]> source.dussan.org Git - archiva.git/blob
15e799e9a7d3960b68ec68c9852caf9e219fe8ae
[archiva.git] /
1 package org.apache.archiva.web.test;
2
3 /*
4  * Licensed to the Apache Software Foundation (ASF) under one
5  * or more contributor license agreements.  See the NOTICE file
6  * distributed with this work for additional information
7  * regarding copyright ownership.  The ASF licenses this file
8  * to you under the Apache License, Version 2.0 (the
9  * "License"); you may not use this file except in compliance
10  * with the License.  You may obtain a copy of the License at
11  *
12  *   http://www.apache.org/licenses/LICENSE-2.0
13  *
14  * Unless required by applicable law or agreed to in writing,
15  * software distributed under the License is distributed on an
16  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
17  * KIND, either express or implied.  See the License for the
18  * specific language governing permissions and limitations
19  * under the License.
20  */
21
22 import org.apache.archiva.web.test.parent.AbstractArchivaTest;
23 import org.testng.annotations.Test;
24
25 /**
26  * Test all actions affected with XSS security issue.
27  */
28 @Test( groups = { "xss" }, dependsOnMethods = { "testWithCorrectUsernamePassword" }, sequential = true )
29 public class XSSSecurityTest
30     extends AbstractArchivaTest
31 {
32     public void testDeleteArtifactImmunityToURLCrossSiteScripting()
33     {
34         getSelenium().open(
35             "/archiva/deleteArtifact!doDelete.action?groupId=\"/>1<script>alert('xss')</script>&artifactId=\"/>1<script>alert('xss')</script>&version=\"/>1<script>alert('xss')</script>&repositoryId=\"/>1<script>alert('xss')</script>" );
36         assertDeleteArtifactPage();
37         assertTextPresent( "Invalid version." );
38         assertTextPresent(
39             "User is not authorized to delete artifacts in repository '\"/>1<script>alert('xss')</script>'." );
40         assertTextPresent(
41             "Group id must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
42         assertTextPresent(
43             "Artifact id must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
44         assertTextPresent(
45             "Repository id must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
46         assertElementValue( "//input[@id='deleteArtifact_groupId']", "\"/>1<script>alert('xss')</script>" );
47         assertElementValue( "//input[@id='deleteArtifact_artifactId']", "\"/>1<script>alert('xss')</script>" );
48         assertElementValue( "//input[@id='deleteArtifact_version']", "\"/>1<script>alert('xss')</script>" );
49         assertElementValue( "//select[@id='deleteArtifact_repositoryId']", "internal" );
50     }
51
52     public void testDeleteArtifactImmunityToEncodedURLCrossSiteScripting()
53     {
54         getSelenium().open(
55             "/archiva/deleteArtifact!doDelete.action?groupId=%22%2F%3E1%3Cscript%3Ealert('xss')%3C%2Fscript%3E&artifactId=%22%2F%3E1%3Cscript%3Ealert('xss')%3C%2Fscript%3E&version=%22%2F%3E1%3Cscript%3Ealert('xss')%3C%2Fscript%3E&repositoryId=%22%2F%3E1%3Cscript%3Ealert('xss')%3C%2Fscript%3E" );
56         assertDeleteArtifactPage();
57         assertTextPresent( "Invalid version." );
58         assertTextPresent(
59             "User is not authorized to delete artifacts in repository '\"/>1<script>alert('xss')</script>'." );
60         assertTextPresent(
61             "Group id must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
62         assertTextPresent(
63             "Artifact id must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
64         assertTextPresent(
65             "Repository id must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
66         assertElementValue( "//input[@id='deleteArtifact_groupId']", "\"/>1<script>alert('xss')</script>" );
67         assertElementValue( "//input[@id='deleteArtifact_artifactId']", "\"/>1<script>alert('xss')</script>" );
68         assertElementValue( "//input[@id='deleteArtifact_version']", "\"/>1<script>alert('xss')</script>" );
69         assertElementValue( "//select[@id='deleteArtifact_repositoryId']", "internal" );
