrictions

• Purpose: Control which IP addresses code can connect to
• Use Case: Limit external HTTP requests via cfhttp
• Whitelist Approach: Specify allowed IPs or ranges
• Example: Allow internal network (192.168.0.0/16) but block Internet
• Security: Prevent data exfiltration or SSRF attacks

Port Restrictions

• Purpose: Control which ports code can connect to
• Common Allowed: 80 (HTTP), 443 (HTTPS)
• Common Blocked: 21 (FTP), 22 (SSH), 23 (Telnet), 25 (SMTP)
• Use Case: Prevent non-HTTP network operations

Best Practices

Production Environment

• Enable sandboxes for all multi-tenant or untrusted applications
• Use principle of least privilege - only grant necessary permissions
• Create separate sandboxes for each tenant/application
• Disable dangerous tags (cfexecute, cfregistry) by default
• Restrict data source access to only required databases
• Limit file access to application directory plus specific shared resources
• Test thoroughly in development before applying to production
• Document all sandbox configurations and justifications
• Review and audit sandbox settings quarterly

Development Environment

• Mirror production sandbox configuration
• Test applications against sandbox restrictions
• Identify required permissions before deployment
• Use sandbox violations to identify over-privileged code

Security Hardening

• Default Deny: Start with no permissions, add only what's needed
• Layered Security: Combine with file system permissions
• Regular Audits: Review sandbox logs for violations
• Incident Response: Have plan for dealing with sandbox breaches
• Monitoring: Alert on sandbox violations indicating attack attempts

Common Configurations

• Shared Hosting: Strict file/datasource isolation, disable system access tags
• Internal Apps: More permissive, focus on data source separation
• Third-Party Code: Restrict file write, disable Java/COM access
• API Applications: Limit network access, restrict file operations

Common Issues and Solutions

Access Denied Errors

• Symptom: "Access denied by security sandbox" error
• Cause: Code attempting operation not permitted by sandbox
• Solution: Add necessary permission to sandbox or refactor code
• Debugging: Error message indicates which permission is needed
• Caution: Don't blindly add permissions - understand why code needs access

Template Not Found

• Symptom: cfinclude/cfmodule cannot find template
• Cause: Sandbox lacks execute permission for template location
• Solution: Add execute permission for required directory
• Alternative: Move shared templates to sandboxed directory

Data Source Access Denied

• Symptom: Cannot execute queries against datasource
• Cause: Data source not in sandbox's allowed list
• Solution: Add datasource to sandbox permissions
• Verification: Ensure datasource name spelled correctly

File Upload Failures

• Symptom: cffile action="upload" fails
• Cause: No write permission for upload destination
• Solution: Add write permission for upload directory
• Also Check: File system permissions on OS level

Sandbox Not Taking Effect

• Symptom: Restrictions not being enforced
• Cause: Incorrect directory path or sandbox disabled
• Verification: Check "Enable Sandbox Security" is enabled
• Path Match: Ensure sandbox path matches application webroot
• Restart: Some changes require ColdFusion restart

Testing Sandbox Configuration

Test File Access

// Test read access
try {
    fileContent = fileRead("/path/to/test/file.txt");
    writeOutput("Read access: OK<br>");
} catch (any e) {
    writeOutput("Read access: DENIED - " & e.message & "<br>");
}

// Test write access
try {
    fileWrite("/path/to/test/write.txt", "test");
    writeOutput("Write access: OK<br>");
} catch (any e) {
    writeOutput("Write access: DENIED - " & e.message & "<br>");
}

<!--- Test read access --->
<cftry>
    <cfset fileContent = fileRead("/path/to/test/file.txt")>
    <cfoutput>Read access: OK<br></cfoutput>
    <cfcatch type="any">
        <cfoutput>Read access: DENIED - #cfcatch.message#<br></cfoutput>
    </cfcatch>
</cftry>

<!--- Test write access --->
<cftry>
    <cfset fileWrite("/path/to/test/write.txt", "test")>
    <cfoutput>Write access: OK<br></cfoutput>
    <cfcatch type="any">
        <cfoutput>Write access: DENIED - #cfcatch.message#<br></cfoutput>
    </cfcatch>
</cftry>

Test Data Source Access

// Test datasource access
try {
    queryExecute("SELECT 1 as test", {}, {datasource: "myDatasource"});
    writeOutput("Datasource access: OK<br>");
} catch (any e) {
    writeOutput("Datasource access: DENIED - " & e.message & "<br>");
}

<!--- Test datasource access --->
<cftry>
    <cfquery name="testQuery" datasource="myDatasource">
        SELECT 1 as test
    </cfquery>
    <cfoutput>Datasource access: OK<br></cfoutput>
    <cfcatch type="any">
        <cfoutput>Datasource access: DENIED - #cfcatch.message#<br></cfoutput>
    </cfcatch>
</cftry>

Test Tag Restrictions

// Test if cfexecute is disabled
try {
    cfexecute(name="cmd", arguments="/c echo test", timeout="1");
    writeOutput("cfexecute: ENABLED (security risk)<br>");
} catch (any e) {
    writeOutput("cfexecute: DISABLED (secure)<br>");
}

<!--- Test if cfexecute is disabled --->
<cftry>
    <cfexecute name="cmd" arguments="/c echo test" timeout="1"></cfexecute>
    <cfoutput>cfexecute: ENABLED (security risk)<br></cfoutput>
    <cfcatch type="any">
        <cfoutput>cfexecute: DISABLED (secure)<br></cfoutput>
    </cfcatch>
</cftry>

Performance Considerations

Sandbox Performance Impact

• Overhead: Minimal performance impact (1-3%)
• Check Cost: Each file/datasource access triggers permission check
• Caching: ColdFusion caches sandbox checks for performance
• Recommendation: Security benefits far outweigh minor overhead

Optimization Tips

• Use specific paths rather than wildcards when possible
• Minimize number of different directories accessed
• Group permissions logically
• Avoid overly complex sandbox hierarchies

Compliance and Regulations

PCI-DSS Requirements

• Requirement 6.5: Prevent common coding vulnerabilities
• Sandbox security provides defense-in-depth
• Isolate payment processing code from other applications
• Restrict data access to only necessary systems

HIPAA Compliance

• Access controls for protected health information (PHI)
• Sandboxes enforce application-level isolation
• Prevent unauthorized PHI access between applications
• Audit sandbox violations as potential security incidents

Multi-Tenancy Requirements

• Data isolation between tenants
• Prevent cross-tenant data access
• Logical separation using sandboxes
• Compliance with data residency requirements

Related Resources