Update: There's an updated blog post with more current results here: 

http://www.codersrevolution.com/blog/whos-had-more-vulns-redux-php-java-coldfusion-ror-or-net

I get tired of people on complaining about ColdFusion as a technology choice because it's "so insecure".   I regularly am told that it has more holes, more vulnerabilities, and a worse track record than other platforms. That's why I compiled this quick chart showing the number of Common Vulnerabilities and Exposures (CVE) by year for CF as well as PHP and Java (as reported by cvedetails.com) which are two of the most-used languages on the web.  I also threw in Apache Tomcat for comparison since it completes in the web space and CF10 actually runs on a version of it.

Click to enlarge

So to break this down, the red line riding out on top with a huge spike in 2007, that's PHP.  The purple line coming out of the backfield for a solid lead (?) at the end is Java.  The yellow line is Tomcat who still manages 10-15 vulns a year (and the only one to go LOWER than CF.  And that green line on the bottom with the lowest number of vulns every year, and nothing even reported until 2006- that would be CF.

So, sure-- there's a lot more info than just the counts on the chart.  My point also isn't that PHP or Java are bad-- I'm just trying to make the point that oft-used technologies are targeted by crackers and nobody is perfect.  And according to this data, CF is doing way better than several of the main techs out there.  It should also be noted that CF, Java, and PHP were all created the same year-- 1995, so don't give me any of this "old" crap either.  (Tomcat was created in 1999)

References:

• http://en.wikipedia.org/wiki/Timeline_of_programming_languages
• http://en.wikipedia.org/wiki/Apache_Tomcat
• http://www.cvedetails.com/vendor/74/PHP.html
• http://www.cvedetails.com/product/8739/Adobe-Coldfusion.html?vendor_id=53
• http://www.cvedetails.com/product/1526/SUN-JRE.html?vendor_id=5
• http://www.cvedetails.com/product/887/Apache-Tomcat.html?vendor_id=45

In my last entry, CFML, Meet Runnable.com For Live Code Sharing, I talked about what Runnable.com is and why it's worth looking into for anyone who's looking for a nice platform to publish live working code samples that people can launch in their web browser.    Today I'd like to cover the steps I took to getting CFML working on Runnable as well as gotcha's and other bits that weren't immediately obvious.  The great thing is, you don't have to know most of this to publish your own code!  Just click on one of my Runnables, click the "Save Draft" button, change the name, description, and code to your liking, and then Publish it!  You don't have to start from scratch; you can spring board off of my work.  For those of you who want to do it your way or are just curious, keep reading.

As discussed in the first post, each runnable is stored as a template of a Linux server called a "container" and is managed by a technology called Docker.io.  When a user comes to the site and clicks a runnable, a unique lightweight "instance" will be spawned from the container template just for that user.  This instance actually runs inside of a master linux instance that it shares resources with, but it is completely isolated from all other instances.  It will also be destroyed when the user leaves their web page.  As such, site users have root access to this instance and can run whatever commands and write whatever code they want, but they are isolated to their instance and securing the runnable is not necessary.

Here's a list of items in no particular order that I wish were documented somewhere on the site when I started:

Getting Started

• If you want to start from scratch, visit http://runnable.com/new and click "bash". 
• If you want to start from an existing runnable, view it and click "Save Draft"
• You will need to create an account to make a runnable, but that makes sense
• Edit the title of the runnable by clicking the pencil icon.  Make sure you hit save!
• Edit the description of the runnable by clicking the pencil icon.  Make sure you hit save!  I have put in a suggestion that this allow rich text

Managing Files

• The folder icon in the upper righthand corner will open a file explorer.  You can created folders and files here.  Click on a file to open it.  
• Right click on a file and choose "Set Open by Default" for that file to default to being open in a tab when people visit your runnable
• The editor has decent color coding and does allow you to copy paste in it.
• The default folder for the file manager is /root.  You cannot change this, but if you ask Runnable, they will
• The runnable guys can also filter what files and folders show up if you ask them.