70     }
71
72     public void testEditAppearanceImmunityToURLCrossSiteScripting()
73     {
74         getSelenium().open(
75             "/archiva/admin/configureAppearance.action?organisationName=<script>alert('xss')</script>&organisationUrl=<script>alert('xss')</script>&organisationLogo=<script>alert('xss')</script>" );
76         assertAppearancePage();
77         assertXpathCount( "//td[text()=\"<script>alert('xss')</script>\"]", 1 );
78         assertXpathCount( "//code[text()=\"<script>alert('xss')</script>\"]", 2 );
79
80     }
81
82     public void testEditAppearanceImmunityToEncodedURLCrossSiteScripting()
83     {
84         getSelenium().open(
85             "/archiva/admin/configureAppearance.action?organisationName=%3Cscript%3Ealert('xss')%3C%2Fscript%3E&organisationUrl=%3Cscript%3Ealert('xss')%3C%2Fscript%3E&organisationLogo=%3Cscript%3Ealert('xss')%3C%2Fscript%3E" );
86         assertAppearancePage();
87         assertXpathCount( "//td[text()=\"<script>alert('xss')</script>\"]", 1 );
88         assertXpathCount( "//code[text()=\"<script>alert('xss')</script>\"]", 2 );
89     }
90
91     public void testAddLegacyArtifactImmunityToURLCrossSiteScripting()
92     {
93         getSelenium().open(
94             "/archiva/admin/addLegacyArtifactPath!commit.action?legacyArtifactPath.path=\"/>1<script>alert('xss')</script>&groupId=\"/>1<script>alert('xss')</script>&artifactId=\"/>1<script>alert('xss')</script>&version=\"/>1<script>alert('xss')</script>&classifier=\"/>1<script>alert('xss')</script>&type=\"/>1<script>alert('xss')</script>" );
95         assertAddLegacyArtifactPathPage();
96         assertTextPresent(
97             "Legacy path must only contain alphanumeric characters, forward-slashes(/), back-slashes(\\), underscores(_), dots(.), and dashes(-)." );
98         assertTextPresent(
99             "Group id must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
100         assertTextPresent(
101             "Artifact id must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
102         assertTextPresent(
103             "Version must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
104         assertTextPresent(
105             "Classifier must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
106         assertTextPresent( "Type must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
107         assertElementValue( "//input[@id='addLegacyArtifactPath_legacyArtifactPath_path']",
108                             "\"/>1<script>alert('xss')</script>" );
109         assertElementValue( "//input[@id='addLegacyArtifactPath_artifactId']", "\"/>1<script>alert('xss')</script>" );
110         assertElementValue( "//input[@id='addLegacyArtifactPath_version']", "\"/>1<script>alert('xss')</script>" );
111         assertElementValue( "//input[@id='addLegacyArtifactPath_groupId']", "\"/>1<script>alert('xss')</script>" );
112         assertElementValue( "//input[@id='addLegacyArtifactPath_classifier']", "\"/>1<script>alert('xss')</script>" );
113         assertElementValue( "//input[@id='addLegacyArtifactPath_type']", "\"/>1<script>alert('xss')</script>" );
114     }
115
116     public void testAddLegacyArtifactImmunityToEncodedURLCrossSiteScripting()
117     {
118         getSelenium().open(
119             "/archiva/admin/addLegacyArtifactPath!commit.action?legacyArtifactPath.path=%22%2F%3E1%3Cscript%3Ealert('xss')%3C%2Fscript%3E&groupId=%22%2F%3E1%3Cscript%3Ealert('xss')%3C%2Fscript%3E&artifactId=%22%2F%3E1%3Cscript%3Ealert('xss')%3C%2Fscript%3E&version=%22%2F%3E1%3Cscript%3Ealert('xss')%3C%2Fscript%3E&classifier=%22%2F%3E1%3Cscript%3Ealert('xss')%3C%2Fscript%3E&type=%22%2F%3E1%3Cscript%3Ealert('xss')%3C%2Fscript%3E" );
120         assertAddLegacyArtifactPathPage();
121         assertTextPresent(
122             "Legacy path must only contain alphanumeric characters, forward-slashes(/), back-slashes(\\), underscores(_), dots(.), and dashes(-)." );
123         assertTextPresent(
124             "Group id must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
125         assertTextPresent(
126             "Artifact id must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
