1 package org.apache.archiva.web.test;
4 * Licensed to the Apache Software Foundation (ASF) under one
5 * or more contributor license agreements. See the NOTICE file
6 * distributed with this work for additional information
7 * regarding copyright ownership. The ASF licenses this file
8 * to you under the Apache License, Version 2.0 (the
9 * "License"); you may not use this file except in compliance
10 * with the License. You may obtain a copy of the License at
12 * http://www.apache.org/licenses/LICENSE-2.0
14 * Unless required by applicable law or agreed to in writing,
15 * software distributed under the License is distributed on an
16 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
17 * KIND, either express or implied. See the License for the
18 * specific language governing permissions and limitations
22 import org.apache.archiva.web.test.parent.AbstractArchivaTest;
23 import org.testng.annotations.Test;
26 * Tests all actions affected by the XSS security issue.
28 @Test( groups = { "xss" }, dependsOnMethods = { "testWithCorrectUsernamePassword" }, sequential = true )
29 public class XSSSecurityTest
30 extends AbstractArchivaTest
/**
 * Requests the delete-artifact action with the payload {@code "/>1<script>alert('xss')</script>}
 * in every query parameter (groupId, artifactId, version, repositoryId), sent unencoded.
 * <p>
 * Expected outcome: the delete form is re-rendered with the allow-list validation message for
 * each id field plus "Invalid version." and the not-authorized message. The not-authorized
 * message embeds the injected repository id and is asserted as page text, so the value has to
 * be rendered as text rather than interpreted as markup for the assertion to hold.
 * <p>
 * The {@code assertElementValue} checks read the submitted value back out of the re-rendered
 * input fields. A leading {@code "/>} emitted unescaped into a value attribute would close the
 * tag and alter the field's value, so an exact round-trip is the evidence that the value was
 * attribute-escaped on output. The repository select is expected to show {@code internal},
 * presumably because the injected id is not one of its options — confirm against the form template.
 */
32 public void testDeleteArtifactImmunityToURLCrossSiteScripting()
35 "/archiva/deleteArtifact!doDelete.action?groupId=\"/>1<script>alert('xss')</script>&artifactId=\"/>1<script>alert('xss')</script>&version=\"/>1<script>alert('xss')</script>&repositoryId=\"/>1<script>alert('xss')</script>" );
36 assertDeleteArtifactPage();
37 assertTextPresent( "Invalid version." );
39 "User is not authorized to delete artifacts in repository '\"/>1<script>alert('xss')</script>'." );
41 "Group id must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
43 "Artifact id must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
45 "Repository id must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
// Field values must round-trip exactly: any break-out of the value attribute would change them.
46 assertElementValue( "//input[@id='deleteArtifact_groupId']", "\"/>1<script>alert('xss')</script>" );
47 assertElementValue( "//input[@id='deleteArtifact_artifactId']", "\"/>1<script>alert('xss')</script>" );
48 assertElementValue( "//input[@id='deleteArtifact_version']", "\"/>1<script>alert('xss')</script>" );
49 assertElementValue( "//select[@id='deleteArtifact_repositoryId']", "internal" );
/**
 * Percent-encoded twin of {@link #testDeleteArtifactImmunityToURLCrossSiteScripting()}: the same
 * payload is sent in every delete-artifact query parameter, but URL-encoded as a browser would
 * actually transmit it.
 * <p>
 * The expected messages and the round-tripped field values are identical to the unencoded test,
 * so this guards against the decoded request reaching a different validation or rendering path
 * than the raw one. See the unencoded test for why the exact field-value match matters.
