mirror of https://github.com/apache/archiva.git
fix more selenium tests no need to wait server response for client side validation
git-svn-id: https://svn.apache.org/repos/asf/archiva/trunk@1172554 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
parent
b2837be655
commit
22870274ca
|
@ -30,55 +30,67 @@ public class AppearanceTest
|
||||||
{
|
{
|
||||||
goToAppearancePage();
|
goToAppearancePage();
|
||||||
clickLinkWithText( "Edit" );
|
clickLinkWithText( "Edit" );
|
||||||
addEditAppearance( "", "", "" );
|
addEditAppearance( "", "", "", false );
|
||||||
assertTextPresent( "You must enter a name" );
|
assertTextPresent( "You must enter a name" );
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test( dependsOnMethods = { "testAddAppearanceEmptyValues" })
|
@Test( dependsOnMethods = { "testAddAppearanceEmptyValues" } )
|
||||||
public void testAddAppearanceInvalidValues()
|
public void testAddAppearanceInvalidValues()
|
||||||
{
|
{
|
||||||
addEditAppearance( "<>~+[ ]'\"" , "/home/user/abcXYZ0129._/\\~:?!&=-<> ~+[ ]'\"" , "/home/user/abcXYZ0129._/\\~:?!&=-<> ~+[ ]'\"" );
|
addEditAppearance( "<>~+[ ]'\"", "/home/user/abcXYZ0129._/\\~:?!&=-<> ~+[ ]'\"",
|
||||||
assertTextPresent( "Organisation name must only contain alphanumeric characters, white-spaces(' '), equals(=), question-marks(?), exclamation-points(!), ampersands(&), forward-slashes(/), back-slashes(\\), underscores(_), dots(.), colons(:), tildes(~), and dashes(-)." );
|
"/home/user/abcXYZ0129._/\\~:?!&=-<> ~+[ ]'\"", false );
|
||||||
|
assertTextPresent(
|
||||||
|
"Organisation name must only contain alphanumeric characters, white-spaces(' '), equals(=), question-marks(?), exclamation-points(!), ampersands(&), forward-slashes(/), back-slashes(\\), underscores(_), dots(.), colons(:), tildes(~), and dashes(-)." );
|
||||||
assertTextPresent( "You must enter a URL" );
|
assertTextPresent( "You must enter a URL" );
|
||||||
assertXpathCount("//span[@class='errorMessage' and text()='You must enter a URL']", 2);
|
//assertXpathCount( "//tr errorfor='saveAppearance_organisationUrl'", 1 );
|
||||||
|
assertXpathCount( "//span[@class='errorMessage/text()='You must enter a URL']", 1 );
|
||||||
|
assertTextPresent( "You must enter a URL for your logo" );
|
||||||
|
assertXpathCount( "//span[@class='errorMessage/text()='You must enter a URL for your logo']", 1 );
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test( dependsOnMethods = { "testAddAppearanceInvalidValues" })
|
@Test( dependsOnMethods = { "testAddAppearanceInvalidValues" } )
|
||||||
public void testAddAppearanceInvalidOrganisationName()
|
public void testAddAppearanceInvalidOrganisationName()
|
||||||
{
|
{
|
||||||
addEditAppearance( "<>~+[ ]'\"" , "http://www.apache.org/" , "http://www.apache.org/images/asf_logo_wide.gifs" );
|
addEditAppearance( "<>~+[ ]'\"", "http://www.apache.org/", "http://www.apache.org/images/asf_logo_wide.gifs",
|
||||||
assertTextPresent( "Organisation name must only contain alphanumeric characters, white-spaces(' '), equals(=), question-marks(?), exclamation-points(!), ampersands(&), forward-slashes(/), back-slashes(\\), underscores(_), dots(.), colons(:), tildes(~), and dashes(-)." );
|
false );
|
||||||
}
|
assertTextPresent(
|
||||||
|
"Organisation name must only contain alphanumeric characters, white-spaces(' '), equals(=), question-marks(?), exclamation-points(!), ampersands(&), forward-slashes(/), back-slashes(\\), underscores(_), dots(.), colons(:), tildes(~), and dashes(-)." );
|
||||||
@Test( dependsOnMethods = { "testAddAppearanceInvalidOrganisationName" })
|
|
||||||
public void testAddAppearanceInvalidOrganisationUrl()
|
|
||||||
{
|
|
||||||
