Add url validation for certain fields

(cherry picked from commit a36035b49ba7d6514d6c386b51e1ad2512371b3d)
This commit is contained in:
Martin Stockhammer 2019-02-22 21:10:19 +01:00
parent a9ebba65ac
commit 890bca0be6
2 changed files with 58 additions and 3 deletions


@ -35,9 +35,14 @@
import org.apache.http.impl.conn.PoolingHttpClientConnectionManager; import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;
import org.apache.maven.wagon.providers.http.HttpWagon; import org.apache.maven.wagon.providers.http.HttpWagon;
import org.springframework.stereotype.Service; import org.springframework.stereotype.Service;
import org.springframework.util.ResourceUtils;
import javax.annotation.PostConstruct; import javax.annotation.PostConstruct;
import javax.annotation.PreDestroy; import javax.annotation.PreDestroy;
import java.io.UnsupportedEncodingException;
import java.net.MalformedURLException;
import java.net.URL;
import java.net.URLEncoder;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.Collections; import java.util.Collections;
import java.util.List; import java.util.List;
@ -320,16 +325,29 @@ public OrganisationInformation getOrganisationInformation()
return getModelMapper().map( organisationInformation, OrganisationInformation.class ); return getModelMapper().map( organisationInformation, OrganisationInformation.class );
} }
private void checkUrl(String url, String propertyName) throws RepositoryAdminException {
if ( StringUtils.isNotEmpty( url ) )
{
if ( !ResourceUtils.isUrl( url ) )
{
throw new RepositoryAdminException( "Bad URL in " + propertyName + ": " + url );
}
}
}
@Override @Override
public void setOrganisationInformation( OrganisationInformation organisationInformation ) public void setOrganisationInformation( OrganisationInformation organisationInformation )
throws RepositoryAdminException throws RepositoryAdminException
{ {
Configuration configuration = getArchivaConfiguration().getConfiguration(); checkUrl(organisationInformation.getUrl(), "url");
checkUrl( organisationInformation.getLogoLocation(), "logoLocation" );
Configuration configuration = getArchivaConfiguration( ).getConfiguration( );
if ( organisationInformation != null ) if ( organisationInformation != null )
{ {
org.apache.archiva.configuration.OrganisationInformation organisationInformationModel = org.apache.archiva.configuration.OrganisationInformation organisationInformationModel =
getModelMapper().map( organisationInformation, getModelMapper( ).map( organisationInformation,
org.apache.archiva.configuration.OrganisationInformation.class ); org.apache.archiva.configuration.OrganisationInformation.class );
configuration.setOrganisationInfo( organisationInformationModel ); configuration.setOrganisationInfo( organisationInformationModel );
} }
else else
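Review bot: The new `checkUrl(organisationInformation.getUrl(), "url")` and `checkUrl( organisationInformation.getLogoLocation(), "logoLocation" )` calls dereference the parameter before the existing `if ( organisationInformation != null )` guard, so a null argument that previously reached the else branch now fails with a NullPointerException instead of a RepositoryAdminException. Move both calls to the top of the non-null block, e.g. `if ( organisationInformation != null ) { checkUrl( organisationInformation.getUrl(), "url" ); checkUrl( organisationInformation.getLogoLocation(), "logoLocation" ); ...`. Spring's `ResourceUtils.isUrl` also accepts the `classpath:` prefix and any scheme the JVM has a protocol handler for (file:, jar:), so if these values are later rendered as a link or image source, restricting `checkUrl` to http/https would be the tighter check — worth confirming against how the UI consumes them. The `java.net`/`java.io` imports added in the first hunk are not referenced by the visible new code; if nothing outside the hunks uses them they should be dropped. setOrganisationInformation's body continues past the end of this hunk.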


@ -216,6 +216,43 @@ public void organisationInfoUpdate()
} }
@Test
public void badOrganisationInfoLogoLocation( )
{
try
{
OrganisationInformation newOrganisationInformation = new OrganisationInformation( );
newOrganisationInformation.setLogoLocation( "'/><svg/onload=alert(/logoLocation_xss/)>" );
newOrganisationInformation.setName( "foo org" );
newOrganisationInformation.setUrl( "http://foo.com" );
archivaAdministration.setOrganisationInformation( newOrganisationInformation );
fail( "RepositoryAdminException expected. Bad URL content should not be allowed for logo location." );
}
catch ( RepositoryAdminException e )
{
// OK
}
}
@Test
public void badOrganisationInfoUrl( )
{
try
{
OrganisationInformation newOrganisationInformation = new OrganisationInformation( );
newOrganisationInformation.setUrl( "'/><svg/onload=alert(/url_xss/)>" );
newOrganisationInformation.setName( "foo org" );
newOrganisationInformation.setLogoLocation( "http://foo.com/bar.png" );
archivaAdministration.setOrganisationInformation( newOrganisationInformation );
fail( "RepositoryAdminException expected. Bad URL content should not be allowed for logo location." );
}
catch ( RepositoryAdminException e )
{
// OK
}
}
@Test @Test
public void uiConfiguration() public void uiConfiguration()
throws Exception throws Exception