 */
52 public void testDeleteArtifactImmunityToEncodedURLCrossSiteScripting()
55 "/archiva/deleteArtifact!doDelete.action?groupId=%22%2F%3E1%3Cscript%3Ealert('xss')%3C%2Fscript%3E&artifactId=%22%2F%3E1%3Cscript%3Ealert('xss')%3C%2Fscript%3E&version=%22%2F%3E1%3Cscript%3Ealert('xss')%3C%2Fscript%3E&repositoryId=%22%2F%3E1%3Cscript%3Ealert('xss')%3C%2Fscript%3E" );
56 assertDeleteArtifactPage();
57 assertTextPresent( "Invalid version." );
59 "User is not authorized to delete artifacts in repository '\"/>1<script>alert('xss')</script>'." );
61 "Group id must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
63 "Artifact id must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
65 "Repository id must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
// Decoded values must appear verbatim in the fields, exactly as in the unencoded case.
66 assertElementValue( "//input[@id='deleteArtifact_groupId']", "\"/>1<script>alert('xss')</script>" );
67 assertElementValue( "//input[@id='deleteArtifact_artifactId']", "\"/>1<script>alert('xss')</script>" );
68 assertElementValue( "//input[@id='deleteArtifact_version']", "\"/>1<script>alert('xss')</script>" );
69 assertElementValue( "//select[@id='deleteArtifact_repositoryId']", "internal" );
/**
 * Requests the configure-appearance action with {@code <script>alert('xss')</script>} in the
 * organisationName, organisationUrl and organisationLogo query parameters.
 * <p>
 * The assertions look for the payload as the literal text content of one {@code td} and two
 * {@code code} elements, i.e. they check that the values are rendered escaped rather than
 * parsed as markup. Nothing here asserts that the values were rejected or left unsaved; the
 * validation side is exercised by {@link #testEditAppearanceImmunityToInputFieldCrossSiteScripting()}.
 */
72 public void testEditAppearanceImmunityToURLCrossSiteScripting()
75 "/archiva/admin/configureAppearance.action?organisationName=<script>alert('xss')</script>&organisationUrl=<script>alert('xss')</script>&organisationLogo=<script>alert('xss')</script>" );
76 assertAppearancePage();
// text()= matches only if the value is escaped into text; executed or parsed markup would not match.
77 assertXpathCount( "//td[text()=\"<script>alert('xss')</script>\"]", 1 );
78 assertXpathCount( "//code[text()=\"<script>alert('xss')</script>\"]", 2 );
/**
 * Percent-encoded twin of {@link #testEditAppearanceImmunityToURLCrossSiteScripting()}: the same
 * script payload is sent URL-encoded in the three appearance parameters, and the same escaped
 * text rendering (one {@code td}, two {@code code} elements) is expected, so decoding must not
 * change how the values are rendered.
 */
82 public void testEditAppearanceImmunityToEncodedURLCrossSiteScripting()
85 "/archiva/admin/configureAppearance.action?organisationName=%3Cscript%3Ealert('xss')%3C%2Fscript%3E&organisationUrl=%3Cscript%3Ealert('xss')%3C%2Fscript%3E&organisationLogo=%3Cscript%3Ealert('xss')%3C%2Fscript%3E" );
86 assertAppearancePage();
87 assertXpathCount( "//td[text()=\"<script>alert('xss')</script>\"]", 1 );
88 assertXpathCount( "//code[text()=\"<script>alert('xss')</script>\"]", 2 );
/**
 * Requests the add-legacy-artifact-path commit action with the payload
 * {@code "/>1<script>alert('xss')</script>} in all six parameters (legacy path, groupId,
 * artifactId, version, classifier, type), sent unencoded.
 * <p>
 * Expected outcome: the add form is re-rendered with one allow-list validation message per
 * field (the legacy path allow-list additionally permits forward and back slashes, but none of
 * them admit quotes or angle brackets), and each input field echoes the submitted value
 * verbatim. As with the delete-artifact tests, an unescaped {@code "/>} would break out of the
 * value attribute and the exact match would fail, so the round-trip is the escaping check.