addEditAppearance( "The Apache Software Foundation" , "/home/user/abcXYZ0129._/\\~:?!&=-<> ~+[ ]'\"" , "http://www.apache.org/images/asf_logo_wide.gifs" );
|
|
||||||
assertTextPresent( "You must enter a URL" );
|
|
||||||
assertXpathCount("//span[@class='errorMessage' and text()='You must enter a URL']", 1);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test( dependsOnMethods = { "testAddAppearanceInvalidOrganisationUrl" })
|
@Test( dependsOnMethods = { "testAddAppearanceInvalidOrganisationName" } )
|
||||||
public void testAddAppearanceInvalidOrganisationLogo()
|
public void testAddAppearanceInvalidOrganisationUrl()
|
||||||
{
|
{
|
||||||
addEditAppearance( "The Apache Software Foundation" , "http://www.apache.org/" , "/home/user/abcXYZ0129._/\\~:?!&=-<> ~+[ ]'\"" );
|
addEditAppearance( "The Apache Software Foundation", "/home/user/abcXYZ0129._/\\~:?!&=-<> ~+[ ]'\"",
|
||||||
assertTextPresent( "You must enter a URL" );
|
"http://www.apache.org/images/asf_logo_wide.gifs", false );
|
||||||
assertXpathCount("//span[@class='errorMessage' and text()='You must enter a URL']", 1);
|
assertTextPresent( "You must enter a URL" );
|
||||||
|
assertXpathCount( "//span[@class='errorMessage/text()='You must enter a URL']", 1 );
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test( dependsOnMethods = { "testAddAppearanceInvalidOrganisationLogo" })
|
@Test( dependsOnMethods = { "testAddAppearanceInvalidOrganisationUrl" } )
|
||||||
public void testAddAppearanceValidValues()
|
public void testAddAppearanceInvalidOrganisationLogo()
|
||||||
{
|
{
|
||||||
addEditAppearance( "The Apache Software Foundation" , "http://www.apache.org/" , "http://www.apache.org/images/asf_logo_wide.gifs" );
|
addEditAppearance( "The Apache Software Foundation", "http://www.apache.org/",
|
||||||
assertTextPresent( "The Apache Software Foundation" );
|
"/home/user/abcXYZ0129._/\\~:?!&=-<> ~+[ ]'\"", false );
|
||||||
}
|
assertTextPresent( "You must enter a URL" );
|
||||||
|
assertXpathCount( "//span[@class='errorMessage'/text()='You must enter a URL']", 1 );
|
||||||
|
}
|
||||||
|
|
||||||
@Test( dependsOnMethods = { "testAddAppearanceValidValues" })
|
@Test( dependsOnMethods = { "testAddAppearanceInvalidOrganisationLogo" } )
|
||||||
public void testEditAppearance()
|
public void testAddAppearanceValidValues()
|
||||||
{
|
{
|
||||||
clickLinkWithText( "Edit" );
|
addEditAppearance( "The Apache Software Foundation", "http://www.apache.org/",
|
||||||
addEditAppearance( "Apache Software Foundation" , "http://www.apache.org/" , "http://www.apache.org/images/asf_logo_wide.gifs" );
|
"http://www.apache.org/images/asf_logo_wide.gifs", true );
|
||||||
assertTextPresent( "Apache Software Foundation" );
|
assertTextPresent( "The Apache Software Foundation" );
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test( dependsOnMethods = { "testAddAppearanceValidValues" } )
|
||||||
|
public void testEditAppearance()
|
||||||
|
{
|
||||||
|
clickLinkWithText( "Edit" );
|
||||||
|
addEditAppearance( "Apache Software Foundation", "http://www.apache.org/",
|
||||||
|
"http://www.apache.org/images/asf_logo_wide.gifs", true );
|
||||||
|
assertTextPresent( "Apache Software Foundation" );
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
|
@ -19,8 +19,8 @@ package org.apache.archiva.web.test;
|
||||||
* under the License.
|
* under the License.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
import org.testng.annotations.Test;
|
|
||||||
import org.apache.archiva.web.test.parent.AbstractArchivaTest;
|
import org.apache.archiva.web.test.parent.AbstractArchivaTest;
|
||||||
|
import org.testng.annotations.Test;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Test all actions affected with XSS security issue.
|
* Test all actions affected with XSS security issue.