Using The Terminal

• Below is the terminal with a bash prompt.  Hit the icon to the right of the word "Terminal" to pop out into a new full screen tab.
• You can copy text by highlighting and right-clicking
• If you edit a command at the shell prompt it will appear as though it has overwritten your text.  Have no fear.  Press the "end" key on your keyboard and it will fix itself.
• uname -a returns
  Linux runnable 3.8.0-19-generic #29-Ubuntu SMP Wed Apr 17 18:16:28 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux

Installing Software

• You can use wget to download whatever installers you want
• You can use apt-get to install whatever packages you want
• You can install Git and clone repos (This is what I do)
• As far as the server you set up, the world is your oyster.  Any servlet container, CFML engine, and configuration is valid as long as it runs on Ubuntu.
• Note, I had issues getting the Railo Linux installer to run.  I have logged this issue with the Runnable guys.
• I installed Tomcat via apt-get and deployed Railo as a WAR file in the root context.  To do this, delete the folder called ROOT under /var/lib/tomcat/webapps, rename the Railo file to ROOT.jar and place it in the webapps folder.  After a few seconds, Tomcat will pick it up and explode it out.  The /var/lib/tomcat7/webapps/ROOT folder is your new web root.  I asked the Runnable guys to default the editor file explorer to there.
• If you have them disable Apache, you can bind Tomcat to port 80 but I just set up a reverse proxy so I could use Apache's rewrite module.

Configuring CFML

• The config for the default Apache site is located in /etc/apache2/sites-available/ in a file called "default".  
• By default the web root is /var/www.  I changed the DocumentRoot directive and <Directory> tag to /var/lib/tomcat7/webapps/ROOT
• I also changed the DirectoryIndex directive to index.cfm
• I created a file called "railo.conf" in the /etc/apache2/conf.d directory.  It is automatically included.
• Inside I set up my proxy to the standard AJP port:

  <Proxy *>
  Allow from 127.0.0.1
  </Proxy>
  ProxyPreserveHost On
  ProxyPassMatch ^/(.+\.cf[cm])(/.*)?$ ajp://localhost:8009/$1$2

• Check in /etc/apache2/mods-enabled and if proxy.conf, proxy.load, and proxy_ajp.load aren't listed, enable them with a2enmod
  sudo a2enmod module_name
• Tomcat web config is located In /etc/tomcat7/server.xml 
• Uncomment the AJP connector on port 8009
• The web root is configured in the <host> block.  Check it if you're going somewhere different than the default context.
• When "running", if you break the page out of the frame, you can access the Railo administrator at the usual URL by adding /railo-context/admin/server.cfm to the end of the URL
• I didn't set the Railo password, but there's not security concern if someone accesses it since the entire instance is unique to them.

Running Code

• For a web framework, you don't need to change the "Run cmd" or "Build cmd" options that drop down on the "Run" button.  
• I would also recommend setting "Only Web" which will not show the terminal window along side the web page output.
• When the Run button is pressed, a new window will open that hits your instance in an iframe.  A DNS name will be created on the fly that uses a GUID to make it unique.  You can click an icon to open your runnable address directly in the main browser tab.
• Basically, whatever is spit back on port 80 in the web root is what the user will see.  There is currently no way to have the "run" button target a specific URL or query string, but I have requested that.
• If everything is set up correctly, you should see your default page rendered.  If you've copied one of my runnables it will just work :)
• Your sample can have multiple pages that the user navigates between.  You can have an entire site if you want!  I like to have instructions on the first page, and then links to view additional pages that show code running.
• Your pages can submit forms, upload files-- there really aren't any restrictions.

Gotchas

• You cannot paste text into the terminal window.  This is VERY annoying.
• A very slick workaround if you need to download an extremely long URL is to shorten the URL with a URL shortner.  wget will follow the 302 redirect automatically and it's much less typing.
• You cannot SSH directly to the instance via PuTTy.  I have suggested they allow this.
• Apache is automatically running and bound to port 80.  The runnable guys can disable that, but you can't.  Whatever you do, it will come back.
• Port 80 is the ONLY externally-accessible port.  That means you can't run Tomcat on 8080, etc.
• Tomcat will NOT start by default and there's nothing you can do to fix it.  E-mail the Runnable guys and ask them to change your instance startup script to include Tomcat and they will happily oblige.
• Tomcat takes a few seconds to spin up and Apache will throw a 503 the first time someone hits it.  I have reported this issue, and in the mean time I placed a custom ErrorDocument directive in /etc/apache2/sites-enabled/default like so:

  ErrorDocument 503 "<meta http-equiv=\"refresh\" content=\"1\">Loading..."