 */
91 public void testAddLegacyArtifactImmunityToURLCrossSiteScripting()
94 "/archiva/admin/addLegacyArtifactPath!commit.action?legacyArtifactPath.path=\"/>1<script>alert('xss')</script>&groupId=\"/>1<script>alert('xss')</script>&artifactId=\"/>1<script>alert('xss')</script>&version=\"/>1<script>alert('xss')</script>&classifier=\"/>1<script>alert('xss')</script>&type=\"/>1<script>alert('xss')</script>" );
95 assertAddLegacyArtifactPathPage();
97 "Legacy path must only contain alphanumeric characters, forward-slashes(/), back-slashes(\\), underscores(_), dots(.), and dashes(-)." );
99 "Group id must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
101 "Artifact id must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
103 "Version must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
105 "Classifier must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
106 assertTextPresent( "Type must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
// Every field must round-trip the payload exactly (attribute-escaped on output).
107 assertElementValue( "//input[@id='addLegacyArtifactPath_legacyArtifactPath_path']",
108 "\"/>1<script>alert('xss')</script>" );
109 assertElementValue( "//input[@id='addLegacyArtifactPath_artifactId']", "\"/>1<script>alert('xss')</script>" );
110 assertElementValue( "//input[@id='addLegacyArtifactPath_version']", "\"/>1<script>alert('xss')</script>" );
111 assertElementValue( "//input[@id='addLegacyArtifactPath_groupId']", "\"/>1<script>alert('xss')</script>" );
112 assertElementValue( "//input[@id='addLegacyArtifactPath_classifier']", "\"/>1<script>alert('xss')</script>" );
113 assertElementValue( "//input[@id='addLegacyArtifactPath_type']", "\"/>1<script>alert('xss')</script>" );
/**
 * Percent-encoded twin of {@link #testAddLegacyArtifactImmunityToURLCrossSiteScripting()}: the
 * same payload is sent URL-encoded in all six legacy-artifact-path parameters. The expected
 * validation messages and the verbatim field round-trips are identical to the unencoded test,
 * so decoding must feed the same validation and escaping path.
 */
116 public void testAddLegacyArtifactImmunityToEncodedURLCrossSiteScripting()
119 "/archiva/admin/addLegacyArtifactPath!commit.action?legacyArtifactPath.path=%22%2F%3E1%3Cscript%3Ealert('xss')%3C%2Fscript%3E&groupId=%22%2F%3E1%3Cscript%3Ealert('xss')%3C%2Fscript%3E&artifactId=%22%2F%3E1%3Cscript%3Ealert('xss')%3C%2Fscript%3E&version=%22%2F%3E1%3Cscript%3Ealert('xss')%3C%2Fscript%3E&classifier=%22%2F%3E1%3Cscript%3Ealert('xss')%3C%2Fscript%3E&type=%22%2F%3E1%3Cscript%3Ealert('xss')%3C%2Fscript%3E" );
120 assertAddLegacyArtifactPathPage();
122 "Legacy path must only contain alphanumeric characters, forward-slashes(/), back-slashes(\\), underscores(_), dots(.), and dashes(-)." );
124 "Group id must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
126 "Artifact id must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
128 "Version must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
130 "Classifier must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
131 assertTextPresent( "Type must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
// Decoded values must appear verbatim in every field, exactly as in the unencoded case.
132 assertElementValue( "//input[@id='addLegacyArtifactPath_legacyArtifactPath_path']",
133 "\"/>1<script>alert('xss')</script>" );
134 assertElementValue( "//input[@id='addLegacyArtifactPath_artifactId']", "\"/>1<script>alert('xss')</script>" );
135 assertElementValue( "//input[@id='addLegacyArtifactPath_version']", "\"/>1<script>alert('xss')</script>" );
136 assertElementValue( "//input[@id='addLegacyArtifactPath_groupId']", "\"/>1<script>alert('xss')</script>" );
137 assertElementValue( "//input[@id='addLegacyArtifactPath_classifier']", "\"/>1<script>alert('xss')</script>" );
138 assertElementValue( "//input[@id='addLegacyArtifactPath_type']", "\"/>1<script>alert('xss')</script>" );
/**
 * Requests the delete-network-proxy confirm action with the payload
 * {@code "/>1<script>alert('xss')</script>} as {@code proxyid}, without a request token.