|
||||||
|
@ -31,97 +31,125 @@ public class XSSSecurityTest
|
||||||
{
|
{
|
||||||
public void testDeleteArtifactImmunityToURLCrossSiteScripting()
|
public void testDeleteArtifactImmunityToURLCrossSiteScripting()
|
||||||
{
|
{
|
||||||
getSelenium().open( "/archiva/deleteArtifact!doDelete.action?groupId=\"/>1<script>alert('xss')</script>&artifactId=\"/>1<script>alert('xss')</script>&version=\"/>1<script>alert('xss')</script>&repositoryId=\"/>1<script>alert('xss')</script>");
|
getSelenium().open(
|
||||||
|
"/archiva/deleteArtifact!doDelete.action?groupId=\"/>1<script>alert('xss')</script>&artifactId=\"/>1<script>alert('xss')</script>&version=\"/>1<script>alert('xss')</script>&repositoryId=\"/>1<script>alert('xss')</script>" );
|
||||||
assertDeleteArtifactPage();
|
assertDeleteArtifactPage();
|
||||||
assertTextPresent( "Invalid version." );
|
assertTextPresent( "Invalid version." );
|
||||||
assertTextPresent( "User is not authorized to delete artifacts in repository '\"/>1<script>alert('xss')</script>'." );
|
assertTextPresent(
|
||||||
assertTextPresent( "Group id must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
|
"User is not authorized to delete artifacts in repository '\"/>1<script>alert('xss')</script>'." );
|
||||||
assertTextPresent( "Artifact id must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
|
assertTextPresent(
|
||||||
assertTextPresent( "Repository id must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
|
"Group id must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
|
||||||
assertElementValue("//input[@id='deleteArtifact_groupId']", "\"/>1<script>alert('xss')</script>");
|
assertTextPresent(
|
||||||
assertElementValue("//input[@id='deleteArtifact_artifactId']", "\"/>1<script>alert('xss')</script>");
|
"Artifact id must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
|
||||||
assertElementValue("//input[@id='deleteArtifact_version']", "\"/>1<script>alert('xss')</script>");
|
assertTextPresent(
|
||||||
assertElementValue("//select[@id='deleteArtifact_repositoryId']", "internal");
|
"Repository id must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
|
||||||
|
assertElementValue( "//input[@id='deleteArtifact_groupId']", "\"/>1<script>alert('xss')</script>" );
|
||||||
|
assertElementValue( "//input[@id='deleteArtifact_artifactId']", "\"/>1<script>alert('xss')</script>" );
|
||||||
|
assertElementValue( "//input[@id='deleteArtifact_version']", "\"/>1<script>alert('xss')</script>" );
|
||||||
|
assertElementValue( "//select[@id='deleteArtifact_repositoryId']", "internal" );
|
||||||
}
|
}
|
||||||
|
|
||||||
public void testDeleteArtifactImmunityToEncodedURLCrossSiteScripting()
|
public void testDeleteArtifactImmunityToEncodedURLCrossSiteScripting()
|
||||||
{
|
{
|
||||||
getSelenium().open( "/archiva/deleteArtifact!doDelete.action?groupId=%22%2F%3E1%3Cscript%3Ealert('xss')%3C%2Fscript%3E&artifactId=%22%2F%3E1%3Cscript%3Ealert('xss')%3C%2Fscript%3E&version=%22%2F%3E1%3Cscript%3Ealert('xss')%3C%2Fscript%3E&repositoryId=%22%2F%3E1%3Cscript%3Ealert('xss')%3C%2Fscript%3E");
|
getSelenium().open(
|
||||||
|
"/archiva/deleteArtifact!doDelete.action?groupId=%22%2F%3E1%3Cscript%3Ealert('xss')%3C%2Fscript%3E&artifactId=%22%2F%3E1%3Cscript%3Ealert('xss')%3C%2Fscript%3E&version=%22%2F%3E1%3Cscript%3Ealert('xss')%3C%2Fscript%3E&repositoryId=%22%2F%3E1%3Cscript%3Ealert('xss')%3C%2Fscript%3E" );
|
||||||
assertDeleteArtifactPage();
|
assertDeleteArtifactPage();
|
||||||
assertTextPresent( "Invalid version." );
|
assertTextPresent( "Invalid version." );
|
||||||
assertTextPresent( "User is not authorized to delete artifacts in repository '\"/>1<script>alert('xss')</script>'." );
|
assertTextPresent(
|
||||||
assertTextPresent( "Group id must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
|
"User is not authorized to delete artifacts in repository '\"/>1<script>alert('xss')</script>'." );
|
||||||
assertTextPresent( "Artifact id must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
|
assertTextPresent(
|
||||||
assertTextPresent( "Repository id must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
|
"Group id must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
|
||||||
assertElementValue("//input[@id='deleteArtifact_groupId']", "\"/>1<script>alert('xss')</script>");
|
assertTextPresent(
|
||||||
assertElementValue("//input[@id='deleteArtifact_artifactId']", "\"/>1<script>alert('xss')</script>");
|
"Artifact id must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
|
||||||
assertElementValue("//input[@id='deleteArtifact_version']", "\"/>1<script>alert('xss')</script>");
|
assertTextPresent(
|
||||||
assertElementValue("//select[@id='deleteArtifact_repositoryId']", "internal");
|
"Repository id must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
|
||||||
|
assertElementValue( "//input[@id='deleteArtifact_groupId']", "\"/>1<script>alert('xss')</script>" );
|
||||||
|
assertElementValue( "//input[@id='deleteArtifact_artifactId']", "\"/>1<script>alert('xss')</script>" );
|
||||||
|
