What is spy.js often seen in the console - spy

Sorry if this is obvious but I cannot find a straightforward answer on the net so far...
What exactly is spy.js?
I keep seeing it in the console sometimes of Firefox or Chrome... is it somehow related to spry.js?
I understand that spry is a JS framework from Adobe though..

spy.js is a file within a Firebug-based development tool meant for debugging a website with nice tools (http://code.google.com/p/fbug/source/browse/branches/firebug1.4/content/firebug/spy.js?r=2796)
My guess is that spry, an ajax framework, is at times calling some jsonp that uses functions defined inside of spy.js, thus throwing a console error for the missing file if it wasn't properly loaded.
Checking that all of your dependencies are properly loaded will likely solve the problem. But I'm just guessing.

Related

Unable to ES6 import ChartJS plugin into Aurelia

I'm using chart.js in my Aurelia application and it works fine.
I now want to add the chartjs-plugin-deferred plugin as well, and after having npm install:ed it and added it to aurelia.json's dependencies array I now get the following error:
Uncaught TypeError: Cannot read property 'helpers' of undefined
Pointing to the first couple of lines in the plugin code:
var Chart = window.Chart;
var helpers = Chart.helpers;
(Note that I don't even need to use the plugin (import 'chartjs-plugin-deferred';) for the error to appear; as soon as it's added to aurelia.json I get errors.)
If I add a console.dir(window.Chart) before the lines that throw errors it is in fact not undefined, and if I try to use the plugin in my charts it actually works fine.
Can someone explain why this error occurs and if there's some way I can get rid of it? I feel uncomfortable shipping code that, while it works as it should, throws errors in the console.
I'm a huge fan of npm and imports etc but more often than not you run into issues such as these which imo is such a hassle and actually makes me miss the good old days of just piling script elements on top of each other.
Edit: I tried with a couple more plugins just to see if perhaps the deferred plugin was the issue here, but every other plugin I tried completely kills the build.
Does anyone have experience importing ChartJS and a ChartJS plugin into Aurelia successfully?
The issue at hand is that the library does not provide any meaningful way to jump in with a module loader and properly first fully load the dependency ChartJS before carrying on with the execution.
It would be best if the library could wrap its code in a UMD compatible format to satisfy the most common formats at once, amongst those RequireJS, which is used for the Aurelia CLI.
I see you've created a GitHub issue, including the library's author as well. Good work, I've created a small PR to add the missing feature, which then also makes the example work, without throwing the missing helper error.

Dajaxice randomly stops working

So I have a Django project where I'm using Dajax and Dajaxice. The project runs well (being served locally using python manage.py runserver) but when I started it up again the next day (with no changes made to any files), Dajaxice just stopped getting generated/parsed/served (I'm not sure what's wrong). This results in none of my Dajax methods in ajax.py getting called. Again, no settings or configuration or code was changed from a previously running instance of the project.
Here are the error messages various browsers show
Chrome
Resource interpreted as Script but transferred with MIME type application/octet-stream: "http://localhost:8000/modmap/static/dajaxice/dajaxice.core.js".
Firebug on Firefox
#on loading the html with dajaxice script
SyntaxError: syntax error
{% load url from future %}
#on trying to trigger a dajax function
ReferenceError: Dajaxice is not defined
Safari
#on loading page
SyntaxError: Unexpected token '%'
#on triggering method
ReferenceError: Can't find variable: Dajaxice
Interestingly enough, when I access the site through Chrome, whatever was working before the "disaster" works but if I write a new method in ajax.py and call it, it doesn't. I'm thinking that the new method doesn't get registered because the dajaxice.core.js script is not getting generated as it should each time. But on Firefox and Safari, none of the methods work. I also think that my static files are being served up fine because the dajax script gets loaded as it should.
I have read all the documentation and Q/A I could find but just can't seem to trace the source of my problem. I'd really appreciate if someone could point me in the right direction.
EDIT : collectstatic registered new functions too. Everything works on Chrome. Nothing works on Safari and Firefox. I'm starting to think this is a browser compatibility issue but I doubt myself when I think that without any change in the versions of anything, stuff used to seamlessly work on Safari and Firefox too.
Actually dajax and dajaxice are not improved anymore, so it is unwise to use them:
Should I use django-dajax or django-dajaxice?
In a word, No. I created these projects 4 years ago as a cool tool in
order to solve one specific problem I had at that time.
These days using these projects is a bad idea. (...) If you want to
use this project, you are probably wrong. You should stop coupling your
interface with your backend or... in the long term it will explode in
your face.

CF Admin showing the root website

My CFIDE just went crazy this morning and I can't locate what is causing this. When I log in from example.com/cfide/administrator/index.cfm some of the tabs on the left work fine and some are showing the index page of example.com like in an iframe... I restarted the app server but the issue is still there. Any recommendations on how to debug this thing?
So for posterity here is what we found.
There are two possibilities of exploits that could be affecting you:
the bitcoin exploit (miner.d)
the ckeditor file upload exploit (this is the h.cfm file)
There are others but these are common and known. Both tap underlying java to unfold work that either calls something more sinister, delivers server meta data or unrolls a scheduled task to fireoff worker bees to consume resources doing something the admin is unaware of.
So as we discovered, we have a varietal of this h.cfm called fusebox.cfm (obfuscated with bonus encrypted CF5 garble). If you can open that h.cfm file you will see UGLY and obfuscated code, but not very sophisticated. A lot can be revealed by a coder's code, and if you deconstruct and format this particular code you will discern that the developer is not native to CF, and jumps from script style to CFML style (in caps no less).
(here is the Stack Overflow link with the raw code (be careful))
It is also named: i.cfm, h9.cfm, r.cfm, adss.cfm or fusebox.cfm. Here is the black hat page that gives you a ton of info. I'm viewing the cached site because I don't trust the blackhat sites (because one loaded something on my system that raised an antivirus alert).
The file may be unreadable so here is a link to a site that describes some github sourcecode that can decrypt it for you. That is Coldfusion 5 crap that still floats around now and again. (I'm pretty sure it will look similar to that code in the SO link I pasted above).
Post mortem: One more ColdFusion server saved from villainy. Remember, it never hurts to run through your systems and see if anything can be found like this. It also never hurts to make things a little more difficult for would-be server exploiters ;)

Is there any reliable Static Code Analysis Tool available for ColdFusion?

For the last few days, I have been searching for a static code analysis tool for ColdFusion. I have not found a good one so far. I found two.
YASCA
https://code.google.com/p/cf-metrics/
From YASCA I was getting only XSS alerts and some alerts for session mgmt, nothing more than that. I have tried with my entire project.
I am not even able to properly install cf-metrics using ColdFusion10. After putting the required jar file in the lib folder I was not able to access any of my IIS sites because of some ISAPI redirect issue.
Any other tools available?
If you're still looking for a ColdFusion Linter, I would recommend CFLint. It's hosted on GitHub and Maven. The parser was updated to use ANTLR4, so it's much faster than previous editions. We're also making it easier to customize than JSLint.
I've looked at this a couple of times in the past, as I maintain a large CF application.
Each time I looked I was unable to find anything suitable. I spent a while looking into using the Railo CFML parser (because it's open source) to build something ourselves and concluded at the time that it was possible, but was no small task.
You may be able to re-examine the Railo approach, but feed the AST from Railo into an existing code analysis tool. I never got that far, but it may be possible to an extent.
I'd love to hear different, but the short answer is that there's not much out there.

Can I get the source of a hacked Coldfusion template?

We recently had a hacker gain access to our system. They dumped some Coldfusion templates and included them in random pages on our sites.
The files they dump start with Allaire Cold Fusion Template and then contain what appears to be "garbage", but I believe that this is some kind of pre-compiled Coldfusion code.
We've cleared out the hacks, but I saved off the files because I was hoping that there would be some way to de-compile them and maybe make some sense of them. Although I think the hack is dealt with, I am a little worried about what this code was doing. (When I looked at the source of a page that included this code, it created no output, so something had to be going on in the background.)
If there isn't a way, that's cool, I just thought I would at least investigate the possibility of seeing what these files were doing. Thanks in advance for any help.
Wow, you have awakened some of my "old" brain cells... Way back when you could encrypt your ColdFusion templates and they could still be run on a ColdFusion server. This encryption was not very secure as the decrypting algorithm was readily available. It was/is an easy way to "hide" your code from the unknowing (I guess).
I did a quick Google search and found an old reference to a decrypt function on Adobe's site that may help "crack" that code: AB Positive Encrypt and Decrypt. I believe their code would have to be encrypted this way, otherwise the ColdFusion server would not be able to read the files either. This download includes the cfdecrypt.exe and cfencode.exe programs.
If that tool does not work and if I remember correctly, the ColdFusion encryption before CFMX was done using something called CFCrypt.exe. That was for older versions of ColdFusion I think, but you can try using that too. I couldn't find it, but I'm sure if you Google for it, it can be found.
Please post back with your results. I'm interested to see what they were doing.
There is a program out there, cfdecrypt, that will help you decompile them. I haven't used it in years, but here is a link I found to a GitHub project:
https://github.com/disccomp/cfdecrypt
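
A triage pass over a webroot for the two indicators this page gives: the file names listed in the CF Admin answer and the "Allaire Cold Fusion Template" header described in the question above. This is an added example, not code from any of the posters; the function names, reason labels and sample file are constructed for illustration, and a hit only marks a file for manual review, since legitimately encoded templates start with the same header.

```python
import os
import sys
import tempfile

# Marker the question above reports at the start of each dropped file.
ENCODED_HEADER = b"Allaire Cold Fusion Template"
# File names the CF Admin answer lists for the uploaded h.cfm variants.
SUSPECT_NAMES = {"h.cfm", "i.cfm", "h9.cfm", "r.cfm", "adss.cfm", "fusebox.cfm"}


def inspect_file(path):
    """Return the reasons a file deserves manual review (empty list if none)."""
    reasons = []
    if os.path.basename(path).lower() in SUSPECT_NAMES:
        reasons.append("name-match")
    try:
        with open(path, "rb") as handle:
            head = handle.read(len(ENCODED_HEADER) + 8)
    except OSError:
        return reasons + ["unreadable"]
    # Tolerate a UTF-8 BOM or leading whitespace before the marker.
    if head.lstrip(b"\xef\xbb\xbf \t\r\n").startswith(ENCODED_HEADER):
        reasons.append("encoded-template")
    return reasons


def scan_webroot(root):
    """Walk root and return {relative_path: reasons} for every flagged file."""
    # Check every file, not only *.cfm: the header identifies an encoded template.
    findings = {}
    for directory, _subdirs, files in os.walk(root):
        for name in files:
            full = os.path.join(directory, name)
            reasons = inspect_file(full)
            if reasons:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings[rel] = reasons
    return findings


if __name__ == "__main__":
    # With no argument, scan a constructed one-file tree instead of a webroot.
    target = sys.argv[1] if len(sys.argv) > 1 else tempfile.mkdtemp()
    if len(sys.argv) == 1:
        with open(os.path.join(target, "news.cfm"), "wb") as sample:
            sample.write(ENCODED_HEADER + b"\n(constructed filler)")
    for rel, reasons in sorted(scan_webroot(target).items()):
        print(rel, ",".join(reasons))
```

Comparing flagged paths against a known-good deployment or source control separates planted files from templates the application encoded itself.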