  This overrides Apache's default 503 error page with one that simply says "Loading..." and refreshes every second until Tomcat and Railo are ready to serve requests.
• Runnables don't have access to public DNS so don't try to CFHTTP to cgi.server_name in your code as it won't resolve. localhost will work. (Ran into this on the HTTP Runner for TestBox)
• Runnables are case sensitive-- good to remember if you're developing the examples on windows.
• Your account won't be able to publish at first.  Just E-mail, Tweet, or fill out their contact form and they'll approve you.

Git Workflow

• I have created a GitHub account called cf-runnable to store my samples: https://github.com/cf-runnable  Feel free to star, fork, and send pull requests to me.
• I installed git-core with apt-get and clone the repo down into the web root.
• No authentication is needed via this method so I don't have to worry about accidently leaving an SSH key on the runnable.
• I created a bash script I called .setup and placed in the web root with this code in it:

  #!/bin/bash
  
  # Clean up dir
  find . ! -name .setup ! -path ./WEB-INF\* -delete
  
  # Clone repo into sub dir
  git clone http://github.com/cf-runnable/$1 ./__tmp
  mv -f __tmp/* ./
  rm -R __tmp

  Git repos can't be cloned into a non-empty directory, so what I do is delete everything in the web root but the script and WEB-INF.  Then I clone the repo into a folder called __tmp, move the files into the web root, and delete the temp folder
  To pull down the code for a runnable sample, simply run:

  $> ./.setup CFML_Templating_With_Tags

• DON'T DELETE THE WEB-INF FOLDER.  Doing so will remove Railo and CFML will stop processing.  If you do this on accident, remove the entire ROOT folder, and restart Tomcat.  It should redeploy the Railo WAR.  My .setup script is located in the "admin" repo for cf-runnable.  You can easily modify it to point to your own repo.

• So the process for creating a new runnable is fairly straight forward for me.  I create a new repo and copy over my last project into it including my .gitignore file.  I set up my tutorial on my local install of Railo and when I'm done, commit and push to GitHub.  Then I simply clone another runnable on the site with "Save Draft", edit the title and description and run "./.setup Repo_Name" from the command line and I'm done

Conclusion

That's enough of a brain dump for now.  Runnable is basically as flexible as you could want it to be.  Don't be scared away by all the stuff I typed here.  Most of it is already done for you so go play around with one of my runnables and get your feet wet.  I'll be adding more tutorials-- mostly centered around ColdBox and other Box libraries soon.  I think Runnable.com can be a very cool platform for the CFML community to publish example code on.

Here's some of the runnables I've created.  The full list will always be here.

• Use Wirebox to Create Objects in Coldbox
• Use Wirebox to Autowire Objects in Coldbox
• Testbox Samples
• Change Default Coldbox Error Page
• Contentbox Modular CMS Demo

If you're lucky, and by lucky I mean smart, you have FusionReactor installed on your server.  The breadth and usefulness of the information afforded by the tool (especially when it comes to memory and garbage collection) is lost on most who use it.  On some occasions you may find yourself needing to pull some memory numbers on an old server (or maybe just someone else's server) who doesn't have any tools installed.  I found myself in this situation the other day when tweaking an old legacy server.  It's sharing 1GB of ram between CFMX7, Railo, Apache, MySQL, and Linux.  It actually operates pretty good on so little memory.  After converting a couple of the legacy sites over to ContentBox which utilizes ORM and in-memory caching for performance I needed to tweak the heap space to be a bit bigger in Railo but I needed to decrease something else to make room. 

Now, this old server doesn't have FusionReactor installed, but it does have SeeFusion and while that tells me the usage of my heap space it doesn't show me the amount of permanent generation that's in use.  Remember, perm gen is stored outside of heap so the total memory footprint  of CF will roughly be heap + permgen.  (Of course, that comes with a few caveats, namely that you're actually using a JVM with a permanent generation!)