assertElementValue( "//input[@id='deleteArtifact_version']", "\"/>1<script>alert('xss')</script>" );
|
||||||
|
assertElementValue( "//select[@id='deleteArtifact_repositoryId']", "internal" );
|
||||||
}
|
}
|
||||||
|
|
||||||
public void testEditAppearanceImmunityToURLCrossSiteScripting()
|
public void testEditAppearanceImmunityToURLCrossSiteScripting()
|
||||||
{
|
{
|
||||||
getSelenium().open( "/archiva/admin/configureAppearance.action?organisationName=<script>alert('xss')</script>&organisationUrl=<script>alert('xss')</script>&organisationLogo=<script>alert('xss')</script>");
|
getSelenium().open(
|
||||||
|
"/archiva/admin/configureAppearance.action?organisationName=<script>alert('xss')</script>&organisationUrl=<script>alert('xss')</script>&organisationLogo=<script>alert('xss')</script>" );
|
||||||
assertAppearancePage();
|
assertAppearancePage();
|
||||||
assertXpathCount("//td[text()=\"<script>alert('xss')</script>\"]", 1);
|
assertXpathCount( "//td[text()=\"<script>alert('xss')</script>\"]", 1 );
|
||||||
assertXpathCount("//code[text()=\"<script>alert('xss')</script>\"]", 2);
|
assertXpathCount( "//code[text()=\"<script>alert('xss')</script>\"]", 2 );
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public void testEditAppearanceImmunityToEncodedURLCrossSiteScripting()
|
public void testEditAppearanceImmunityToEncodedURLCrossSiteScripting()
|
||||||
{
|
{
|
||||||
getSelenium().open( "/archiva/admin/configureAppearance.action?organisationName=%3Cscript%3Ealert('xss')%3C%2Fscript%3E&organisationUrl=%3Cscript%3Ealert('xss')%3C%2Fscript%3E&organisationLogo=%3Cscript%3Ealert('xss')%3C%2Fscript%3E");
|
getSelenium().open(
|
||||||
|
"/archiva/admin/configureAppearance.action?organisationName=%3Cscript%3Ealert('xss')%3C%2Fscript%3E&organisationUrl=%3Cscript%3Ealert('xss')%3C%2Fscript%3E&organisationLogo=%3Cscript%3Ealert('xss')%3C%2Fscript%3E" );
|
||||||
assertAppearancePage();
|
assertAppearancePage();
|
||||||
assertXpathCount("//td[text()=\"<script>alert('xss')</script>\"]", 1);
|
assertXpathCount( "//td[text()=\"<script>alert('xss')</script>\"]", 1 );
|
||||||
assertXpathCount("//code[text()=\"<script>alert('xss')</script>\"]", 2);
|
assertXpathCount( "//code[text()=\"<script>alert('xss')</script>\"]", 2 );
|
||||||
}
|
}
|
||||||
|
|
||||||
public void testAddLegacyArtifactImmunityToURLCrossSiteScripting()
|
public void testAddLegacyArtifactImmunityToURLCrossSiteScripting()
|
||||||
{
|
{
|
||||||
getSelenium().open( "/archiva/admin/addLegacyArtifactPath!commit.action?legacyArtifactPath.path=\"/>1<script>alert('xss')</script>&groupId=\"/>1<script>alert('xss')</script>&artifactId=\"/>1<script>alert('xss')</script>&version=\"/>1<script>alert('xss')</script>&classifier=\"/>1<script>alert('xss')</script>&type=\"/>1<script>alert('xss')</script>");
|
getSelenium().open(
|
||||||
|
"/archiva/admin/addLegacyArtifactPath!commit.action?legacyArtifactPath.path=\"/>1<script>alert('xss')</script>&groupId=\"/>1<script>alert('xss')</script>&artifactId=\"/>1<script>alert('xss')</script>&version=\"/>1<script>alert('xss')</script>&classifier=\"/>1<script>alert('xss')</script>&type=\"/>1<script>alert('xss')</script>" );
|
||||||
assertAddLegacyArtifactPathPage();
|
assertAddLegacyArtifactPathPage();
|
||||||
assertTextPresent( "Legacy path must only contain alphanumeric characters, forward-slashes(/), back-slashes(\\), underscores(_), dots(.), and dashes(-)." );
|
assertTextPresent(
|
||||||
assertTextPresent( "Group id must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
|
"Legacy path must only contain alphanumeric characters, forward-slashes(/), back-slashes(\\), underscores(_), dots(.), and dashes(-)." );
|
||||||
assertTextPresent( "Artifact id must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
|
assertTextPresent(
|
||||||
assertTextPresent( "Version must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
|
"Group id must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
|
||||||
assertTextPresent( "Classifier must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
|
assertTextPresent(
|
||||||
|
"Artifact id must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
|
||||||
|
assertTextPresent(
|
||||||
|
"Version must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
|
||||||
|
assertTextPresent(
|
||||||
|
"Classifier must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
|
||||||
assertTextPresent( "Type must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
|
assertTextPresent( "Type must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
|
||||||
assertElementValue("//input[@id='addLegacyArtifactPath_legacyArtifactPath_path']", "\"/>1<script>alert('xss')</script>");
|
assertElementValue( "//input[@id='addLegacyArtifactPath_legacyArtifactPath_path']",
|
||||||
assertElementValue("//input[@id='addLegacyArtifactPath_artifactId']", "\"/>1<script>alert('xss')</script>");
|
"\"/>1<script>alert('xss')</script>" );
|
||||||
assertElementValue("//input[@id='addLegacyArtifactPath_version']", "\"/>1<script>alert('xss')</script>");
