
boxlang-security

Use this skill when reviewing BoxLang code or applications for security vulnerabilities, configuring security settings, preventing injection attacks, handling file uploads safely, managing secrets, or applying secure coding patterns drawn from OWASP Top 10 and CFML/Java security history.
ortus-boxlang/skills · ★ 0 · Code & Development · score 58
Install: claude install-skill ortus-boxlang/skills
# BoxLang Security

## Overview

BoxLang inherits both the power and the historical attack surface of ColdFusion/CFML and the JVM. This skill documents security patterns and runtime controls to help build secure applications from the ground up.

---

## Runtime Security Configuration (`boxlang.json`)

```json5
"security": {
    // Regex patterns — prevent dangerous Java class access
    "disallowedImports": [
        "java\\.lang\\.(ProcessBuilder|Runtime)",
        "java\\.io\\.(FileWriter|PrintWriter)",
        "java\\.lang\\.reflect\\."
    ],
    // BIFs that should be disabled in production web apps
    "disallowedBifs": [ "createObject", "systemExecute", "getSystemInfo" ],
    // Components that should be disabled in production
    "disallowedComponents": [ "execute" ],
    // Prevent system properties from leaking into server scope
    "populateServerSystemScope": false,
    // Explicit upload whitelist (overrides disallowed list)
    "allowedFileOperationExtensions": [ "jpg", "png", "pdf", "docx" ],
    // Dangerous executable extensions blocked on file upload and copy/move
    "disallowedFileOperationExtensions": [
        "exe", "bat", "sh", "bx", "bxm", "bxs", "php", "jsp", "jar", "dll"
    ]
}
```

---

## Injection Prevention

### SQL Injection

**NEVER** build SQL with string concatenation. Always bind user-supplied values as query parameters (QueryParam):

```boxlang
// BAD — SQL injection vulnerability
var result = queryExecute( "SELECT * FROM users WHERE emai
```
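As an added example (not code from the skill README or from the BoxLang project), the vulnerable lookup beside its parameterized replacement, in both the named (`:name`) and positional (`?`) forms `queryExecute()` accepts, followed by the one case parameters cannot cover: identifiers and sort direction, which must go through an allowlist. The datasource name `appDB`, the `users` table and its `id`, `email`, `role` and `created_at` columns are assumptions for illustration; the `maxLength` key mirrors the `maxlength` attribute of the CFML `queryparam`.

```boxlang
// Added example, not part of the skill README. Assumes a datasource named
// "appDB" and a users table with id, email, role and created_at columns.

// BAD: the attacker-controlled value is spliced into the SQL text, so an input
// such as  ' OR '1'='1  changes the query structure instead of being a value.
function findUserUnsafe( required string email ) {
    return queryExecute(
        "SELECT id, email, role FROM users WHERE email = '#email#'",
        [],
        { datasource : "appDB" }
    );
}

// GOOD (named parameter): the SQL text and the value travel to the driver
// separately, so the same input is compared as a literal string. sqltype and
// maxLength additionally reject wrongly typed or oversized input before it
// reaches the database.
function findUserByEmail( required string email ) {
    return queryExecute(
        "SELECT id, email, role FROM users WHERE email = :email",
        { email : { value : email, sqltype : "varchar", maxLength : 255 } },
        { datasource : "appDB" }
    );
}

// GOOD (positional parameter): the same protection with a ? placeholder.
function findUserById( required numeric id ) {
    return queryExecute(
        "SELECT id, email, role FROM users WHERE id = ?",
        [ { value : id, sqltype : "integer" } ],
        { datasource : "appDB" }
    );
}

// Parameters bind VALUES only. Column names and keywords such as ASC/DESC
// cannot be parameterized, so user input is mapped onto a fixed allowlist and
// only the allowlisted token is ever interpolated into the statement.
function listUsersSorted( string sortBy = "email", string direction = "asc" ) {
    var allowedColumns = { "email" : "email", "role" : "role", "created" : "created_at" };
    var column = structKeyExists( allowedColumns, sortBy ) ? allowedColumns[ sortBy ] : "email";
    var dir    = ( lcase( direction ) == "desc" ) ? "DESC" : "ASC";
    return queryExecute(
        "SELECT id, email, role FROM users ORDER BY #column# #dir#",
        [],
        { datasource : "appDB" }
    );
}

// Usage: the classic tautology payload is handled as an ordinary email value
// by the parameterized lookup and cannot alter the WHERE clause.
hostile    = "' OR '1'='1";
safeResult = findUserByEmail( hostile );
println( "Parameterized lookup returned #safeResult.recordCount# row(s)" );
```

Run against the unsafe function, the same `hostile` string would turn the WHERE clause into a tautology and return every row; against `findUserByEmail()` it is compared as a literal address. The allowlist in `listUsersSorted()` is the part teams most often forget: a `sortBy` or `direction` value taken straight from the request is still string concatenation, no matter how carefully the rest of the query is parameterized.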