[MRM-1468] added validation for adding a managed repository via xmlrpc + unit tests
authorMaria Odea B. Ching <oching@apache.org>
Mon, 9 May 2011 11:00:12 +0000 (11:00 +0000)
committerMaria Odea B. Ching <oching@apache.org>
Mon, 9 May 2011 11:00:12 +0000 (11:00 +0000)
git-svn-id: https://svn.apache.org/repos/asf/archiva/trunk@1100956 13f79535-47bb-0310-9956-ffa450edef68

archiva-modules/archiva-web/archiva-xmlrpc/archiva-xmlrpc-services/pom.xml
archiva-modules/archiva-web/archiva-xmlrpc/archiva-xmlrpc-services/src/main/java/org/apache/archiva/web/xmlrpc/services/AdministrationServiceImpl.java
archiva-modules/archiva-web/archiva-xmlrpc/archiva-xmlrpc-services/src/test/java/org/apache/archiva/web/xmlrpc/services/AdministrationServiceImplTest.java
pom.xml

index b4fb8a213e9f92fd89a3637ced3909250e25dd92..f59b10550352a74686a08dc6ef97456827b495c3 100644 (file)
       <groupId>org.apache.archiva</groupId>
       <artifactId>maven2-repository</artifactId>
     </dependency>
+    <dependency>
+      <groupId>commons-validator</groupId>
+      <artifactId>commons-validator</artifactId>
+    </dependency>
     <dependency>
       <groupId>org.codehaus.redback</groupId>
       <artifactId>plexus-spring</artifactId>
index 6ba6fc1748c56ac56f27942dcc85107427ef8b6e..e267879525c61068bc4a4deecb4e921beb0fde6a 100644 (file)
@@ -38,6 +38,7 @@ import org.apache.archiva.web.xmlrpc.api.beans.ManagedRepository;
 import org.apache.archiva.web.xmlrpc.api.beans.RemoteRepository;
 import org.apache.commons.io.FileUtils;
 import org.apache.commons.lang.StringUtils;
+import org.apache.commons.validator.GenericValidator;
 import org.apache.maven.archiva.configuration.ArchivaConfiguration;
 import org.apache.maven.archiva.configuration.Configuration;
 import org.apache.maven.archiva.configuration.IndeterminateConfigurationException;
@@ -99,6 +100,12 @@ public class AdministrationServiceImpl
 
     private Registry registry;
 
+    private static final String REPOSITORY_ID_VALID_EXPRESSION = "^[a-zA-Z0-9._-]+$";
+
+    private static final String REPOSITORY_NAME_VALID_EXPRESSION = "^([a-zA-Z0-9.)/_(-]|\\s)+$";
+
+    private static final String REPOSITORY_LOCATION_VALID_EXPRESSION = "^[-a-zA-Z0-9._/~:?!&amp;=\\\\]+$";
+
     public AdministrationServiceImpl( ArchivaConfiguration archivaConfig, RepositoryContentConsumers repoConsumersUtil,
                                       RepositoryContentFactory repoFactory,
                                       RepositorySessionFactory repositorySessionFactory,
@@ -387,6 +394,25 @@ public class AdministrationServiceImpl
             throw new Exception( "Invalid cron expression." );
         }
 
+        if( !GenericValidator.matchRegexp( repoId, REPOSITORY_ID_VALID_EXPRESSION ) )
+        {
+            throw new Exception( "Invalid repository ID. Identifier must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
+        }
+
+        if( !GenericValidator.matchRegexp( name, REPOSITORY_NAME_VALID_EXPRESSION ) )
+        {
+            throw new Exception( "Invalid repository name. Repository Name must only contain alphanumeric characters, white-spaces(' '), " +
+                "forward-slashes(/), open-parenthesis('('), close-parenthesis(')'),  underscores(_), dots(.), and dashes(-)." );
+        }
+
+        String repoLocation = removeExpressions( location );
+
+        if( !GenericValidator.matchRegexp( repoLocation, REPOSITORY_LOCATION_VALID_EXPRESSION ) )
+        {
+            throw new Exception( "Invalid repository location. Directory must only contain alphanumeric characters, equals(=), question-marks(?), " +
+                "exclamation-points(!), ampersands(&amp;), forward-slashes(/), back-slashes(\\), underscores(_), dots(.), colons(:), tildes(~), and dashes(-)." );
+        }
+
         ManagedRepositoryConfiguration repository = new ManagedRepositoryConfiguration();
 
         repository.setId( repoId );
@@ -394,7 +420,7 @@ public class AdministrationServiceImpl
         repository.setReleases( releasesIncluded );
         repository.setSnapshots( snapshotsIncluded );
         repository.setName( name );
-        repository.setLocation( removeExpressions( location ) );
+        repository.setLocation( repoLocation );
         repository.setLayout( layout );
         repository.setRefreshCronExpression( cronExpression );
 
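Review bot: The location guard added after `String repoLocation = removeExpressions( location );` is a character allowlist only, so a value such as `/base/../../other` passes because `.`, `/` and `\\` are all admitted, and the string then goes straight to `repository.setLocation( repoLocation )` in the last hunk; if the location is meant to stay below a configured base directory, resolving it with `new File( repoLocation ).getCanonicalPath()` and checking that prefix is the check that would actually enforce it. `REPOSITORY_NAME_VALID_EXPRESSION` uses `\\s`, which admits tabs and line breaks, while the error message promises only `white-spaces(' ')` — either narrow the class to `[ ]` or make the message say whitespace. If the `&amp;` in `REPOSITORY_LOCATION_VALID_EXPRESSION` and in the location message is literal source rather than HTML escaping by the web view, the class additionally admits `;` and the thrown message carries a literal `&amp;`, so confirm against the checked-in file. The enclosing addManagedRepository method starts outside the hunk.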
index c75bb97ba925ee6a9c6879f077bc7053fe63cdaa..13fa091d0a1671c658309e653c86fda86838ea4f 100644 (file)
@@ -953,6 +953,146 @@ public class AdministrationServiceImplTest
         registryControl.verify();
     }
 
+    public void testAddManagedRepositoryInvalidId()
+        throws Exception
+    {
+        String projId = "org.apache.archiva";
+        String repoId = projId + "<script>alert('xss')</script>";
+        String layout = "default";
+        String name = projId + " Releases";
+
+        ManagedRepositoryConfiguration managedRepo = createManagedRepo( "repo1", "default", "repo", true, false );
+        RemoteRepositoryConfiguration remoteRepo = createRemoteRepository( "central", "Central Repository", "default",
+                                                                           "http://repo1.maven.org/maven2" );
+        List<String> repositories = new ArrayList<String>();
+        repositories.add( managedRepo.getName() );
+        RepositoryGroupConfiguration repoGroup = createRepoGroupConfig( "repoGroup", repositories );
+        Map<String, ManagedRepositoryConfiguration> managedRepoMap =
+            new HashMap<String, ManagedRepositoryConfiguration>();
+        Map<String, RemoteRepositoryConfiguration> remoteRepoMap = new HashMap<String, RemoteRepositoryConfiguration>();
+        Map<String, RepositoryGroupConfiguration> repoGroupMap = new HashMap<String, RepositoryGroupConfiguration>();
+        managedRepoMap.put( "repo1", managedRepo );
+        remoteRepoMap.put( "repo1", remoteRepo );
+        repoGroupMap.put( "repo1", repoGroup );
+
+        archivaConfigControl.expectAndReturn( archivaConfig.getConfiguration(), config );
+
+        configControl.expectAndReturn( config.getManagedRepositoriesAsMap(), managedRepoMap );
+        configControl.expectAndReturn( config.getRemoteRepositoriesAsMap(), remoteRepoMap );
+        configControl.expectAndReturn( config.getRepositoryGroupsAsMap(), repoGroupMap );
+
+        archivaConfigControl.replay();
+        configControl.replay();
+
+        try
+        {
+            service.addManagedRepository( repoId, layout, name, "${appserver.base}/test-repository/" + projId + ".releases", true, true, false, true,
+                                                        "0 15 3 * * ? *" );
+            fail( "An exception should have been thrown! Repository ID is not valid." );
+        }
+        catch( Exception e )
+        {
+            assertEquals( "Invalid repository ID. Identifier must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-).",
+                          e.getMessage() );    
+        }
+    }
+
+    public void testAddManagedRepositoryInvalidName()
+        throws Exception
+    {
+        String projId = "org.apache.archiva";
+        String repoId = projId + ".releases";
+        String layout = "default";
+        String name = projId + " <script>alert('xss')</script>";
+
+        ManagedRepositoryConfiguration managedRepo = createManagedRepo( "repo1", "default", "repo", true, false );
+        RemoteRepositoryConfiguration remoteRepo = createRemoteRepository( "central", "Central Repository", "default",
+                                                                           "http://repo1.maven.org/maven2" );
+        List<String> repositories = new ArrayList<String>();
+        repositories.add( managedRepo.getName() );
+        RepositoryGroupConfiguration repoGroup = createRepoGroupConfig( "repoGroup", repositories );
+        Map<String, ManagedRepositoryConfiguration> managedRepoMap =
+            new HashMap<String, ManagedRepositoryConfiguration>();
+        Map<String, RemoteRepositoryConfiguration> remoteRepoMap = new HashMap<String, RemoteRepositoryConfiguration>();
+        Map<String, RepositoryGroupConfiguration> repoGroupMap = new HashMap<String, RepositoryGroupConfiguration>();
+        managedRepoMap.put( "repo1", managedRepo );
+        remoteRepoMap.put( "repo1", remoteRepo );
+        repoGroupMap.put( "repo1", repoGroup );
+
+        archivaConfigControl.expectAndReturn( archivaConfig.getConfiguration(), config );
+
+        configControl.expectAndReturn( config.getManagedRepositoriesAsMap(), managedRepoMap );
+        configControl.expectAndReturn( config.getRemoteRepositoriesAsMap(), remoteRepoMap );
+        configControl.expectAndReturn( config.getRepositoryGroupsAsMap(), repoGroupMap );
+
+        archivaConfigControl.replay();
+        configControl.replay();
+
+        try
+        {
+            service.addManagedRepository( repoId, layout, name, "${appserver.base}/test-repository/" + projId + ".releases", true, true, false, true,
+                                                        "0 15 3 * * ? *" );
+            fail( "An exception should have been thrown! Repository name is not valid." );
+        }
+        catch( Exception e )
+        {
+            assertEquals( "Invalid repository name. Repository Name must only contain alphanumeric characters, white-spaces(' '), " +
+                "forward-slashes(/), open-parenthesis('('), close-parenthesis(')'),  underscores(_), dots(.), and dashes(-).",
+                          e.getMessage() );
+        }
+    }
+
+    public void testAddManagedRepositoryInvalidLocation()
+        throws Exception
+    {
+        String projId = "org.apache.archiva";
+        String repoId = projId + ".releases";
+        String layout = "default";
+        String name = projId + " Releases";
+        String appserverBase = "target";
+
+        ManagedRepositoryConfiguration managedRepo = createManagedRepo( "repo1", "default", "repo", true, false );
+        RemoteRepositoryConfiguration remoteRepo = createRemoteRepository( "central", "Central Repository", "default",
+                                                                           "http://repo1.maven.org/maven2" );
+        List<String> repositories = new ArrayList<String>();
+        repositories.add( managedRepo.getName() );
+        RepositoryGroupConfiguration repoGroup = createRepoGroupConfig( "repoGroup", repositories );
+        Map<String, ManagedRepositoryConfiguration> managedRepoMap =
+            new HashMap<String, ManagedRepositoryConfiguration>();
+        Map<String, RemoteRepositoryConfiguration> remoteRepoMap = new HashMap<String, RemoteRepositoryConfiguration>();
+        Map<String, RepositoryGroupConfiguration> repoGroupMap = new HashMap<String, RepositoryGroupConfiguration>();
+        managedRepoMap.put( "repo1", managedRepo );
+        remoteRepoMap.put( "repo1", remoteRepo );
+        repoGroupMap.put( "repo1", repoGroup );
+
+        archivaConfigControl.expectAndReturn( archivaConfig.getConfiguration(), config );
+
+        configControl.expectAndReturn( config.getManagedRepositoriesAsMap(), managedRepoMap );
+        configControl.expectAndReturn( config.getRemoteRepositoriesAsMap(), remoteRepoMap );
+        configControl.expectAndReturn( config.getRepositoryGroupsAsMap(), repoGroupMap );
+        registryControl.expectAndReturn( registry.getString( "appserver.base", "${appserver.base}" ), appserverBase );
+        registryControl.expectAndReturn( registry.getString( "appserver.home", "${appserver.home}" ), appserverBase );
+
+        archivaConfigControl.replay();
+        configControl.replay();
+        registryControl.replay();
+
+        try
+        {
+            service.addManagedRepository( repoId, layout, name, "${appserver.base}/<script>alert('xss')</script>" + projId + ".releases", true, true, false, true,
+                                                        "0 15 3 * * ? *" );
+            fail( "An exception should have been thrown! Repository location is not valid." );
+        }
+        catch( Exception e )
+        {
+            assertEquals( "Invalid repository location. Directory must only contain alphanumeric characters, equals(=), question-marks(?), " +
+                "exclamation-points(!), ampersands(&amp;), forward-slashes(/), back-slashes(\\), underscores(_), dots(.), colons(:), tildes(~), and dashes(-).",
+                          e.getMessage() );
+        }
+
+        registryControl.verify();
+    }
+
     /* private methods */
 
     private void assertRemoteRepo( RemoteRepository remoteRepo, RemoteRepositoryConfiguration expectedRepoConfig )
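Review bot: The three new tests (`testAddManagedRepositoryInvalidId`, `testAddManagedRepositoryInvalidName`, `testAddManagedRepositoryInvalidLocation`) repeat the same ~25 lines of fixture construction and mock expectations; extracting that into a private helper such as `setupAddManagedRepositoryMocks()` would leave each test showing only the rejected input and the expected message. None of the three calls `archivaConfigControl.verify()` or `configControl.verify()` after the `catch`, unlike the preceding test which ends with `registryControl.verify();`, so an unexpected mock interaction would go unnoticed. The inputs only exercise `<script>` payloads; a location containing `..` segments appears to satisfy the new character allowlist, and adding it as a case would document whether that is intended.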
diff --git a/pom.xml b/pom.xml
index c151bc6883390de38f57e06042c502c9e6cb8e3b..04661f2b1c915972cb4aa4a5c072d7ed6e27a10d 100644 (file)
--- a/pom.xml
+++ b/pom.xml
         <artifactId>atlassian-xmlrpc-binder</artifactId>
         <version>${binder.version}</version>
       </dependency>
+      <dependency>
+        <groupId>commons-validator</groupId>
+        <artifactId>commons-validator</artifactId>
+        <version>1.3.1</version>
+        <exclusions>
+          <exclusion>
+            <groupId>commons-logging</groupId>
+            <artifactId>commons-logging</artifactId>
+          </exclusion>
+        </exclusions>
+      </dependency>
       <dependency>
         <groupId>com.atlassian.xmlrpc</groupId>
         <artifactId>atlassian-xmlrpc-binder-testing</artifactId>