|
assertElementValue( "//input[@id='addLegacyArtifactPath_artifactId']", "\"/>1<script>alert('xss')</script>" );
|
||||||
assertElementValue("//input[@id='addLegacyArtifactPath_groupId']", "\"/>1<script>alert('xss')</script>");
|
assertElementValue( "//input[@id='addLegacyArtifactPath_version']", "\"/>1<script>alert('xss')</script>" );
|
||||||
assertElementValue("//input[@id='addLegacyArtifactPath_classifier']", "\"/>1<script>alert('xss')</script>");
|
assertElementValue( "//input[@id='addLegacyArtifactPath_groupId']", "\"/>1<script>alert('xss')</script>" );
|
||||||
assertElementValue("//input[@id='addLegacyArtifactPath_type']", "\"/>1<script>alert('xss')</script>");
|
assertElementValue( "//input[@id='addLegacyArtifactPath_classifier']", "\"/>1<script>alert('xss')</script>" );
|
||||||
|
assertElementValue( "//input[@id='addLegacyArtifactPath_type']", "\"/>1<script>alert('xss')</script>" );
|
||||||
}
|
}
|
||||||
|
|
||||||
public void testAddLegacyArtifactImmunityToEncodedURLCrossSiteScripting()
|
public void testAddLegacyArtifactImmunityToEncodedURLCrossSiteScripting()
|
||||||
{
|
{
|
||||||
getSelenium().open( "/archiva/admin/addLegacyArtifactPath!commit.action?legacyArtifactPath.path=%22%2F%3E1%3Cscript%3Ealert('xss')%3C%2Fscript%3E&groupId=%22%2F%3E1%3Cscript%3Ealert('xss')%3C%2Fscript%3E&artifactId=%22%2F%3E1%3Cscript%3Ealert('xss')%3C%2Fscript%3E&version=%22%2F%3E1%3Cscript%3Ealert('xss')%3C%2Fscript%3E&classifier=%22%2F%3E1%3Cscript%3Ealert('xss')%3C%2Fscript%3E&type=%22%2F%3E1%3Cscript%3Ealert('xss')%3C%2Fscript%3E");
|
getSelenium().open(
|
||||||
|
"/archiva/admin/addLegacyArtifactPath!commit.action?legacyArtifactPath.path=%22%2F%3E1%3Cscript%3Ealert('xss')%3C%2Fscript%3E&groupId=%22%2F%3E1%3Cscript%3Ealert('xss')%3C%2Fscript%3E&artifactId=%22%2F%3E1%3Cscript%3Ealert('xss')%3C%2Fscript%3E&version=%22%2F%3E1%3Cscript%3Ealert('xss')%3C%2Fscript%3E&classifier=%22%2F%3E1%3Cscript%3Ealert('xss')%3C%2Fscript%3E&type=%22%2F%3E1%3Cscript%3Ealert('xss')%3C%2Fscript%3E" );
|
||||||
assertAddLegacyArtifactPathPage();
|
assertAddLegacyArtifactPathPage();
|
||||||
assertTextPresent( "Legacy path must only contain alphanumeric characters, forward-slashes(/), back-slashes(\\), underscores(_), dots(.), and dashes(-)." );
|
assertTextPresent(
|
||||||
assertTextPresent( "Group id must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
|
"Legacy path must only contain alphanumeric characters, forward-slashes(/), back-slashes(\\), underscores(_), dots(.), and dashes(-)." );
|
||||||
assertTextPresent( "Artifact id must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
|
assertTextPresent(
|
||||||
assertTextPresent( "Version must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
|
"Group id must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
|
||||||
assertTextPresent( "Classifier must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
|
assertTextPresent(
|
||||||
|
"Artifact id must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
|
||||||
|
assertTextPresent(
|
||||||
|
"Version must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
|
||||||
|
assertTextPresent(
|
||||||
|
"Classifier must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
|
||||||
assertTextPresent( "Type must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
|
assertTextPresent( "Type must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
|
||||||
assertElementValue("//input[@id='addLegacyArtifactPath_legacyArtifactPath_path']", "\"/>1<script>alert('xss')</script>");
|
assertElementValue( "//input[@id='addLegacyArtifactPath_legacyArtifactPath_path']",
|
||||||
assertElementValue("//input[@id='addLegacyArtifactPath_artifactId']", "\"/>1<script>alert('xss')</script>");
|
"\"/>1<script>alert('xss')</script>" );
|
||||||
assertElementValue("//input[@id='addLegacyArtifactPath_version']", "\"/>1<script>alert('xss')</script>");
|
assertElementValue( "//input[@id='addLegacyArtifactPath_artifactId']", "\"/>1<script>alert('xss')</script>" );
|
||||||
assertElementValue("//input[@id='addLegacyArtifactPath_groupId']", "\"/>1<script>alert('xss')</script>");
|
assertElementValue( "//input[@id='addLegacyArtifactPath_version']", "\"/>1<script>alert('xss')</script>" );
|
||||||
assertElementValue("//input[@id='addLegacyArtifactPath_classifier']", "\"/>1<script>alert('xss')</script>");
|
assertElementValue( "//input[@id='addLegacyArtifactPath_groupId']", "\"/>1<script>alert('xss')</script>" );
|
||||||
assertElementValue("//input[@id='addLegacyArtifactPath_type']", "\"/>1<script>alert('xss')</script>");
|
assertElementValue( "//input[@id='addLegacyArtifactPath_classifier']", "\"/>1<script>alert('xss')</script>" );
|
||||||
|
assertElementValue( "//input[@id='addLegacyArtifactPath_type']", "\"/>1<script>alert('xss')</script>" );
|
||||||
}
|
}
|
||||||
|
|
||||||
public void testDeleteNetworkProxyImmunityToURLCrossSiteScripting()
|
public void testDeleteNetworkProxyImmunityToURLCrossSiteScripting()
|
||||||
{
|
{
|
||||||