I wanted to trim down the perm gen space on CF and Railo to make room for a bigger heap.  I knew what the starting and max perm gen sizes were from my -XX:PermSize and -XX:MaxPermSize JVM args, but I didn't know how much of that was actually being used!  Of course, I could enable verbose GC logging, but that's a lot of work to parse through and I would have to restart the server and wait for the JVM to "warm up" again.  Instead I used a Java class called ManagementFactory.  This class will give you stats on each of your memory spaces in including your new and old generations (part of the heap).  Based on your JVM and your garbage collector in use, you will see different names for the memory spaces, but this bit of code will get you started to see how many MB of space are currently allocated and how much of that allocated space is in use.  Keep in mind that perm gen is not typically garbage collected, so once it goes up you won't see it go down.

<cfscript>
iter = createObject("java","java.lang.management.ManagementFactory").getMemoryPoolMXBeans().iterator();
while (iter.hasNext())
{
    item = iter.next();
    name = item.getName();
    type = item.getType().toString();
    used = item.getUsage().getUsed()/1024/1024;
    max = item.getUsage().getMax()/1024/1024;
    
    writeOutput("#name# (#type#)<br>");
    writeOutput("#round(used)#MB / #round(max)#MB <br><br>");
}
</cfscript>

Here is the output from my local CF10 install.

Code Cache (Non-heap memory)
5MB / 48MB 

PS Eden Space (Heap memory)
82MB / 150MB 

PS Survivor Space (Heap memory)
6MB / 92MB 

PS Old Gen (Heap memory)
363MB / 683MB 

PS Perm Gen (Non-heap memory)
83MB / 512MB

Try dumping out the Java object that comes back from getUsage() and see what other methods you can call.  Hint, getUsage().toString() is a good place to start.

You may have seen be tweeting about Runnable.com this week.  I've spent a decent amount of time figuring out how their platform works and getting CFML (Railo) running on it.  Basically, Runnable.com is CFLive.net, trycf.com, and JSFiddle.net all mashed up and super cool.  In short, the platform lets developers post any code samples they want for any database/language/framework up on the Internet so other developers can come along and not only read their code, but run it right there in the browser.  It doesn't stop there, other developers and fiddle with the original code and run the new version right there on the site to figure out how it works.  

It's all possible with Docker.io, a cool virtualization platform I just learned about, and Runnable has the whole thing running on top of Amazons EC2.  Basically, each code sample is an entire Linux VM with whatever installed on it that the publisher wanted to set up.  The template of this VM is stored and every time a visitor comes to the site and wants to check out that code sample, a dedicated VM is spun up in seconds just for that user.  Docker.io allows them to simultaneously service hundreds of users because it shares overlapping resources between the VMs so they're very lightweight and come online in seconds.

And since each user gets their own isolated playground, there's no sandbox security to worry about.  In fact, each code page has an emulated bash shell with root privileges at the bottom of the page!  Any local changes made by the visitors of the site, are discarded after they close their browser and the session times out.  The code samples aren't limited to a single file of code-- publishers can create tutorials to demo entire frameworks, with multiple files. Need a database?  Install one.  Need Tomcat? Install it.

So, speaking of Tomcat-- this is where ColdFusion comes in.  Runnable's Twitter account popped into a recent conversation and urged us to get CFML setup, so i took the task and ran with it.  Due to some issue with the Railo installer which they're looking at, I installed Tomcat 7 with apt-get and deployed Railo 4.1 as a WAR file in the root context.  The Runnable guys were super helpful.  They exchanged several E-mails with me and even chatted on Skype for an hour last week answering questions, tweaking my setup, and writing down suggestions.  

I published a proof-of-concept Runnable called CFML Templating With Tags and then a more involved followup called Use WireBox To Create Objects In ColdBox.  I've also created a new GitHub organization called cf-runnable to store all my tutorials.  Feel free to send me pull requests, or ask to collaborate and store your CFML runnables there as well.  Now, what's really, REALLY cool about Runnable is anyone can clone one of my tutorials, make it their own, and re-publish it under their name.  That means no one else has to reinvent the wheel to start putting cool code up on Runnable-- I've already figured a lot of it out and you can springboard off of what I've done, or dive in fresh yourself.

So this is the intro to a blog series I'm going to do how how I got Runnable working with CFML, what little speedbumps I've hit, and how I've been integrating with GitHub to version and host my code.  I have a lot of ideas for Runnable- both improvements for them (like beefier descriptions, and embeddable runnables) and ColdBox-themed tutorials I want to create to let people play around with simple examples and how-to's.  Stay tuned!