From ed30dd2e73019a30db58f5be7fe027cd9aea9969 Mon Sep 17 00:00:00 2001
From: Teryk Bellahsene
Date: Thu, 19 May 2016 16:23:56 +0200
Subject: [PATCH] SONAR-6964 Do not display administration sensitive data when opening browser history
---
 .../src/test/java/it/Category4Suite.java | 3 +
 .../test/java/it/http/HttpHeadersTest.java | 104 ++++++++++++++++++
 .../lib/action_controller/response.rb | 2 +-
 3 files changed, 108 insertions(+), 1 deletion(-)
 create mode 100644 it/it-tests/src/test/java/it/http/HttpHeadersTest.java
diff --git a/it/it-tests/src/test/java/it/Category4Suite.java b/it/it-tests/src/test/java/it/Category4Suite.java
index ea5ecc1175e..a12a4f39779 100644
--- a/it/it-tests/src/test/java/it/Category4Suite.java
+++ b/it/it-tests/src/test/java/it/Category4Suite.java
@@ -30,6 +30,7 @@ import it.dbCleaner.PurgeTest;
 import it.duplication.CrossProjectDuplicationsOnRemoveFileTest;
 import it.duplication.CrossProjectDuplicationsTest;
 import it.duplication.DuplicationsTest;
+import it.http.HttpHeadersTest;
 import it.projectComparison.ProjectComparisonTest;
 import it.projectEvent.EventTest;
 import it.serverSystem.ServerSystemTest;
@@ -82,6 +83,8 @@ import static util.ItUtils.xooPlugin;
 ProjectComparisonTest.class,
 // component search
 AllProjectsTest.class,
+ // http
+ HttpHeadersTest.class,
 // ui
 UiTest.class,
 // ui extensions
diff --git a/it/it-tests/src/test/java/it/http/HttpHeadersTest.java b/it/it-tests/src/test/java/it/http/HttpHeadersTest.java
new file mode 100644
index 00000000000..c03ab8536cf
--- /dev/null
+++ b/it/it-tests/src/test/java/it/http/HttpHeadersTest.java
@@ -0,0 +1,104 @@
+/*
+ * SonarQube
+ * Copyright (C) 2009-2016 SonarSource SA
+ * mailto:contact AT sonarsource DOT com
+
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ */
+
+package it.http;
+
+import com.google.common.base.Throwables;
+import com.sonar.orchestrator.Orchestrator;
+import com.squareup.okhttp.CacheControl;
+import com.squareup.okhttp.OkHttpClient;
+import com.squareup.okhttp.Request;
+import com.squareup.okhttp.Response;
+import it.Category4Suite;
+import java.io.IOException;
+import org.junit.ClassRule;
+import org.junit.Test;
+import org.junit.experimental.categories.Category;
+import util.QaOnly;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+@Category(QaOnly.class)
+public class HttpHeadersTest {
+
+ @ClassRule
+ public static final Orchestrator orchestrator = Category4Suite.ORCHESTRATOR;
+
+ /**
+ * SONAR-6964
+ */
+ @Test
+ public void no_browser_cache_for_pages() {
+ Response httpResponse = call(orchestrator.getServer().getUrl() + "/");
+
+ assertNoCacheInBrowser(httpResponse);
+ }
+
+ @Test
+ public void no_browser_cache_for_ws() {
+ Response httpResponse = call(orchestrator.getServer().getUrl() + "/api/issues/search");
+
+ assertNoCacheInBrowser(httpResponse);
+ }
+
+ @Test
+ public void no_browser_cache_in_ruby_ws() {
+ Response httpResponse = call(orchestrator.getServer().getUrl() + "/api/resources/index");
+
+ assertNoCacheInBrowser(httpResponse);
+ }
+
+ @Test
+ public void browser_cache_on_images() {
+ Response httpResponse = call(orchestrator.getServer().getUrl() + "/images/logo.svg");
+
+ assertCacheInBrowser(httpResponse);
+ }
+
+ @Test
+ public void browser_cache_on_css() {
+ Response httpResponse = call(orchestrator.getServer().getUrl() + "/css/sonar.css");
+
+ assertCacheInBrowser(httpResponse);
+ }
+
+ private static void assertCacheInBrowser(Response httpResponse) {
+ CacheControl cacheControl = httpResponse.cacheControl();
+ assertThat(cacheControl.mustRevalidate()).isFalse();
+ assertThat(cacheControl.noCache()).isFalse();
+ assertThat(cacheControl.noStore()).isFalse();
+ }
+
+ private static void assertNoCacheInBrowser(Response httpResponse) {
+ CacheControl cacheControl = httpResponse.cacheControl();
+ assertThat(cacheControl.mustRevalidate()).isTrue();
+ assertThat(cacheControl.noCache()).isTrue();
+ assertThat(cacheControl.noStore()).isTrue();
+ }
+
+ private static Response call(String url) {
+ Request request = new Request.Builder().get().url(url).build();
+ try {
+ return new OkHttpClient().newCall(request).execute();
+ } catch (IOException e) {
+ throw Throwables.propagate(e);
+ }
+ }
+}
diff --git a/server/sonar-web/src/main/webapp/WEB-INF/gems/gems/actionpack-2.3.15/lib/action_controller/response.rb b/server/sonar-web/src/main/webapp/WEB-INF/gems/gems/actionpack-2.3.15/lib/action_controller/response.rb
index ff1702e845e..ac1b6d181c4 100644
--- a/server/sonar-web/src/main/webapp/WEB-INF/gems/gems/actionpack-2.3.15/lib/action_controller/response.rb
+++ b/server/sonar-web/src/main/webapp/WEB-INF/gems/gems/actionpack-2.3.15/lib/action_controller/response.rb
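Review bot: `call()` hands back the `Response` without closing it, and neither `assertCacheInBrowser` nor `assertNoCacheInBrowser` closes the body after reading `cacheControl()`, so each test presumably leaves a connection open until the throw-away client is garbage-collected; closing the body at the end of both helpers, e.g. `httpResponse.body().close();` (ResponseBody is closeable in OkHttp 2.x — verify against the version on the classpath), fixes that, and one shared `OkHttpClient` instead of `new OkHttpClient()` per call avoids a fresh connection pool per request. The no-cache tests cover only unauthenticated GETs to `/` and two web services, while the scenario named in the subject — administration pages rendered for a logged-in administrator — is not exercised, so a request carrying admin credentials to an administration page would pin the actual regression. Only Cache-Control directives are asserted, so intermediaries that honour `Pragma`/`Expires` rather than Cache-Control are not covered; that would need a server-side change as well, but the gap is worth stating in the `SONAR-6964` Javadoc.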
@@ -204,7 +204,7 @@ module ActionController # :nodoc:
 def set_conditional_cache_control!
 if headers['Cache-Control'] == DEFAULT_HEADERS['Cache-Control']
- headers['Cache-Control'] = 'private, max-age=0, must-revalidate'
+ headers['Cache-Control'] = 'no-cache, no-store, must-revalidate'
 end
 end
--
2.39.5
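Review bot: The new directives are applied only when the response still carries the framework default, because the `if headers['Cache-Control'] == DEFAULT_HEADERS['Cache-Control']` guard is kept as is; any Ruby action that sets its own Cache-Control (for instance through `expires_in`) bypasses this line entirely, so those actions need to be audited rather than assumed covered. This hand-edits a vendored gem, and the change will silently vanish the next time actionpack is re-vendored; a comment on the changed line, `# SonarQube SONAR-6964: dynamic pages must never be served from the browser cache`, would at least flag it for whoever performs that update. Only Cache-Control is set here; `Pragma: no-cache` and an `Expires` value in the past are the usual companions for HTTP/1.0 caches, if those matter for the deployments this server targets.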