getSelenium().open( "/archiva/admin/deleteNetworkProxy!confirm.action?proxyid=\"/>1<script>alert('xss')</script>");
|
getSelenium().open(
|
||||||
|
"/archiva/admin/deleteNetworkProxy!confirm.action?proxyid=\"/>1<script>alert('xss')</script>" );
|
||||||
assertTextPresent( "Security Alert - Invalid Token Found" );
|
assertTextPresent( "Security Alert - Invalid Token Found" );
|
||||||
assertTextPresent( "Possible CSRF attack detected! Invalid token found in the request." );
|
assertTextPresent( "Possible CSRF attack detected! Invalid token found in the request." );
|
||||||
}
|
}
|
||||||
|
|
||||||
public void testDeleteNetworkProxyImmunityToEncodedURLCrossSiteScripting()
|
public void testDeleteNetworkProxyImmunityToEncodedURLCrossSiteScripting()
|
||||||
{
|
{
|
||||||
getSelenium().open( "/archiva/admin/deleteNetworkProxy!confirm.action?proxyid=%22%2F%3E1%3Cscript%3Ealert('xss')%3C%2Fscript%3E");
|
getSelenium().open(
|
||||||
|
"/archiva/admin/deleteNetworkProxy!confirm.action?proxyid=%22%2F%3E1%3Cscript%3Ealert('xss')%3C%2Fscript%3E" );
|
||||||
assertTextPresent( "Security Alert - Invalid Token Found" );
|
assertTextPresent( "Security Alert - Invalid Token Found" );
|
||||||
assertTextPresent( "Possible CSRF attack detected! Invalid token found in the request." );
|
assertTextPresent( "Possible CSRF attack detected! Invalid token found in the request." );
|
||||||
}
|
}
|
||||||
|
@ -130,61 +158,83 @@ public class XSSSecurityTest
|
||||||
{
|
{
|
||||||
goToRepositoriesPage();
|
goToRepositoriesPage();
|
||||||
getSelenium().open( "/archiva/admin/addRepository.action" );
|
getSelenium().open( "/archiva/admin/addRepository.action" );
|
||||||
addManagedRepository( "test\"><script>alert('xss')</script>", "test\"><script>alert('xss')</script>" , "test\"><script>alert('xss')</script>" , "test\"><script>alert('xss')</script>", "Maven 2.x Repository", "", "-1", "101" );
|
addManagedRepository( "test\"><script>alert('xss')</script>", "test\"><script>alert('xss')</script>",
|
||||||
|
"test\"><script>alert('xss')</script>", "test\"><script>alert('xss')</script>",
|
||||||
|
"Maven 2.x Repository", "", "-1", "101" );
|
||||||
// xss inputs are blocked by validation.
|
// xss inputs are blocked by validation.
|
||||||
assertTextPresent( "Identifier must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
|
assertTextPresent(
|
||||||
assertTextPresent( "Directory must only contain alphanumeric characters, equals(=), question-marks(?), exclamation-points(!), ampersands(&), forward-slashes(/), back-slashes(\\), underscores(_), dots(.), colons(:), tildes(~), and dashes(-)." );
|
"Identifier must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
|
||||||
assertTextPresent( "Repository Name must only contain alphanumeric characters, white-spaces(' '), forward-slashes(/), open-parenthesis('('), close-parenthesis(')'), underscores(_), dots(.), and dashes(-)." );
|
assertTextPresent(
|
||||||
assertTextPresent( "Index directory must only contain alphanumeric characters, equals(=), question-marks(?), exclamation-points(!), ampersands(&), forward-slashes(/), back-slashes(\\), underscores(_), dots(.), colons(:), tildes(~), and dashes(-)." );
|
"Directory must only contain alphanumeric characters, equals(=), question-marks(?), exclamation-points(!), ampersands(&), forward-slashes(/), back-slashes(\\), underscores(_), dots(.), colons(:), tildes(~), and dashes(-)." );
|
||||||
assertTextPresent( "Repository Purge By Retention Count needs to be between 1 and 100.");
|
assertTextPresent(
|
||||||
assertTextPresent( "Repository Purge By Days Older Than needs to be larger than 0.");
|
"Repository Name must only contain alphanumeric characters, white-spaces(' '), forward-slashes(/), open-parenthesis('('), close-parenthesis(')'), underscores(_), dots(.), and dashes(-)." );
|
||||||
assertTextPresent( "Invalid cron expression." );
|
assertTextPresent(
|
||||||
|
"Index directory must only contain alphanumeric characters, equals(=), question-marks(?), exclamation-points(!), ampersands(&), forward-slashes(/), back-slashes(\\), underscores(_), dots(.), colons(:), tildes(~), and dashes(-)." );
|
||||||
|
assertTextPresent( "Repository Purge By Retention Count needs to be between 1 and 100." );
|
||||||
|
assertTextPresent( "Repository Purge By Days Older Than needs to be larger than 0." );
|
||||||
|
assertTextPresent( "Invalid cron expression." );
|
||||||
}
|
}
|
||||||
|
|
||||||
public void testEditAppearanceImmunityToInputFieldCrossSiteScripting()
|
public void testEditAppearanceImmunityToInputFieldCrossSiteScripting()
|
||||||
{
|
{
|
||||||
goToAppearancePage();
|
goToAppearancePage();
|
||||||
clickLinkWithText( "Edit" );
|
clickLinkWithText( "Edit" );
|
||||||
addEditAppearance( "test<script>alert('xss')</script>" , "test<script>alert('xss')</script>" , "test<script>alert('xss')</script>" );
|
addEditAppearance( "test<script>alert('xss')</script>", "test<script>alert('xss')</script>",
|
||||||
|
"test<script>alert('xss')</script>", false );
|
||||||
// xss inputs are blocked by validation.