127         assertTextPresent(
128             "Version must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
129         assertTextPresent(
130             "Classifier must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
131         assertTextPresent( "Type must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
132         assertElementValue( "//input[@id='addLegacyArtifactPath_legacyArtifactPath_path']",
133                             "\"/>1<script>alert('xss')</script>" );
134         assertElementValue( "//input[@id='addLegacyArtifactPath_artifactId']", "\"/>1<script>alert('xss')</script>" );
135         assertElementValue( "//input[@id='addLegacyArtifactPath_version']", "\"/>1<script>alert('xss')</script>" );
136         assertElementValue( "//input[@id='addLegacyArtifactPath_groupId']", "\"/>1<script>alert('xss')</script>" );
137         assertElementValue( "//input[@id='addLegacyArtifactPath_classifier']", "\"/>1<script>alert('xss')</script>" );
138         assertElementValue( "//input[@id='addLegacyArtifactPath_type']", "\"/>1<script>alert('xss')</script>" );
139     }
140
141     public void testDeleteNetworkProxyImmunityToURLCrossSiteScripting()
142     {
143         getSelenium().open(
144             "/archiva/admin/deleteNetworkProxy!confirm.action?proxyid=\"/>1<script>alert('xss')</script>" );
145         assertTextPresent( "Security Alert - Invalid Token Found" );
146         assertTextPresent( "Possible CSRF attack detected! Invalid token found in the request." );
147     }
148
149     public void testDeleteNetworkProxyImmunityToEncodedURLCrossSiteScripting()
150     {
151         getSelenium().open(
152             "/archiva/admin/deleteNetworkProxy!confirm.action?proxyid=%22%2F%3E1%3Cscript%3Ealert('xss')%3C%2Fscript%3E" );
153         assertTextPresent( "Security Alert - Invalid Token Found" );
154         assertTextPresent( "Possible CSRF attack detected! Invalid token found in the request." );
155     }
156
157     public void testAddManagedRepositoryImmunityToInputFieldCrossSiteScripting()
158     {
159         goToRepositoriesPage();
160         getSelenium().open( "/archiva/admin/addRepository.action" );
161         addManagedRepository( "test\"><script>alert('xss')</script>", "test\"><script>alert('xss')</script>",
162                               "test\"><script>alert('xss')</script>", "test\"><script>alert('xss')</script>",
163                               "Maven 2.x Repository", "", "-1", "101", true );
164         // xss inputs are blocked by validation.
165         assertTextPresent(
166             "Identifier must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
167         assertTextPresent(
168             "Directory must only contain alphanumeric characters, equals(=), question-marks(?), exclamation-points(!), ampersands(&), forward-slashes(/), back-slashes(\\), underscores(_), dots(.), colons(:), tildes(~), and dashes(-)." );
169         assertTextPresent(
170             "Repository Name must only contain alphanumeric characters, white-spaces(' '), forward-slashes(/), open-parenthesis('('), close-parenthesis(')'), underscores(_), dots(.), and dashes(-)." );
171         assertTextPresent(
172             "Index directory must only contain alphanumeric characters, equals(=), question-marks(?), exclamation-points(!), ampersands(&), forward-slashes(/), back-slashes(\\), underscores(_), dots(.), colons(:), tildes(~), and dashes(-)." );
173         assertTextPresent( "Repository Purge By Retention Count needs to be between 1 and 100." );
174         assertTextPresent( "Repository Purge By Days Older Than needs to be larger than 0." );
175         assertTextPresent( "Invalid cron expression." );
176     }
177
178     public void testEditAppearanceImmunityToInputFieldCrossSiteScripting()
179     {
180         goToAppearancePage();
181         clickLinkWithText( "Edit" );
182         addEditAppearance( "test<script>alert('xss')</script>", "test<script>alert('xss')</script>",
183                            "test<script>alert('xss')</script>", false );
184         // xss inputs are blocked by validation.
