Improve bad request handling in branch graph, zip, & syndication servlets 69/169/1
authorJames Moger <james.moger@gitblit.com>
Mon, 8 Sep 2014 18:37:46 +0000 (14:37 -0400)
committerJames Moger <james.moger@gitblit.com>
Mon, 8 Sep 2014 18:37:46 +0000 (14:37 -0400)
src/main/java/com/gitblit/servlet/AccessRestrictionFilter.java
src/main/java/com/gitblit/servlet/BranchGraphServlet.java
src/main/java/com/gitblit/servlet/DownloadZipFilter.java
src/main/java/com/gitblit/servlet/SyndicationServlet.java
src/main/java/com/gitblit/utils/SyndicationUtils.java

index 0e6d323d0762cc2e7ced65852914bbe482f6a0a4..7f69119629f0fa1ee6d5fe58d699685fa32f1c1d 100644 (file)
@@ -141,6 +141,10 @@ public abstract class AccessRestrictionFilter extends AuthenticationFilter {
 \r
                String fullUrl = getFullUrl(httpRequest);\r
                String repository = extractRepositoryName(fullUrl);\r
+               if (StringUtils.isEmpty(repository)) {\r
+                       httpResponse.setStatus(HttpServletResponse.SC_BAD_REQUEST);\r
+                       return;\r
+               }\r
 \r
                if (repositoryManager.isCollectingGarbage(repository)) {\r
                        logger.info(MessageFormat.format("ARF: Rejecting request for {0}, busy collecting garbage!", repository));\r
index 0abe347faa85ae16932ff0322ddd1039435ee095..fa2152c67a73ec715edb7b3e2df03444e36ceb05 100644 (file)
@@ -40,6 +40,7 @@ import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;\r
 import javax.servlet.http.HttpServletResponse;\r
 \r
+import org.eclipse.jgit.lib.ObjectId;\r
 import org.eclipse.jgit.lib.Ref;\r
 import org.eclipse.jgit.lib.Repository;\r
 import org.eclipse.jgit.revplot.AbstractPlotRenderer;\r
@@ -48,6 +49,8 @@ import org.eclipse.jgit.revplot.PlotCommitList;
 import org.eclipse.jgit.revplot.PlotLane;\r
 import org.eclipse.jgit.revplot.PlotWalk;\r
 import org.eclipse.jgit.revwalk.RevCommit;\r
+import org.slf4j.Logger;\r
+import org.slf4j.LoggerFactory;\r
 \r
 import com.gitblit.Constants;\r
 import com.gitblit.IStoredSettings;\r
@@ -76,6 +79,8 @@ public class BranchGraphServlet extends DaggerServlet {
 \r
        private static final int RIGHT_PAD = 2;\r
 \r
+       private final Logger log = LoggerFactory.getLogger(getClass());\r
+\r
        private final Stroke[] strokeCache;\r
 \r
        private IStoredSettings settings;\r
@@ -117,6 +122,9 @@ public class BranchGraphServlet extends DaggerServlet {
        @Override\r
        protected long getLastModified(HttpServletRequest req) {\r
                String repository = req.getParameter("r");\r
+               if (StringUtils.isEmpty(repository)) {\r
+                       return 0;\r
+               }\r
                String objectId = req.getParameter("h");\r
                Repository r = null;\r
                try {\r
@@ -124,8 +132,15 @@ public class BranchGraphServlet extends DaggerServlet {
                        if (StringUtils.isEmpty(objectId)) {\r
                                objectId = JGitUtils.getHEADRef(r);\r
                        }\r
+                       ObjectId id = r.resolve(objectId);\r
+                       if (id == null) {\r
+                               return 0;\r
+                       }\r
                        RevCommit commit = JGitUtils.getCommit(r, objectId);\r
                        return JGitUtils.getCommitDate(commit).getTime();\r
+               } catch (Exception e) {\r
+                       log.error("Failed to determine last modified", e);\r
+                       return 0;\r
                } finally {\r
                        if (r != null) {\r
                                r.close();\r
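Review bot: `getLastModified` still has no `r == null` check after the repository lookup, unlike the guard this commit adds to the graph-rendering method further down. Assuming the line between the two hunks assigns `r` from `repositoryManager.getRepository(repository)`, an unknown `r` parameter reaches `JGitUtils.getHEADRef(r)` or `r.resolve(objectId)` with a null repository. The failure is then absorbed by the new `catch (Exception e)` and written at error level with a stack trace, so the volume of error-level log entries becomes request-controlled. Add `if (r == null) { return 0; }` right after the lookup, and consider `log.warn` without the stack trace for input-driven failures. The resolved `id` is also only used for the null test, because `JGitUtils.getCommit(r, objectId)` is still given the string.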
@@ -141,17 +156,33 @@ public class BranchGraphServlet extends DaggerServlet {
                PlotWalk rw = null;\r
                try {\r
                        String repository = request.getParameter("r");\r
+                       if (StringUtils.isEmpty(repository)) {\r
+                               response.setStatus(HttpServletResponse.SC_BAD_REQUEST);\r
+                               response.getWriter().append("Bad request");\r
+                               return;\r
+                       }\r
                        String objectId = request.getParameter("h");\r
                        String length = request.getParameter("l");\r
 \r
                        r = repositoryManager.getRepository(repository);\r
+                       if (r == null) {\r
+                               response.setStatus(HttpServletResponse.SC_BAD_REQUEST);\r
+                               response.getWriter().append("Bad request");\r
+                               return;\r
+                       }\r
 \r
                        rw = new PlotWalk(r);\r
                        if (StringUtils.isEmpty(objectId)) {\r
                                objectId = JGitUtils.getHEADRef(r);\r
                        }\r
 \r
-                       rw.markStart(rw.lookupCommit(r.resolve(objectId)));\r
+                       ObjectId id = r.resolve(objectId);\r
+                       if (id ==  null) {\r
+                               response.setStatus(HttpServletResponse.SC_BAD_REQUEST);\r
+                               response.getWriter().append("Bad request");\r
+                               return;\r
+                       }\r
+                       rw.markStart(rw.lookupCommit(id));\r
 \r
                        // default to the items-per-page setting, unless specified\r
                        int maxCommits = settings.getInteger(Keys.web.itemsPerPage, 50);\r
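Review bot: The `id == null` guard covers a revision that does not resolve, but `r.resolve(objectId)` on the request parameter `h` can also throw for a malformed or ambiguous revision string. That path is handled by whatever `catch` the enclosing `try` has, which is outside this hunk. If that handler does not already answer 400, catch `RevisionSyntaxException` around the call and treat it like the null case, e.g. `try { id = r.resolve(objectId); } catch (RevisionSyntaxException e) { id = null; }`. The three identical `setStatus` / `getWriter().append("Bad request")` / `return` sequences would also read better as one private helper.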
index 0c7b3e56198fb8cbff87dee3ab28834f102ce438..42257a23f118ecae96207b26c8abb1fafbc57d4f 100644 (file)
@@ -38,11 +38,14 @@ public class DownloadZipFilter extends AccessRestrictionFilter {
        @Override\r
        protected String extractRepositoryName(String url) {\r
                int a = url.indexOf("r=");\r
-               String repository = url.substring(a + 2);\r
-               if (repository.indexOf('&') > -1) {\r
-                       repository = repository.substring(0, repository.indexOf('&'));\r
+               if (a > -1) {\r
+                       String repository = url.substring(a + 2);\r
+                       if (repository.indexOf('&') > -1) {\r
+                               repository = repository.substring(0, repository.indexOf('&'));\r
+                       }\r
+                       return repository;\r
                }\r
-               return repository;\r
+               return null;\r
        }\r
 \r
        /**\r
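Review bot: `url.indexOf("r=")` still matches the first `r=` substring anywhere in the URL, so the name this filter authorises can come from the tail of another parameter or from the path rather than from the `r` parameter itself. If the zip servlet reads the repository through `request.getParameter("r")` (not visible here), the filter and the servlet can disagree about which repository is requested, and the access check then covers the wrong one. The `a > -1` guard handles the missing parameter but not that mismatch; matching the parameter by exact name within the query string, as sketched below, closes the gap. The sketch assumes `getFullUrl` includes the query string, which should be confirmed, as should whether the returned value needs URL-decoding.

```java
	@Override
	protected String extractRepositoryName(String url) {
		int q = url.indexOf('?');
		if (q < 0) {
			return null;
		}
		// match the parameter by its exact name, not the first "r=" substring
		for (String pair : url.substring(q + 1).split("&")) {
			if (pair.startsWith("r=")) {
				return pair.substring(2);
			}
		}
		return null;
	}
```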
index 631df781584109ef5322e20013eecd404c63fa8b..e3c25967e3e0fcf465eba050e2ea9e569e7d85f2 100644 (file)
@@ -148,7 +148,7 @@ public class SyndicationServlet extends DaggerServlet {
 \r
                String servletUrl = request.getContextPath() + request.getServletPath();\r
                String url = request.getRequestURI().substring(servletUrl.length());\r
-               if (url.charAt(0) == '/' && url.length() > 1) {\r
+               if (url.length() > 1 && url.charAt(0) == '/') {\r
                        url = url.substring(1);\r
                }\r
                String repositoryName = url;\r
@@ -193,7 +193,7 @@ public class SyndicationServlet extends DaggerServlet {
                response.setContentType("application/rss+xml; charset=UTF-8");\r
 \r
                boolean isProjectFeed = false;\r
-               String feedName = null;\r
+               String feedName = "Gitblit";\r
                String feedTitle = null;\r
                String feedDescription = null;\r
 \r
@@ -237,7 +237,7 @@ public class SyndicationServlet extends DaggerServlet {
                        RepositoryModel model = repositoryManager.getRepositoryModel(name);\r
 \r
                        if (repository == null) {\r
-                               if (model.isCollectingGarbage) {\r
+                               if (model != null && model.isCollectingGarbage) {\r
                                        logger.warn(MessageFormat.format("Temporarily excluding {0} from feed, busy collecting garbage", name));\r
                                }\r
                                continue;\r
index 93e9321aff12e7fefbe45945f9d3597e62bab2ec..7afd038392daf407d179604c193b41058a56c8a7 100644 (file)
@@ -71,7 +71,11 @@ public class SyndicationUtils {
                feed.setEncoding("UTF-8");\r
                feed.setTitle(title);\r
                feed.setLink(feedLink);\r
-               feed.setDescription(description);\r
+               if (StringUtils.isEmpty(description)) {\r
+                       feed.setDescription(title);\r
+               } else {\r
+                       feed.setDescription(description);\r
+               }\r
                SyndImageImpl image = new SyndImageImpl();\r
                image.setTitle(Constants.NAME);\r
                image.setUrl(hostUrl + "/gitblt_25.png");\r