|
// xss inputs are blocked by validation.
|
||||||
assertTextPresent( "Organisation name must only contain alphanumeric characters, white-spaces(' '), equals(=), question-marks(?), exclamation-points(!), ampersands(&), forward-slashes(/), back-slashes(\\), underscores(_), dots(.), colons(:), tildes(~), and dashes(-)." );
|
assertTextPresent(
|
||||||
|
"Organisation name must only contain alphanumeric characters, white-spaces(' '), equals(=), question-marks(?), exclamation-points(!), ampersands(&), forward-slashes(/), back-slashes(\\), underscores(_), dots(.), colons(:), tildes(~), and dashes(-)." );
|
||||||
assertTextPresent( "You must enter a URL" );
|
assertTextPresent( "You must enter a URL" );
|
||||||
assertXpathCount("//span[@class='errorMessage' and text()='You must enter a URL']", 2);
|
assertXpathCount( "//span[@class='errorMessage' and text()='You must enter a URL']", 2 );
|
||||||
}
|
}
|
||||||
|
|
||||||
public void testEditAppearanceImmunityToCrossSiteScriptingRendering()
|
public void testEditAppearanceImmunityToCrossSiteScriptingRendering()
|
||||||
{
|
{
|
||||||
goToAppearancePage();
|
goToAppearancePage();
|
||||||
clickLinkWithText( "Edit" );
|
clickLinkWithText( "Edit" );
|
||||||
addEditAppearance( "xss" , "http://\">test<script>alert(\"xss\")</script>" , "http://\">test<script>alert(\"xss\")</script>" );
|
addEditAppearance( "xss", "http://\">test<script>alert(\"xss\")</script>",
|
||||||
|
"http://\">test<script>alert(\"xss\")</script>", false );
|
||||||
// escaped html/url prevents cross-site scripting exploits
|
// escaped html/url prevents cross-site scripting exploits
|
||||||
assertXpathCount("//td[text()=\"xss\"]", 1);
|
assertXpathCount( "//td[text()=\"xss\"]", 1 );
|
||||||
assertXpathCount("//code[text()='http://\">test<script>alert(\"xss\")</script>']", 2);
|
assertXpathCount( "//code[text()='http://\">test<script>alert(\"xss\")</script>']", 2 );
|
||||||
}
|
}
|
||||||
|
|
||||||
public void testAddLegacyArtifactPathImmunityToInputFieldCrossSiteScripting()
|
public void testAddLegacyArtifactPathImmunityToInputFieldCrossSiteScripting()
|
||||||
{
|
{
|
||||||
goToLegacySupportPage();
|
goToLegacySupportPage();
|
||||||
clickLinkWithText( "Add" );
|
clickLinkWithText( "Add" );
|
||||||
addLegacyArtifactPath( "test<script>alert('xss')</script>" , "test<script>alert('xss')</script>" , "test<script>alert('xss')</script>" , "test<script>alert('xss')</script>" , "test<script>alert('xss')</script>" , "test<script>alert('xss')</script>");
|
addLegacyArtifactPath( "test<script>alert('xss')</script>", "test<script>alert('xss')</script>",
|
||||||
// xss inputs are blocked by validation.
|
"test<script>alert('xss')</script>", "test<script>alert('xss')</script>",
|
||||||
assertTextPresent( "Legacy path must only contain alphanumeric characters, forward-slashes(/), back-slashes(\\), underscores(_), dots(.), and dashes(-)." );
|
"test<script>alert('xss')</script>", "test<script>alert('xss')</script>" );
|
||||||
assertTextPresent( "Group id must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
|
// xss inputs are blocked by validation.
