author | Martin Stockhammer <martin_s@apache.org> | 2019-04-13 11:59:29 +0200 |
---|---|---|
committer | Martin Stockhammer <martin_s@apache.org> | 2019-04-13 11:59:29 +0200 |
commit | 796716d44183bd315dd20184a66b39ae533eb747 (patch) | |
tree | 9ec8847e92b99be9951623a3b067e816f88ab147 /archiva-modules/archiva-base/archiva-repository-admin | |
parent | 0dea2b64c36272c3aab754c17257e52c4092bf30 (diff) | |
download | archiva-796716d44183bd315dd20184a66b39ae533eb747.tar.gz archiva-796716d44183bd315dd20184a66b39ae533eb747.zip |
Improving URL check for organisation info
Diffstat (limited to 'archiva-modules/archiva-base/archiva-repository-admin')
2 files changed, 16 insertions, 16 deletions
diff --git a/archiva-modules/archiva-base/archiva-repository-admin/archiva-repository-admin-default/src/main/java/org/apache/archiva/admin/repository/admin/DefaultArchivaAdministration.java b/archiva-modules/archiva-base/archiva-repository-admin/archiva-repository-admin-default/src/main/java/org/apache/archiva/admin/repository/admin/DefaultArchivaAdministration.java
index 1ba104863..3be9f58dd 100644
--- a/archiva-modules/archiva-base/archiva-repository-admin/archiva-repository-admin-default/src/main/java/org/apache/archiva/admin/repository/admin/DefaultArchivaAdministration.java
+++ b/archiva-modules/archiva-base/archiva-repository-admin/archiva-repository-admin-default/src/main/java/org/apache/archiva/admin/repository/admin/DefaultArchivaAdministration.java
@@ -21,20 +21,14 @@ package org.apache.archiva.admin.repository.admin; import org.apache.archiva.admin.model.AuditInformation; import org.apache.archiva.admin.model.RepositoryAdminException; import org.apache.archiva.admin.model.admin.ArchivaAdministration; -import org.apache.archiva.admin.model.beans.FileType; -import org.apache.archiva.admin.model.beans.LegacyArtifactPath; -import org.apache.archiva.admin.model.beans.NetworkConfiguration; -import org.apache.archiva.admin.model.beans.OrganisationInformation; -import org.apache.archiva.admin.model.beans.UiConfiguration; +import org.apache.archiva.admin.model.beans.*; import org.apache.archiva.admin.repository.AbstractRepositoryAdmin; import org.apache.archiva.configuration.Configuration; import org.apache.archiva.configuration.UserInterfaceOptions; import org.apache.archiva.configuration.WebappConfiguration; import org.apache.archiva.metadata.model.facets.AuditEvent; -import org.apache.commons.codec.net.URLCodec; import org.apache.commons.lang.StringEscapeUtils; import org.apache.commons.lang.StringUtils; -import org.apache.http.impl.conn.PoolingClientConnectionManager; import org.apache.http.impl.conn.PoolingHttpClientConnectionManager; import org.apache.maven.wagon.providers.http.HttpWagon; import org.springframework.stereotype.Service; @@ -42,10 +36,8 @@ import org.springframework.util.ResourceUtils; import javax.annotation.PostConstruct; import javax.annotation.PreDestroy; -import java.io.UnsupportedEncodingException; -import java.net.MalformedURLException; -import java.net.URL; -import java.net.URLEncoder; +import java.net.URI; +import java.net.URISyntaxException; import java.util.ArrayList; import java.util.Collections; import java.util.List; 
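Review bot: The new `import org.apache.archiva.admin.model.beans.*;` replaces five explicit imports with a wildcard, while the rest of this import block still names each type individually; a wildcard also pulls in every class later added to the `beans` package and can silently collide with same-named types from other packages. Unless additional bean types are referenced further down the file (not visible in this hunk), restoring the five single-type imports for `FileType`, `LegacyArtifactPath`, `NetworkConfiguration`, `OrganisationInformation` and `UiConfiguration` keeps the file's convention and makes the dependency set explicit.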
@@ -328,14 +320,21 @@ public class DefaultArchivaAdministration return getModelMapper().map( organisationInformation, OrganisationInformation.class ); } - private void checkUrl(String url, String propertyName) throws RepositoryAdminException { + private String fixUrl(String url, String propertyName) throws RepositoryAdminException { if ( StringUtils.isNotEmpty( url ) ) { if ( !ResourceUtils.isUrl( url ) ) { throw new RepositoryAdminException( "Bad URL in " + propertyName + ": " + url ); } + try { + URI urlToCheck = new URI(url); + return urlToCheck.toString(); + } catch (URISyntaxException e) { + throw new RepositoryAdminException( "Bad URL in " + propertyName + ": " + url ); + } } + return url; } @@ -347,8 +346,9 @@ public class DefaultArchivaAdministration public void setOrganisationInformation( OrganisationInformation organisationInformation ) throws RepositoryAdminException { - checkUrl(organisationInformation.getUrl(), "url"); - checkUrl( organisationInformation.getLogoLocation(), "logoLocation" ); + + organisationInformation.setUrl(fixUrl(organisationInformation.getUrl(), "url")); + organisationInformation.setLogoLocation(fixUrl( organisationInformation.getLogoLocation(), "logoLocation" )); Configuration configuration = getArchivaConfiguration( ).getConfiguration( ); if ( organisationInformation != null ) { diff --git a/archiva-modules/archiva-base/archiva-repository-admin/archiva-repository-admin-default/src/test/java/org/apache/archiva/admin/repository/admin/ArchivaAdministrationTest.java b/archiva-modules/archiva-base/archiva-repository-admin/archiva-repository-admin-default/src/test/java/org/apache/archiva/admin/repository/admin/ArchivaAdministrationTest.java index 9bb9ed443..e597de438 100644 --- a/archiva-modules/archiva-base/archiva-repository-admin/archiva-repository-admin-default/src/test/java/org/apache/archiva/admin/repository/admin/ArchivaAdministrationTest.java 
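Review bot: `fixUrl` does not alter the value it returns: `new URI(url).toString()` yields the original input string when the URI is built from a single string, so the method is purely a validity check and the `setUrl`/`setLogoLocation` round-trips in the following hunk are no-ops, while the name and `String` return type suggest a normalisation or encoding that does not happen. `java.net.URI` also accepts `'`, `(`, `)` and `=`, so a value such as `http://foo.com/'onload='alert(1)` passes both `ResourceUtils.isUrl` and the `URI` constructor (the added test payloads are rejected only because they contain `<` and `>`), which means this check cannot substitute for HTML-escaping the value where it is rendered — that should be stated in a Javadoc on the method. If validation is all that is intended, the `void checkUrl` shape avoids the misleading name; if normalisation is intended, apply `normalize()`/`toASCIIString()` deliberately and document it. The `URISyntaxException` is also dropped on rethrow — if `RepositoryAdminException` has a cause-taking constructor, keep it: `throw new RepositoryAdminException( "Bad URL in " + propertyName + ": " + url, e );`.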
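Review bot: `organisationInformation.getUrl()` and `getLogoLocation()` are dereferenced two lines before the `if ( organisationInformation != null )` guard, so a null argument throws `NullPointerException` before the guard is reached; this was already the case with the old `checkUrl` calls, but the rewritten lines keep the contradiction. Either move the two `fixUrl` lines inside the null check, or drop the check and fail fast at the top with `Objects.requireNonNull( organisationInformation, "organisationInformation" );` (needs `import java.util.Objects;`). The remainder of `setOrganisationInformation` continues below the hunk.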
+++ b/archiva-modules/archiva-base/archiva-repository-admin/archiva-repository-admin-default/src/test/java/org/apache/archiva/admin/repository/admin/ArchivaAdministrationTest.java @@ -222,7 +222,7 @@ public class ArchivaAdministrationTest try { OrganisationInformation newOrganisationInformation = new OrganisationInformation( ); - newOrganisationInformation.setLogoLocation( "'/><svg/onload=alert(/logoLocation_xss/)>" ); + newOrganisationInformation.setLogoLocation( "http://www.foo.com'/><svg/onload=alert(/logoLocation_xss/)>" ); newOrganisationInformation.setName( "foo org" ); newOrganisationInformation.setUrl( "http://foo.com" ); archivaAdministration.setOrganisationInformation( newOrganisationInformation ); @@ -240,7 +240,7 @@ public class ArchivaAdministrationTest try { OrganisationInformation newOrganisationInformation = new OrganisationInformation( ); - newOrganisationInformation.setUrl( "'/><svg/onload=alert(/url_xss/)>" ); + newOrganisationInformation.setUrl( "http://foo.com'/><svg/onload=alert(/url_xss/)>" ); newOrganisationInformation.setName( "foo org" ); newOrganisationInformation.setLogoLocation( "http://foo.com/bar.png" ); archivaAdministration.setOrganisationInformation( newOrganisationInformation ); |
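Review bot: Both rewritten payloads are rejected only because they contain `<` and `>`, which `java.net.URI` refuses; a payload composed solely of characters the URI grammar permits, e.g. `newOrganisationInformation.setUrl( "http://foo.com/'onload='alert(1)" );`, would pass `fixUrl` and be stored, so the suite as changed demonstrates rejection of malformed input rather than protection against attribute break-out. Consider adding such a case (and deciding whether the expected outcome is rejection or reliance on output escaping), plus a positive case asserting that a well-formed value like `http://foo.com/bar.png` is stored unchanged. The enclosing test methods begin before each hunk and their assertions follow after it, so the expected outcome of these `try` blocks is not visible here.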