1 package org.apache.archiva.web.test;
2
3 /*
4  * Licensed to the Apache Software Foundation (ASF) under one
5  * or more contributor license agreements.  See the NOTICE file
6  * distributed with this work for additional information
7  * regarding copyright ownership.  The ASF licenses this file
8  * to you under the Apache License, Version 2.0 (the
9  * "License"); you may not use this file except in compliance
10  * with the License.  You may obtain a copy of the License at
11  *
12  *   http://www.apache.org/licenses/LICENSE-2.0
13  *
14  * Unless required by applicable law or agreed to in writing,
15  * software distributed under the License is distributed on an
16  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
17  * KIND, either express or implied.  See the License for the
18  * specific language governing permissions and limitations
19  * under the License.
20  */
21
22 import org.apache.archiva.web.test.parent.AbstractArchivaTest;
23 import org.testng.annotations.Test;
24
25 /**
 * Tests all actions affected by the XSS security issue.
27  */
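@Test( groups = { "xss" }, dependsOnMethods = { "testWithCorrectUsernamePassword" }, sequential = true )
public class XSSSecurityTest
    extends AbstractArchivaTest
{
    // NOTE(review): "sequential" is the older TestNG spelling of "singleThreaded"; left unchanged
    // because the TestNG version this module builds against is not visible from this file.

    /**
     * Reflected payload that first closes the enclosing attribute and tag ({@code "/>}) before the
     * script element, so it exercises reflection into an input's {@code value} attribute as well as
     * into element text.
     */
    private static final String ATTR_BREAKOUT_PAYLOAD = "\"/>1<script>alert('xss')</script>";

    /** {@link #ATTR_BREAKOUT_PAYLOAD} percent-encoded, as a browser submits it in a query string. */
    private static final String ATTR_BREAKOUT_PAYLOAD_ENCODED = "%22%2F%3E1%3Cscript%3Ealert('xss')%3C%2Fscript%3E";

    /** Plain script element, for pages that echo the value as element text. */
    private static final String SCRIPT_PAYLOAD = "<script>alert('xss')</script>";

    /** {@link #SCRIPT_PAYLOAD} percent-encoded. */
    private static final String SCRIPT_PAYLOAD_ENCODED = "%3Cscript%3Ealert('xss')%3C%2Fscript%3E";

    /** Payload typed into form fields by the input-field tests. */
    private static final String FIELD_PAYLOAD = "test" + SCRIPT_PAYLOAD;

    /** Form-field payload that also closes the surrounding attribute and tag. */
    private static final String FIELD_ATTR_BREAKOUT_PAYLOAD = "test\">" + SCRIPT_PAYLOAD;

    /** Message suffix for fields restricted to identifier characters. */
    private static final String ID_CHARS_MESSAGE =
        " must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-).";

    /** Message suffix for directory / host style fields. */
    private static final String PATH_CHARS_MESSAGE =
        " must only contain alphanumeric characters, equals(=), question-marks(?), exclamation-points(!), ampersands(&), forward-slashes(/), back-slashes(\\), underscores(_), dots(.), colons(:), tildes(~), and dashes(-).";

    private static final String LEGACY_PATH_MESSAGE =
        "Legacy path must only contain alphanumeric characters, forward-slashes(/), back-slashes(\\), underscores(_), dots(.), and dashes(-).";

    /**
     * Opens the delete-artifact action with the attribute-breaking payload in every parameter and
     * checks that validation rejects it and the re-rendered form escapes it.
     */
    public void testDeleteArtifactImmunityToURLCrossSiteScripting()
    {
        getSelenium().open( deleteArtifactUrl( ATTR_BREAKOUT_PAYLOAD ) );
        assertDeleteArtifactPayloadRejected();
    }

    /**
     * As {@link #testDeleteArtifactImmunityToURLCrossSiteScripting()}, but with the payload
     * percent-encoded so the server decodes it rather than the browser.
     */
    public void testDeleteArtifactImmunityToEncodedURLCrossSiteScripting()
    {
        getSelenium().open( deleteArtifactUrl( ATTR_BREAKOUT_PAYLOAD_ENCODED ) );
        assertDeleteArtifactPayloadRejected();
    }

    /**
     * Opens the appearance action with script markup in every parameter and checks that the page
     * shows it as text (escaped) rather than as elements.
     */
    public void testEditAppearanceImmunityToURLCrossSiteScripting()
    {
        getSelenium().open( configureAppearanceUrl( SCRIPT_PAYLOAD ) );
        assertAppearanceEchoesPayloadAsText();
    }

    /** As {@link #testEditAppearanceImmunityToURLCrossSiteScripting()} with the payload percent-encoded. */
    public void testEditAppearanceImmunityToEncodedURLCrossSiteScripting()
    {
        getSelenium().open( configureAppearanceUrl( SCRIPT_PAYLOAD_ENCODED ) );
        assertAppearanceEchoesPayloadAsText();
    }

    /**
     * Commits a legacy artifact path with the attribute-breaking payload in every parameter and
     * checks that each field is rejected and the re-rendered inputs carry it as a value only.
     */
    public void testAddLegacyArtifactImmunityToURLCrossSiteScripting()
    {
        getSelenium().open( addLegacyArtifactPathUrl( ATTR_BREAKOUT_PAYLOAD ) );
        assertAddLegacyArtifactPathPayloadRejected();
    }

    /** As {@link #testAddLegacyArtifactImmunityToURLCrossSiteScripting()} with the payload percent-encoded. */
    public void testAddLegacyArtifactImmunityToEncodedURLCrossSiteScripting()
    {
        getSelenium().open( addLegacyArtifactPathUrl( ATTR_BREAKOUT_PAYLOAD_ENCODED ) );
        assertAddLegacyArtifactPathPayloadRejected();
    }

    /**
     * Opens the delete-network-proxy confirmation with a payload as {@code proxyid}.
     * <p>
     * Only the token-check messages are asserted: the request is refused for lacking a CSRF token,
     * so whether {@code proxyid} would be escaped on a page that does render it is not covered by
     * this test.
     */
    public void testDeleteNetworkProxyImmunityToURLCrossSiteScripting()
    {
        getSelenium().open( deleteNetworkProxyUrl( ATTR_BREAKOUT_PAYLOAD ) );
        assertDeleteNetworkProxyRejectedByTokenCheck();
    }

    /** As {@link #testDeleteNetworkProxyImmunityToURLCrossSiteScripting()} with the payload percent-encoded. */
    public void testDeleteNetworkProxyImmunityToEncodedURLCrossSiteScripting()
    {
        getSelenium().open( deleteNetworkProxyUrl( ATTR_BREAKOUT_PAYLOAD_ENCODED ) );
        assertDeleteNetworkProxyRejectedByTokenCheck();
    }

    /**
     * Types the attribute-breaking payload into every text field of the add-repository form and
     * checks that each field's validation message appears.
     */
    // The bare @Test is redundant with the class-level annotation; kept so TestNG's merging of the
    // class-level groups/dependsOnMethods with this method is unchanged.
    @Test
    public void testAddManagedRepositoryImmunityToInputFieldCrossSiteScripting()
    {
        // TODO: these are evaluated client side now - we should force it to do server-side to make sure (though this could probably be tested in the webapp tests instead)
        getSelenium().open( "/archiva/admin/addRepository.action" );
        addManagedRepository( FIELD_ATTR_BREAKOUT_PAYLOAD, FIELD_ATTR_BREAKOUT_PAYLOAD, FIELD_ATTR_BREAKOUT_PAYLOAD,
                              FIELD_ATTR_BREAKOUT_PAYLOAD, "Maven 2.x Repository", "", "-1", "101", false );
        // xss inputs are blocked by validation.
        assertIdentifierCharsRejected( "Identifier" );
        assertPathCharsRejected( "Directory" );
        assertTextPresent(
            "Repository Name must only contain alphanumeric characters, white-spaces(' '), forward-slashes(/), open-parenthesis('('), close-parenthesis(')'), underscores(_), dots(.), and dashes(-)." );
        assertPathCharsRejected( "Index directory" );
        assertTextPresent( "Repository Purge By Retention Count needs to be between 1 and 100." );
        assertTextPresent( "Repository Purge By Days Older Than needs to be larger than 0." );
        assertTextPresent( "Cron expression is required." );
    }

    /**
     * Submits a valid repository whose cron expression carries the payload; the cron field is the
     * one add-repository field validated on the server.
     */
    @Test
    public void testAddManagedRepositoryImmunityToInputFieldCrossSiteScriptingCron()
    {
        // separate test because cron is evaluated server side, not client side
        getSelenium().open( "/archiva/admin/addRepository.action" );
        addManagedRepository( "id", "name", "/home", "/.index", "Maven 2.x Repository",
                              "<test\"><script>alert('xss')</script>", "1", "1", true );
        assertTextPresent( "Invalid cron expression." );
    }

    /** Types the payload into the three appearance fields and checks each one is rejected. */
    public void testEditAppearanceImmunityToInputFieldCrossSiteScripting()
    {
        goToAppearancePage();
        clickLinkWithText( "Edit" );
        addEditAppearance( FIELD_PAYLOAD, FIELD_PAYLOAD, FIELD_PAYLOAD, false );
        // xss inputs are blocked by validation.
        assertTextPresent(
            "Organisation name must only contain alphanumeric characters, white-spaces(' '), equals(=), question-marks(?), exclamation-points(!), ampersands(&), forward-slashes(/), back-slashes(\\), underscores(_), dots(.), colons(:), tildes(~), and dashes(-)." );
        assertTextPresent( "You must enter a URL." );
        assertTextPresent( "You must enter a URL for your logo." );
    }

    /**
     * Submits script markup inside the two URL fields of the appearance form.
     * <p>
     * Only the URL-format validation messages are asserted. The rendered-output checks this test
     * was named for were dropped once client-side validation started catching the input, so the
     * escaping of a stored value on display is no longer verified here; client-side validation is
     * not a server-side control (see the TODO in
     * {@link #testAddManagedRepositoryImmunityToInputFieldCrossSiteScripting()}).
     */
    public void testEditAppearanceImmunityToCrossSiteScriptingRendering()
    {
        goToAppearancePage();
        clickLinkWithText( "Edit" );
        String urlPayload = "http://\">test<script>alert(\"xss\")</script>";
        addEditAppearance( "xss", urlPayload, urlPayload, false );
        // Javascript catches this instead now
        assertTextPresent( "You must enter a URL." );
        assertTextPresent( "You must enter a URL for your logo." );
    }

    /** Types the payload into every legacy-artifact-path field and checks each one is rejected. */
    public void testAddLegacyArtifactPathImmunityToInputFieldCrossSiteScripting()
    {
        goToLegacySupportPage();
        clickLinkWithText( "Add" );
        addLegacyArtifactPath( FIELD_PAYLOAD, FIELD_PAYLOAD, FIELD_PAYLOAD, FIELD_PAYLOAD, FIELD_PAYLOAD,
                               FIELD_PAYLOAD, false );
        // xss inputs are blocked by validation.
        assertLegacyArtifactPathFieldsRejected();
    }

    /** Types the payload into every network-proxy field and checks each one is rejected. */
    public void testAddNetworkProxyImmunityToInputFieldCrossSiteScripting()
    {
        goToNetworkProxiesPage();
        addNetworkProxy( FIELD_PAYLOAD, FIELD_PAYLOAD, FIELD_PAYLOAD, FIELD_PAYLOAD, FIELD_PAYLOAD, "" );
        // xss inputs are blocked by validation.
        assertIdentifierCharsRejected( "Proxy id" );
        assertTextPresent(
            "Protocol must only contain alphanumeric characters, forward-slashes(/), back-slashes(\\), dots(.), colons(:), and dashes(-)." );
        assertPathCharsRejected( "Host" );
        assertTextPresent( "Invalid field value for field \"proxy.port\"." );
        assertTextPresent(
            "Username must only contain alphanumeric characters, at's(@), forward-slashes(/), back-slashes(\\), underscores(_), dots(.), and dashes(-)." );
    }

    // ---- URL builders: the same value is placed in every parameter of the action ----

    private static String deleteArtifactUrl( String value )
    {
        return "/archiva/deleteArtifact!doDelete.action?groupId=" + value + "&artifactId=" + value + "&version="
            + value + "&repositoryId=" + value;
    }

    private static String configureAppearanceUrl( String value )
    {
        return "/archiva/admin/configureAppearance.action?organisationName=" + value + "&organisationUrl=" + value
            + "&organisationLogo=" + value;
    }

    private static String addLegacyArtifactPathUrl( String value )
    {
        return "/archiva/admin/addLegacyArtifactPath!commit.action?legacyArtifactPath.path=" + value + "&groupId="
            + value + "&artifactId=" + value + "&version=" + value + "&classifier=" + value + "&type=" + value;
    }

    private static String deleteNetworkProxyUrl( String value )
    {
        return "/archiva/admin/deleteNetworkProxy!confirm.action?proxyid=" + value;
    }

    // ---- Shared assertions ----

    /**
     * Asserts the validation message for a field limited to identifier characters.
     *
     * @param field the field label as it appears at the start of the message, e.g. {@code "Group id"}
     */
    private void assertIdentifierCharsRejected( String field )
    {
        assertTextPresent( field + ID_CHARS_MESSAGE );
    }

    /**
     * Asserts the validation message for a directory / host style field.
     *
     * @param field the field label as it appears at the start of the message, e.g. {@code "Host"}
     */
    private void assertPathCharsRejected( String field )
    {
        assertTextPresent( field + PATH_CHARS_MESSAGE );
    }

    /** Delete-artifact page after the payload was submitted in every parameter. */
    private void assertDeleteArtifactPayloadRejected()
    {
        assertDeleteArtifactPage();
        assertTextPresent( "Invalid version." );
        // This message embeds the submitted repository id. assertTextPresent matches rendered page
        // text, so finding the literal payload here indicates it was escaped, not parsed as markup.
        assertTextPresent(
            "User is not authorized to delete artifacts in repository '" + ATTR_BREAKOUT_PAYLOAD + "'." );
        assertIdentifierCharsRejected( "Group id" );
        assertIdentifierCharsRejected( "Artifact id" );
        assertIdentifierCharsRejected( "Repository id" );
        // The inputs must hold the payload as their value, i.e. the attribute was not broken out of.
        assertElementValue( "//input[@id='deleteArtifact_groupId']", ATTR_BREAKOUT_PAYLOAD );
        assertElementValue( "//input[@id='deleteArtifact_artifactId']", ATTR_BREAKOUT_PAYLOAD );
        assertElementValue( "//input[@id='deleteArtifact_version']", ATTR_BREAKOUT_PAYLOAD );
        // The repository select shows "internal" rather than echoing the submitted id.
        assertElementValue( "//select[@id='deleteArtifact_repositoryId']", "internal" );
    }

    /** Appearance page after script markup was submitted in every parameter. */
    private void assertAppearanceEchoesPayloadAsText()
    {
        assertAppearancePage();
        // XPath text() equality only matches a text node, so these counts hold only when the
        // reflected markup was escaped into text rather than parsed into elements.
        assertXpathCount( "//td[text()=\"" + SCRIPT_PAYLOAD + "\"]", 1 );
        assertXpathCount( "//code[text()=\"" + SCRIPT_PAYLOAD + "\"]", 2 );
    }

    /** Validation messages for the six legacy-artifact-path fields. */
    private void assertLegacyArtifactPathFieldsRejected()
    {
        assertTextPresent( LEGACY_PATH_MESSAGE );
        assertIdentifierCharsRejected( "Group id" );
        assertIdentifierCharsRejected( "Artifact id" );
        assertIdentifierCharsRejected( "Version" );
        assertIdentifierCharsRejected( "Classifier" );
        assertIdentifierCharsRejected( "Type" );
    }

    /** Legacy-artifact-path page after the payload was committed in every parameter. */
    private void assertAddLegacyArtifactPathPayloadRejected()
    {
        assertAddLegacyArtifactPathPage();
        assertLegacyArtifactPathFieldsRejected();
        // Re-rendered inputs must hold the payload as a value only.
        assertElementValue( "//input[@id='addLegacyArtifactPath_legacyArtifactPath_path']", ATTR_BREAKOUT_PAYLOAD );
        assertElementValue( "//input[@id='addLegacyArtifactPath_artifactId']", ATTR_BREAKOUT_PAYLOAD );
        assertElementValue( "//input[@id='addLegacyArtifactPath_version']", ATTR_BREAKOUT_PAYLOAD );
        assertElementValue( "//input[@id='addLegacyArtifactPath_groupId']", ATTR_BREAKOUT_PAYLOAD );
        assertElementValue( "//input[@id='addLegacyArtifactPath_classifier']", ATTR_BREAKOUT_PAYLOAD );
        assertElementValue( "//input[@id='addLegacyArtifactPath_type']", ATTR_BREAKOUT_PAYLOAD );
    }

    /** The delete-network-proxy request was refused by the CSRF token check. */
    private void assertDeleteNetworkProxyRejectedByTokenCheck()
    {
        assertTextPresent( "Security Alert - Invalid Token Found" );
        assertTextPresent( "Possible CSRF attack detected! Invalid token found in the request." );
    }
}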