|
||||||
assertTextPresent( "Artifact id must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
|
assertTextPresent(
|
||||||
assertTextPresent( "Version must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
|
"Legacy path must only contain alphanumeric characters, forward-slashes(/), back-slashes(\\), underscores(_), dots(.), and dashes(-)." );
|
||||||
assertTextPresent( "Classifier must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
|
assertTextPresent(
|
||||||
|
"Group id must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
|
||||||
|
assertTextPresent(
|
||||||
|
"Artifact id must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
|
||||||
|
assertTextPresent(
|
||||||
|
"Version must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
|
||||||
|
assertTextPresent(
|
||||||
|
"Classifier must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
|
||||||
assertTextPresent( "Type must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
|
assertTextPresent( "Type must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
|
||||||
}
|
}
|
||||||
|
|
||||||
public void testAddNetworkProxyImmunityToInputFieldCrossSiteScripting()
|
public void testAddNetworkProxyImmunityToInputFieldCrossSiteScripting()
|
||||||
{
|
{
|
||||||
goToNetworkProxiesPage();
|
goToNetworkProxiesPage();
|
||||||
addNetworkProxy( "test<script>alert('xss')</script>", "test<script>alert('xss')</script>", "test<script>alert('xss')</script>", "test<script>alert('xss')</script>", "test<script>alert('xss')</script>", "");
|
addNetworkProxy( "test<script>alert('xss')</script>", "test<script>alert('xss')</script>",
|
||||||
// xss inputs are blocked by validation.
|
"test<script>alert('xss')</script>", "test<script>alert('xss')</script>",
|
||||||
assertTextPresent( "Proxy id must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
|
"test<script>alert('xss')</script>", "" );
|
||||||
assertTextPresent( "Protocol must only contain alphanumeric characters, forward-slashes(/), back-slashes(\\), dots(.), colons(:), and dashes(-)." );
|
// xss inputs are blocked by validation.
|
||||||
assertTextPresent( "Host must only contain alphanumeric characters, equals(=), question-marks(?), exclamation-points(!), ampersands(&), forward-slashes(/), back-slashes(\\), underscores(_), dots(.), colons(:), tildes(~), and dashes(-)." );
|
assertTextPresent(
|
||||||
|
"Proxy id must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
|
||||||
|
assertTextPresent(
|
||||||
|
"Protocol must only contain alphanumeric characters, forward-slashes(/), back-slashes(\\), dots(.), colons(:), and dashes(-)." );
|
||||||
|
assertTextPresent(
|
||||||
|
"Host must only contain alphanumeric characters, equals(=), question-marks(?), exclamation-points(!), ampersands(&), forward-slashes(/), back-slashes(\\), underscores(_), dots(.), colons(:), tildes(~), and dashes(-)." );
|
||||||
assertTextPresent( "Invalid field value for field \"proxy.port\"." );
|
assertTextPresent( "Invalid field value for field \"proxy.port\"." );
|
||||||
assertTextPresent( "Username must only contain alphanumeric characters, at's(@), forward-slashes(/), back-slashes(\\), underscores(_), dots(.), and dashes(-)." );
|
assertTextPresent(
|
||||||
|
"Username must only contain alphanumeric characters, at's(@), forward-slashes(/), back-slashes(\\), underscores(_), dots(.), and dashes(-)." );
|
||||||
}
|
}
|
||||||
}
|
}
|
|
@ -480,12 +480,12 @@ public abstract class AbstractArchivaTest
|
||||||
assertLinkPresent( "Change your appearance" );
|
assertLinkPresent( "Change your appearance" );
|
||||||
}
|
}
|
||||||
|
|
||||||
public void addEditAppearance( String name, String url, String logoUrl )
|
public void addEditAppearance( String name, String url, String logoUrl, boolean wait)
|
||||||
{
|
{
|
||||||
setFieldValue( "organisationName", name );
|
setFieldValue( "organisationName", name );
|
||||||
setFieldValue( "organisationUrl", url );
|
setFieldValue( "organisationUrl", url );
|
||||||
setFieldValue( "organisationLogo", logoUrl );
|
setFieldValue( "organisationLogo", logoUrl );
|
||||||
clickButtonWithValue( "Save" );
|
clickButtonWithValue( "Save", wait );
|
||||||
}
|
}
|
||||||
|
|
||||||
public void goToHomePage()
|
public void goToHomePage()
|
||||||
|
|
|
@ -431,7 +431,8 @@ public abstract class AbstractSeleniumTest
|
||||||
|
|
||||||
public void assertXpathCount( String locator, int expectedCount )
|
public void assertXpathCount( String locator, int expectedCount )
|
||||||
{
|
{
|
||||||
Assert.assertEquals( getSelenium().getXpathCount( locator ).intValue(), expectedCount );
|
int count = getSelenium().getXpathCount( locator ).intValue();
|
||||||
|
Assert.assertEquals( count, expectedCount );
|
||||||
}
|
}
|
||||||
|
|
||||||
public void assertElementValue( String locator, String expectedValue )
|
public void assertElementValue( String locator, String expectedValue )
|
||||||
|
|
Loading…
Reference in New Issue