 * <p>
 * Both assertions are the token-check failure page, so the request is rejected before the
 * action (and any rendering of {@code proxyid}) runs. This demonstrates the confirm action is
 * token-protected; it does not by itself show that {@code proxyid} is escaped when a valid token
 * is supplied — a test that carries the token would be needed to cover that rendering path.
 */
141 public void testDeleteNetworkProxyImmunityToURLCrossSiteScripting()
144 "/archiva/admin/deleteNetworkProxy!confirm.action?proxyid=\"/>1<script>alert('xss')</script>" );
145 assertTextPresent( "Security Alert - Invalid Token Found" );
146 assertTextPresent( "Possible CSRF attack detected! Invalid token found in the request." );
/**
 * Percent-encoded twin of {@link #testDeleteNetworkProxyImmunityToURLCrossSiteScripting()}:
 * the same payload is sent URL-encoded as {@code proxyid}, and the same token-check failure page
 * is expected. As in the unencoded test, the token interceptor rejects the request first, so
 * the escaping of {@code proxyid} on the confirm page is not exercised here.
 */
149 public void testDeleteNetworkProxyImmunityToEncodedURLCrossSiteScripting()
152 "/archiva/admin/deleteNetworkProxy!confirm.action?proxyid=%22%2F%3E1%3Cscript%3Ealert('xss')%3C%2Fscript%3E" );
153 assertTextPresent( "Security Alert - Invalid Token Found" );
154 assertTextPresent( "Possible CSRF attack detected! Invalid token found in the request." );
/**
 * Submits the add-repository form through the UI with {@code test"><script>alert('xss')</script>}
 * in the four free-text fields (identifier, name, directory, index directory).
 * <p>
 * Expected outcome: the form is rejected by the per-field allow-lists, whose messages are
 * asserted below. Note that the directory and index-directory allow-lists accept characters
 * such as {@code &}, {@code =} and {@code ?} but not quotes or angle brackets, which is what
 * keeps this payload out. The trailing {@code ""}, {@code "-1"} and {@code "101"} arguments
 * appear to populate the cron, days-older and retention-count fields, matching the last three
 * messages — confirm against {@code AbstractArchivaTest.addManagedRepository}.
 */
157 public void testAddManagedRepositoryImmunityToInputFieldCrossSiteScripting()
159 goToRepositoriesPage();
160 getSelenium().open( "/archiva/admin/addRepository.action" );
161 addManagedRepository( "test\"><script>alert('xss')</script>", "test\"><script>alert('xss')</script>",
162 "test\"><script>alert('xss')</script>", "test\"><script>alert('xss')</script>",
163 "Maven 2.x Repository", "", "-1", "101", true );
164 // xss inputs are blocked by validation.
166 "Identifier must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
168 "Directory must only contain alphanumeric characters, equals(=), question-marks(?), exclamation-points(!), ampersands(&), forward-slashes(/), back-slashes(\\), underscores(_), dots(.), colons(:), tildes(~), and dashes(-)." );
170 "Repository Name must only contain alphanumeric characters, white-spaces(' '), forward-slashes(/), open-parenthesis('('), close-parenthesis(')'), underscores(_), dots(.), and dashes(-)." );
172 "Index directory must only contain alphanumeric characters, equals(=), question-marks(?), exclamation-points(!), ampersands(&), forward-slashes(/), back-slashes(\\), underscores(_), dots(.), colons(:), tildes(~), and dashes(-)." );
// Non-XSS validation of the numeric/cron fields, asserted alongside so one submit covers all rules.
173 assertTextPresent( "Repository Purge By Retention Count needs to be between 1 and 100." );
174 assertTextPresent( "Repository Purge By Days Older Than needs to be larger than 0." );
175 assertTextPresent( "Invalid cron expression." );
/**
 * Submits the edit-appearance form through the UI with {@code test<script>alert('xss')</script>}
 * in the organisation name, URL and logo fields.
 * <p>
 * Expected outcome: the name is rejected by its allow-list and both URL fields by the
 * "You must enter a URL" rule, so the payload never reaches the rendered appearance page.
