author | Martin Stockhammer <martin_s@apache.org> | 2019-04-13 11:59:29 +0200 |
---|---|---|
committer | Martin Stockhammer <martin_s@apache.org> | 2019-04-13 11:59:29 +0200 |
commit | 796716d44183bd315dd20184a66b39ae533eb747 (patch) | |
tree | 9ec8847e92b99be9951623a3b067e816f88ab147 /archiva-modules/archiva-web/archiva-rest/archiva-rest-services | |
parent | 0dea2b64c36272c3aab754c17257e52c4092bf30 (diff) | |
Improving URL check for organisation info
Diffstat (limited to 'archiva-modules/archiva-web/archiva-rest/archiva-rest-services')
2 files changed, 58 insertions, 6 deletions
diff --git a/archiva-modules/archiva-web/archiva-rest/archiva-rest-services/src/main/java/org/apache/archiva/rest/services/DefaultArchivaAdministrationService.java b/archiva-modules/archiva-web/archiva-rest/archiva-rest-services/src/main/java/org/apache/archiva/rest/services/DefaultArchivaAdministrationService.java
index ff1d3fd18..51144e87a 100644
--- a/archiva-modules/archiva-web/archiva-rest/archiva-rest-services/src/main/java/org/apache/archiva/rest/services/DefaultArchivaAdministrationService.java
+++ b/archiva-modules/archiva-web/archiva-rest/archiva-rest-services/src/main/java/org/apache/archiva/rest/services/DefaultArchivaAdministrationService.java
@@ -20,11 +20,7 @@ package org.apache.archiva.rest.services;
 import org.apache.archiva.admin.model.RepositoryAdminException;
 import org.apache.archiva.admin.model.admin.ArchivaAdministration;
-import org.apache.archiva.admin.model.beans.FileType;
-import org.apache.archiva.admin.model.beans.LegacyArtifactPath;
-import org.apache.archiva.admin.model.beans.NetworkConfiguration;
-import org.apache.archiva.admin.model.beans.OrganisationInformation;
-import org.apache.archiva.admin.model.beans.UiConfiguration;
+import org.apache.archiva.admin.model.beans.*;
 import org.apache.archiva.repository.scanner.RepositoryContentConsumers;
 import org.apache.archiva.rest.api.model.AdminRepositoryConsumer;
 import org.apache.archiva.rest.api.services.ArchivaAdministrationService;
@@ -319,7 +315,7 @@ public class DefaultArchivaAdministrationService
         }
         catch ( RepositoryAdminException e )
         {
-            throw new ArchivaRestServiceException( e.getMessage(), e );
+            throw new ArchivaRestServiceException( e.getMessage(), 400, e );
         }
     }
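Review bot: The wildcard `import org.apache.archiva.admin.model.beans.*;` replaces five explicit imports and hides which bean types this service actually depends on, which is at odds with the explicit, one-type-per-line style of the rest of this import block. If the URL check needs an additional bean type, add that one import by name next to the existing five rather than collapsing them, so the dependency stays visible and a later unused-import cleanup remains possible.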
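Review bot: Mapping every `RepositoryAdminException` caught here to HTTP 400 treats all failures of the admin call as client errors, although the exception type is not specific to input validation and may equally be raised for server-side problems such as a failed configuration save, which would then be misreported as a caller mistake. If the admin layer lets validation failures be told apart from other failures, map only those to 400 and keep `throw new ArchivaRestServiceException( e.getMessage(), e );` as the fallback. Forwarding `e.getMessage()` to the client is also worth a look: if the message echoes the rejected URL, the submitted value travels back in the error response and any UI rendering that message has to treat it as untrusted text. The method enclosing this catch starts outside the hunk.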
diff --git a/archiva-modules/archiva-web/archiva-rest/archiva-rest-services/src/test/java/org/apache/archiva/rest/services/ArchivaAdministrationServiceTest.java b/archiva-modules/archiva-web/archiva-rest/archiva-rest-services/src/test/java/org/apache/archiva/rest/services/ArchivaAdministrationServiceTest.java
index e3377f21a..e6a87b003 100644
--- a/archiva-modules/archiva-web/archiva-rest/archiva-rest-services/src/test/java/org/apache/archiva/rest/services/ArchivaAdministrationServiceTest.java
+++ b/archiva-modules/archiva-web/archiva-rest/archiva-rest-services/src/test/java/org/apache/archiva/rest/services/ArchivaAdministrationServiceTest.java
@@ -23,9 +23,11 @@ import org.apache.archiva.admin.model.beans.LegacyArtifactPath;
 import org.apache.archiva.admin.model.beans.OrganisationInformation;
 import org.apache.archiva.admin.model.beans.UiConfiguration;
 import org.apache.archiva.rest.api.model.AdminRepositoryConsumer;
+import org.apache.archiva.rest.api.services.ArchivaRestServiceException;
 import org.apache.commons.lang.StringUtils;
 import org.junit.Test;
+import javax.ws.rs.BadRequestException;
 import java.util.Arrays;
 import java.util.List;
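Review bot: `import org.apache.archiva.rest.api.services.ArchivaRestServiceException;` is added, but the new test methods in this commit only catch `BadRequestException`, so as far as the diff shows the import is unused. Unless the type is referenced somewhere else in the test class, drop the line so the import block does not accumulate dead entries.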
@@ -93,6 +95,60 @@ public class ArchivaAdministrationServiceTest
     }
     @Test
+    public void badOrganizationLogoLocation()
+        throws Exception
+    {
+        OrganisationInformation organisationInformation =
+            getArchivaAdministrationService().getOrganisationInformation();
+
+        // rest return an empty bean
+        assertNotNull( organisationInformation );
+        assertTrue( StringUtils.isBlank( organisationInformation.getLogoLocation() ) );
+        assertTrue( StringUtils.isBlank( organisationInformation.getName() ) );
+        assertTrue( StringUtils.isBlank( organisationInformation.getUrl() ) );
+
+        organisationInformation = new OrganisationInformation();
+        organisationInformation.setLogoLocation( "http://foo.com'/><svg/onload=alert(/logoLocation_xss/)>" );
+        organisationInformation.setName( "foo org" );
+        organisationInformation.setUrl( "http://foo.com" );
+
+        try {
+            getArchivaAdministrationService().setOrganisationInformation(organisationInformation);
+            fail("RepositoryAdminException expected. Bad URL content should not be allowed for logo location.");
+        } catch (BadRequestException e) {
+            // OK
+        }
+
+    }
+
+    @Test
+    public void badOrganizationUrl()
+        throws Exception
+    {
+        OrganisationInformation organisationInformation =
+            getArchivaAdministrationService().getOrganisationInformation();
+
+        // rest return an empty bean
+        assertNotNull( organisationInformation );
+        assertTrue( StringUtils.isBlank( organisationInformation.getLogoLocation() ) );
+        assertTrue( StringUtils.isBlank( organisationInformation.getName() ) );
+        assertTrue( StringUtils.isBlank( organisationInformation.getUrl() ) );
+
+        organisationInformation = new OrganisationInformation();
+        organisationInformation.setLogoLocation( "http://foo.com/logo.jpg" );
+        organisationInformation.setName( "foo org" );
+        organisationInformation.setUrl( "http://foo.com'/><svg/onload=alert(/url_xss/)>" );
+
+        try {
+            getArchivaAdministrationService().setOrganisationInformation(organisationInformation);
+            fail("RepositoryAdminException expected. Bad URL content should not be allowed for logo location.");
+        } catch (BadRequestException e) {
+            // OK
+        }
+
+    }
+
+    @Test
     public void uiConfigurationReadUpdate()
         throws Exception
     {
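Review bot: Both `fail(...)` messages announce "RepositoryAdminException expected" while the catch blocks expect `BadRequestException`, and `badOrganizationUrl` reuses the logo-location wording although it exercises the organisation URL, so a failing run reports the wrong expectation; change them to `fail("BadRequestException expected. Bad URL content should not be allowed for logo location.");` and `fail("BadRequestException expected. Bad URL content should not be allowed for organisation URL.");`. Neither test verifies that the rejected bean was not persisted: after each catch, re-read the information and assert the offending field is still blank, e.g. `assertTrue( StringUtils.isBlank( getArchivaAdministrationService().getOrganisationInformation().getUrl() ) );`, so a check that only runs after the save would still be caught. The two methods also share an identical preamble and assertion sequence that could move into a private helper taking the logo location and URL; that is a style point rather than a correctness one.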