185         assertTextPresent(
186             "Organisation name must only contain alphanumeric characters, white-spaces(' '), equals(=), question-marks(?), exclamation-points(!), ampersands(&), forward-slashes(/), back-slashes(\\), underscores(_), dots(.), colons(:), tildes(~), and dashes(-)." );
187         assertTextPresent( "You must enter a URL" );
188         assertXpathCount( "//span[@class='errorMessage'/text()='You must enter a URL']", 2 );
189     }
190
191     public void testEditAppearanceImmunityToCrossSiteScriptingRendering()
192     {
193         goToAppearancePage();
194         clickLinkWithText( "Edit" );
195         addEditAppearance( "xss", "http://\">test<script>alert(\"xss\")</script>",
196                            "http://\">test<script>alert(\"xss\")</script>", false );
197         // escaped html/url prevents cross-site scripting exploits
198         assertXpathCount( "//td[text()=\"xss\"]", 1 );
199         assertXpathCount( "//code[text()='http://\">test<script>alert(\"xss\")</script>']", 2 );
200     }
201
202     public void testAddLegacyArtifactPathImmunityToInputFieldCrossSiteScripting()
203     {
204         goToLegacySupportPage();
205         clickLinkWithText( "Add" );
206         addLegacyArtifactPath( "test<script>alert('xss')</script>", "test<script>alert('xss')</script>",
207                                "test<script>alert('xss')</script>", "test<script>alert('xss')</script>",
208                                "test<script>alert('xss')</script>", "test<script>alert('xss')</script>" );
209         // xss inputs are blocked by validation.
210         assertTextPresent(
211             "Legacy path must only contain alphanumeric characters, forward-slashes(/), back-slashes(\\), underscores(_), dots(.), and dashes(-)." );
212         assertTextPresent(
213             "Group id must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
214         assertTextPresent(
215             "Artifact id must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
216         assertTextPresent(
217             "Version must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
218         assertTextPresent(
219             "Classifier must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
220         assertTextPresent( "Type must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
221     }
222
223     public void testAddNetworkProxyImmunityToInputFieldCrossSiteScripting()
224     {
225         goToNetworkProxiesPage();
226         addNetworkProxy( "test<script>alert('xss')</script>", "test<script>alert('xss')</script>",
227                          "test<script>alert('xss')</script>", "test<script>alert('xss')</script>",
228                          "test<script>alert('xss')</script>", "" );
229         // xss inputs are blocked by validation.
230         assertTextPresent(
231             "Proxy id must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
232         assertTextPresent(
233             "Protocol must only contain alphanumeric characters, forward-slashes(/), back-slashes(\\), dots(.), colons(:), and dashes(-)." );
234         assertTextPresent(
235             "Host must only contain alphanumeric characters, equals(=), question-marks(?), exclamation-points(!), ampersands(&), forward-slashes(/), back-slashes(\\), underscores(_), dots(.), colons(:), tildes(~), and dashes(-)." );
236         assertTextPresent( "Invalid field value for field \"proxy.port\"." );
237         assertTextPresent(
238             "Username must only contain alphanumeric characters, at's(@), forward-slashes(/), back-slashes(\\), underscores(_), dots(.), and dashes(-)." );
239     }
240 }