From 58d905941b9522e830c6e13b3a850b5cc637679e Mon Sep 17 00:00:00 2001 From: Brett Porter Date: Tue, 12 Apr 2011 07:16:34 +0000 Subject: [PATCH] [MRM-1480]/[REDBACK-274] (CVE-2011-1026) o upgrade to redback 1.2.8-SNAPSHOT o configured struts2's token interceptor + use of in affected actions to prevent CSRF issue [MRM-1460] added selenium tests for CSRF fixes in affected pages Merged: r1066067:1091313 git-svn-id: https://svn.apache.org/repos/asf/archiva/trunk@1091315 13f79535-47bb-0310-9956-ffa450edef68 --- archiva-docs/src/site/apt/release-notes.apt | 30 ++++ .../archiva/web/test/CSRFSecurityTest.java | 149 ++++++++++++++++++ .../src/main/resources/struts.xml | 55 +++++-- .../WEB-INF/jsp/admin/deleteNetworkProxy.jsp | 1 + .../jsp/admin/deleteProxyConnector.jsp | 1 + .../WEB-INF/jsp/admin/deleteRepository.jsp | 1 + .../jsp/admin/deleteRepositoryGroup.jsp | 1 + .../jsp/admin/disableProxyConnector.jsp | 1 + .../WEB-INF/jsp/admin/editNetworkProxy.jsp | 1 + .../WEB-INF/jsp/admin/legacyArtifactPath.jsp | 3 + .../WEB-INF/jsp/admin/networkProxies.jsp | 3 + .../WEB-INF/jsp/admin/proxyConnectors.jsp | 5 + .../webapp/WEB-INF/jsp/admin/repositories.jsp | 6 + .../WEB-INF/jsp/admin/repositoryGroups.jsp | 4 + .../WEB-INF/jsp/admin/repositoryScanning.jsp | 15 +- .../webapp/WEB-INF/jsp/deleteArtifact.jsp | 1 + pom.xml | 21 ++- 17 files changed, 279 insertions(+), 19 deletions(-) create mode 100644 archiva-modules/archiva-web/archiva-webapp-test/src/test/testng/org/apache/archiva/web/test/CSRFSecurityTest.java diff --git a/archiva-docs/src/site/apt/release-notes.apt b/archiva-docs/src/site/apt/release-notes.apt index 03784f274..e0fe6d570 100644 --- a/archiva-docs/src/site/apt/release-notes.apt +++ b/archiva-docs/src/site/apt/release-notes.apt 
@@ -19,6 +19,26 @@ Release Notes for Archiva 1.4 ~~TODO +* Compatibility Changes + + * If upgrading from versions of Archiva earlier than 1.2.2, the list of libraries + in <<>> has changed. If you have customized your copy of + <<>>, please update it for compatibility with the version distributed + with the current release. + +* Security Vulnerabilities + + * A CSRF security vulnerability (CVE-2010-3449) is present in 1.3.2 and earlier. + + * An XSS security vulnerability (CVE-2011-0533) is present in 1.3.3 and earlier. + + * Additional CSRF (CVE-2011-1026) and XSS security (CVE-2011-1077) vulnerabilities have been reported against 1.3.4 + and earlier versions. + + It is important that users using lower versions of Archiva upgrade to this version (or higher). + + See {{{http://archiva.apache.org/security.html} Archiva Security}} for more details. + * Release Notes The Archiva 1.4 feature set can be seen in the {{{tour/index.html} feature tour}}. @@ -29,6 +49,16 @@ Release Notes for Archiva 1.4 ~~TODO +Previous Releases + +* Changes in Archiva 1.3.5 + + Released: <<14 March 2011>> + +** Task + + * [MRM-1460] - Upgrade Archiva to Redback 1.2.7 + * Changes in Archiva 1.3.4 Released: <<9 February 2011>> diff --git a/archiva-modules/archiva-web/archiva-webapp-test/src/test/testng/org/apache/archiva/web/test/CSRFSecurityTest.java b/archiva-modules/archiva-web/archiva-webapp-test/src/test/testng/org/apache/archiva/web/test/CSRFSecurityTest.java new file mode 100644 index 000000000..3883605a8 --- /dev/null +++ b/archiva-modules/archiva-web/archiva-webapp-test/src/test/testng/org/apache/archiva/web/test/CSRFSecurityTest.java 
@@ -0,0 +1,149 @@
+package org.apache.archiva.web.test;
+
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import org.apache.archiva.web.test.parent.AbstractArchivaTest;
+import org.testng.annotations.Test;
+
+/**
+ * Test all actions affected with CSRF security issue.
+ */
+@Test( groups = { "csrf" }, dependsOnMethods = { "testWithCorrectUsernamePassword" }, sequential = true )
+public class CSRFSecurityTest
+ extends AbstractArchivaTest
+{
+ public void testCSRFDeleteRepository()
+ {
+ getSelenium().open( baseUrl );
+ getSelenium().open( baseUrl + "/admin/deleteRepository.action?repoid=test&method%3AdeleteContents=Delete+Configuration+and+Contents" );
+ assertTextPresent( "Security Alert - Invalid Token Found" );
+ assertTextPresent( "Possible CSRF attack detected! Invalid token found in the request." );
+ }
+
+ public void testCSRFDeleteArtifact()
+ {
+ getSelenium().open( baseUrl );
+ getSelenium().open( baseUrl + "/deleteArtifact!doDelete.action?groupId=1&artifactId=1&version=1&repositoryId=snapshots" );
+ assertTextPresent( "Security Alert - Invalid Token Found" );
+ assertTextPresent( "Possible CSRF attack detected! Invalid token found in the request." );
+ }
+
+ public void testCSRFAddRepositoryGroup()
+ {
+ getSelenium().open( baseUrl );
+ getSelenium().open( baseUrl + "/admin/addRepositoryGroup.action?repositoryGroup.id=csrfgrp" );
+ assertTextPresent( "Security Alert - Invalid Token Found" );
+ assertTextPresent( "Possible CSRF attack detected! Invalid token found in the request." );
+ }
+
+ public void testCSRFDeleteRepositoryGroup()
+ {
+ getSelenium().open( baseUrl );
+ getSelenium().open( baseUrl + "/admin/deleteRepositoryGroup.action?repoGroupId=test&method%3Adelete=Confirm" );
+ assertTextPresent( "Security Alert - Invalid Token Found" );
+ assertTextPresent( "Possible CSRF attack detected! Invalid token found in the request." );
+ }
+
+ public void testCSRFDisableProxyConnector()
+ {
+ getSelenium().open( baseUrl );
+ getSelenium().open( baseUrl + "/admin/disableProxyConnector!disable.action?target=maven2-repository.dev.java.net&source=internal" );
+ assertTextPresent( "Security Alert - Invalid Token Found" );
+ assertTextPresent( "Possible CSRF attack detected! Invalid token found in the request." );
+ }
+
+ public void testCSRFDeleteProxyConnector()
+ {
+ getSelenium().open( baseUrl );
+ getSelenium().open( baseUrl + "/admin/deleteProxyConnector!delete.action?target=maven2-repository.dev.java.net&source=snapshots" );
+ assertTextPresent( "Security Alert - Invalid Token Found" );
+ assertTextPresent( "Possible CSRF attack detected! Invalid token found in the request." );
+ }
+
+ public void testCSRFDeleteLegacyArtifactPath()
+ {
+ getSelenium().open( baseUrl );
+ getSelenium().open( baseUrl + "/admin/deleteLegacyArtifactPath.action?path=jaxen%2Fjars%2Fjaxen-1.0-FCS-full.jar" );
+ assertTextPresent( "Security Alert - Invalid Token Found" );
+ assertTextPresent( "Possible CSRF attack detected! Invalid token found in the request." );
+ }
+
+ public void testCSRFSaveNetworkProxy()
+ {
+ getSelenium().open( baseUrl );
+ getSelenium().open( baseUrl + "/admin/saveNetworkProxy.action?mode=add&proxy.id=ntwrk&proxy.protocol=http&" +
+ "proxy.host=test&proxy.port=8080&proxy.username=&proxy.password=" );
+ assertTextPresent( "Security Alert - Invalid Token Found" );
+ assertTextPresent( "Possible CSRF attack detected! Invalid token found in the request." );
+ }
+
+ public void testCSRFDeleteNetworkProxy()
+ {
+ getSelenium().open( baseUrl );
+ getSelenium().open( baseUrl + "/admin/deleteNetworkProxy!delete.action?proxyid=myproxy" );
+ assertTextPresent( "Security Alert - Invalid Token Found" );
+ assertTextPresent( "Possible CSRF attack detected! Invalid token found in the request." );
+ }
+
+ public void testCSRFAddFileTypePattern()
+ {
+ getSelenium().open( baseUrl );
+ getSelenium().open( baseUrl + "/admin/repositoryScanning!addFiletypePattern.action?pattern=**%2F*.rum&fileTypeId=artifacts" );
+ assertTextPresent( "Security Alert - Invalid Token Found" );
+ assertTextPresent( "Possible CSRF attack detected! Invalid token found in the request." );
+ }
+
+ public void testCSRFRemoveFileTypePattern()
+ {
+ getSelenium().open( baseUrl );
+ getSelenium().open( baseUrl + "/admin/repositoryScanning!removeFiletypePattern.action?pattern=**%2F*.rum&fileTypeId=artifacts" );
+ assertTextPresent( "Security Alert - Invalid Token Found" );
+ assertTextPresent( "Possible CSRF attack detected! Invalid token found in the request." );
+ }
+
+ public void testCSRFUpdateKnownConsumers()
+ {
+ getSelenium().open( baseUrl );
+ getSelenium().open( baseUrl + "/admin/repositoryScanning!updateKnownConsumers.action?enabledKnownContentConsumers=auto-remove&" +
+ "enabledKnownContentConsumers=auto-rename&enabledKnownContentConsumers=create-missing-checksums&" +
+ "enabledKnownContentConsumers=index-content&enabledKnownContentConsumers=metadata-updater&" +
+ "enabledKnownContentConsumers=repository-purge&enabledKnownContentConsumers=update-db-artifact&" +
+ "enabledKnownContentConsumers=validate-checksums" );
+ assertTextPresent( "Security Alert - Invalid Token Found" );
+ assertTextPresent( "Possible CSRF attack detected! Invalid token found in the request." );
+ }
+
+ public void testCSRFUpdateUnprocessedConsumers()
+ {
+ getSelenium().open( baseUrl );
+ getSelenium().open( baseUrl + "/admin/database!updateUnprocessedConsumers.action?enabledUnprocessedConsumers=update-db-project" );
+ assertTextPresent( "Security Alert - Invalid Token Found" );
+ assertTextPresent( "Possible CSRF attack detected! Invalid token found in the request." );
+ }
+
+ public void testCSRFUpdateCleanupConsumers()
+ {
+ getSelenium().open( baseUrl );
+ getSelenium().open( baseUrl + "/admin/database!updateCleanupConsumers.action?enabledCleanupConsumers=not-present-remove-db-artifact&" +
+ "enabledCleanupConsumers=not-present-remove-db-project&enabledCleanupConsumers=not-present-remove-indexed" );
+ assertTextPresent( "Security Alert - Invalid Token Found" );
+ assertTextPresent( "Possible CSRF attack detected! Invalid token found in the request." );
+ }
+}
diff --git a/archiva-modules/archiva-web/archiva-webapp/src/main/resources/struts.xml b/archiva-modules/archiva-web/archiva-webapp/src/main/resources/struts.xml
index 78e83d858..f4a003cb4 100644
--- a/archiva-modules/archiva-web/archiva-webapp/src/main/resources/struts.xml
+++ b/archiva-modules/archiva-web/archiva-webapp/src/main/resources/struts.xml
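Review bot: Every method in CSRFSecurityTest asserts only the rejection path, so an interceptor configuration that rejected every request — including a legitimate form submission carrying the token — would pass this suite unchanged; one companion test that drives an affected form through the UI and asserts the action completes would pin the behaviour the fix is meant to preserve. Coverage also does not line up with the struts.xml section of this patch: `updateInvalidConsumers` is named in the repositoryScanning include list but has no test here, while `testCSRFUpdateUnprocessedConsumers` and `testCSRFUpdateCleanupConsumers` exercise `database!*` actions for which no per-action hunk is visible, so they presumably depend on the stack-level additions near the top of struts.xml — worth confirming. The two asserted strings are repeated fourteen times and appear to be owned by the redback `invalidToken.jsp` result mapped in struts.xml, so a wording change there fails every test at once; a private helper taking the action path makes the list of protected actions read as data and gives the strings a single home.
```java
    private void assertCsrfRejected( String actionPath )
    {
        getSelenium().open( baseUrl );
        getSelenium().open( baseUrl + actionPath );
        assertTextPresent( "Security Alert - Invalid Token Found" );
        assertTextPresent( "Possible CSRF attack detected! Invalid token found in the request." );
    }

    public void testCSRFDeleteRepository()
    {
        assertCsrfRejected( "/admin/deleteRepository.action?repoid=test&method%3AdeleteContents=Delete+Configuration+and+Contents" );
    }

    // … unchanged: remaining test methods, each reduced to one assertCsrfRejected( ... ) call …
```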
@@ -45,6 +45,9 @@ false + + * + input,back,cancel,browse @@ -62,6 +65,9 @@ false + + * + input,back,cancel,browse @@ -128,7 +134,8 @@ include a result for 'error' --> /WEB-INF/jsp/generalError.jsp /WEB-INF/jsp/accessToNoRepos.jsp - + /WEB-INF/jsp/redback/invalidToken.jsp + @@ -174,6 +181,9 @@ /WEB-INF/jsp/deleteArtifact.jsp /WEB-INF/jsp/deleteArtifact.jsp /WEB-INF/jsp/deleteArtifact.jsp + + doDelete + @@ -262,19 +272,25 @@ /WEB-INF/jsp/admin/repositoryGroups.jsp /WEB-INF/jsp/admin/repositoryGroups.jsp repositoryGroups - + + * + /WEB-INF/jsp/admin/deleteRepositoryGroup.jsp - + + * + /WEB-INF/jsp/admin/deleteRepositoryGroup.jsp /WEB-INF/jsp/admin/deleteRepositoryGroup.jsp repositoryGroups - + + * + @@ -334,14 +350,18 @@ /WEB-INF/jsp/admin/deleteRepository.jsp - + + * + /WEB-INF/jsp/admin/deleteRepository.jsp /WEB-INF/jsp/admin/deleteRepository.jsp repositories - + + * + @@ -410,7 +430,9 @@ /WEB-INF/jsp/admin/deleteProxyConnector.jsp proxyConnectors - + + * + @@ -422,7 +444,9 @@ /WEB-INF/jsp/admin/disableProxyConnector.jsp proxyConnectors - + + * + @@ -447,13 +471,17 @@ /WEB-INF/jsp/admin/editNetworkProxy.jsp networkProxies - + + * + /WEB-INF/jsp/admin/deleteNetworkProxy.jsp networkProxies - + + * + @@ -463,6 +491,9 @@ repositoryScanning + + removeFiletypePattern,addFiletypePattern,updateKnownConsumers,updateInvalidConsumers + @@ -507,7 +538,9 @@ /WEB-INF/jsp/admin/legacyArtifactPath.jsp /WEB-INF/jsp/admin/legacyArtifactPath.jsp legacyArtifactPath - + + * + diff --git a/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/deleteNetworkProxy.jsp b/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/deleteNetworkProxy.jsp index cdd817d9d..19156a36e 100644 --- a/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/deleteNetworkProxy.jsp +++ b/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/deleteNetworkProxy.jsp @@ -46,6 +46,7 @@ + 
diff --git a/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/deleteProxyConnector.jsp b/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/deleteProxyConnector.jsp index 3a12af02f..fb56d264e 100644 --- a/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/deleteProxyConnector.jsp +++ b/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/deleteProxyConnector.jsp @@ -47,6 +47,7 @@ + diff --git a/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/deleteRepository.jsp b/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/deleteRepository.jsp index 9c6b42db1..5f925e579 100644 --- a/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/deleteRepository.jsp +++ b/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/deleteRepository.jsp @@ -63,6 +63,7 @@ +
diff --git a/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/deleteRepositoryGroup.jsp b/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/deleteRepositoryGroup.jsp index 83d130f25..69bbd0db4 100644 --- a/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/deleteRepositoryGroup.jsp +++ b/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/deleteRepositoryGroup.jsp @@ -56,6 +56,7 @@
+
diff --git a/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/disableProxyConnector.jsp b/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/disableProxyConnector.jsp index b496b4122..52c69ba8c 100644 --- a/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/disableProxyConnector.jsp +++ b/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/disableProxyConnector.jsp @@ -43,6 +43,7 @@ +
diff --git a/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/editNetworkProxy.jsp b/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/editNetworkProxy.jsp index 29f8ffef6..f7dd33ec0 100644 --- a/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/editNetworkProxy.jsp +++ b/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/editNetworkProxy.jsp @@ -50,6 +50,7 @@ + diff --git a/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/legacyArtifactPath.jsp b/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/legacyArtifactPath.jsp index 0a0167c62..2cb6bdcae 100644 --- a/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/legacyArtifactPath.jsp +++ b/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/legacyArtifactPath.jsp @@ -73,8 +73,11 @@
<%-- TODO: make some icons --%> + + struts.token + " alt="" width="16" height="16"/> diff --git a/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/networkProxies.jsp b/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/networkProxies.jsp index 44eb18a04..33aec91c5 100644 --- a/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/networkProxies.jsp +++ b/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/networkProxies.jsp @@ -71,11 +71,14 @@
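Review bot: The `struts.token` parameter added here sits on the delete link beside the icon image (the enclosing tags are not visible in this rendering, so this is inferred), which places the session's CSRF token in a GET URL where it is exposed through browser history, proxy and access logs, and the Referer header of any outbound link on the resulting page. The same pattern appears in the networkProxies.jsp, proxyConnectors.jsp, repositories.jsp and repositoryGroups.jsp hunks. Rendering each row's delete control as a small POST form with `<s:token/>`, as the deleteRepository.jsp-style confirmation pages in this patch already do, keeps the token out of the URL. If the links must stay GETs, confirm that a list page rendering several links with the same token name still validates every one of them, since the Struts 2 token helper keeps only the most recently generated value per name in the session.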
+ + struts.token + " /> diff --git a/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/proxyConnectors.jsp b/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/proxyConnectors.jsp index 83a915c86..c42ba4f54 100644 --- a/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/proxyConnectors.jsp +++ b/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/proxyConnectors.jsp @@ -113,6 +113,7 @@
+ @@ -128,6 +129,8 @@ + struts.token + @@ -136,6 +139,8 @@ + struts.token + diff --git a/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/repositories.jsp b/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/repositories.jsp index 61341928e..312bcd9f0 100644 --- a/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/repositories.jsp +++ b/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/repositories.jsp @@ -89,8 +89,11 @@ + + struts.token + " alt="" width="16" height="16"/> @@ -341,8 +344,11 @@ " alt="" width="16" height="16"/> Edit + + struts.token + " alt="" width="16" height="16"/> diff --git a/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/repositoryGroups.jsp b/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/repositoryGroups.jsp index 5804cbb95..ec7c8c2dd 100644 --- a/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/repositoryGroups.jsp +++ b/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/repositoryGroups.jsp @@ -50,6 +50,7 @@ Identifier*: + @@ -71,8 +72,11 @@
+ + struts.token + diff --git a/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/repositoryScanning.jsp b/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/repositoryScanning.jsp index 60b59c7f6..ff768c6f6 100644 --- a/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/repositoryScanning.jsp +++ b/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/repositoryScanning.jsp @@ -40,9 +40,9 @@ - - - + + +