 */
178 public void testEditAppearanceImmunityToInputFieldCrossSiteScripting()
180 goToAppearancePage();
181 clickLinkWithText( "Edit" );
182 addEditAppearance( "test<script>alert('xss')</script>", "test<script>alert('xss')</script>",
183 "test<script>alert('xss')</script>", false );
184 // xss inputs are blocked by validation.
186 "Organisation name must only contain alphanumeric characters, white-spaces(' '), equals(=), question-marks(?), exclamation-points(!), ampersands(&), forward-slashes(/), back-slashes(\\), underscores(_), dots(.), colons(:), tildes(~), and dashes(-)." );
187 assertTextPresent( "You must enter a URL" );
// NOTE(review): this XPath predicate is malformed — "[@class='errorMessage'/text()='...']" applies
// a location step to a string literal, which an XPath engine rejects or evaluates to nothing, so
// the expected count of 2 cannot be satisfied. The intended expression is presumably
// "//span[@class='errorMessage' and text()='You must enter a URL']".
188 assertXpathCount( "//span[@class='errorMessage'/text()='You must enter a URL']", 2 );
191 public void testEditAppearanceImmunityToCrossSiteScriptingRendering()
193 goToAppearancePage();
194 clickLinkWithText( "Edit" );
195 addEditAppearance( "xss", "http://\">test<script>alert(\"xss\")</script>",
196 "http://\">test<script>alert(\"xss\")</script>", false );
197 // escaped html/url prevents cross-site scripting exploits
198 assertXpathCount( "//td[text()=\"xss\"]", 1 );
199 assertXpathCount( "//code[text()='http://\">test<script>alert(\"xss\")</script>']", 2 );
/**
 * Submits the add-legacy-artifact-path form through the UI with
 * {@code test<script>alert('xss')</script>} in all six fields (legacy path, groupId, artifactId,
 * version, classifier, type).
 * <p>
 * Expected outcome: every field is rejected by its allow-list, whose messages are asserted
 * below. This is the form-submission counterpart of the URL-based legacy-artifact tests, which
 * additionally check the field values round-trip; here only the validation messages are checked.
 */
202 public void testAddLegacyArtifactPathImmunityToInputFieldCrossSiteScripting()
204 goToLegacySupportPage();
205 clickLinkWithText( "Add" );
206 addLegacyArtifactPath( "test<script>alert('xss')</script>", "test<script>alert('xss')</script>",
207 "test<script>alert('xss')</script>", "test<script>alert('xss')</script>",
208 "test<script>alert('xss')</script>", "test<script>alert('xss')</script>" );
209 // xss inputs are blocked by validation.
211 "Legacy path must only contain alphanumeric characters, forward-slashes(/), back-slashes(\\), underscores(_), dots(.), and dashes(-)." );
213 "Group id must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
215 "Artifact id must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
217 "Version must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
219 "Classifier must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
220 assertTextPresent( "Type must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
223 public void testAddNetworkProxyImmunityToInputFieldCrossSiteScripting()
225 goToNetworkProxiesPage();
226 addNetworkProxy( "test<script>alert('xss')</script>", "test<script>alert('xss')</script>",
227 "test<script>alert('xss')</script>", "test<script>alert('xss')</script>",
228 "test<script>alert('xss')</script>", "" );
229 // xss inputs are blocked by validation.
231 "Proxy id must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
233 "Protocol must only contain alphanumeric characters, forward-slashes(/), back-slashes(\\), dots(.), colons(:), and dashes(-)." );
235 "Host must only contain alphanumeric characters, equals(=), question-marks(?), exclamation-points(!), ampersands(&), forward-slashes(/), back-slashes(\\), underscores(_), dots(.), colons(:), tildes(~), and dashes(-)." );
236 assertTextPresent( "Invalid field value for field \"proxy.port\"." );
238 "Username must only contain alphanumeric characters, at's(@), forward-slashes(/), back-slashes(\\), underscores(_), dots(.), and dashes(-)." );