authorMartin Stockhammer <martin_s@apache.org>2019-04-13 11:59:29 +0200
committerMartin Stockhammer <martin_s@apache.org>2019-04-13 11:59:29 +0200
commit796716d44183bd315dd20184a66b39ae533eb747 (patch)
tree9ec8847e92b99be9951623a3b067e816f88ab147 /archiva-modules/archiva-web/archiva-rest/archiva-rest-services
parent0dea2b64c36272c3aab754c17257e52c4092bf30 (diff)
Improving URL check for organisation info
Diffstat (limited to 'archiva-modules/archiva-web/archiva-rest/archiva-rest-services')
-rw-r--r--archiva-modules/archiva-web/archiva-rest/archiva-rest-services/src/main/java/org/apache/archiva/rest/services/DefaultArchivaAdministrationService.java8
-rw-r--r--archiva-modules/archiva-web/archiva-rest/archiva-rest-services/src/test/java/org/apache/archiva/rest/services/ArchivaAdministrationServiceTest.java56
2 files changed, 58 insertions, 6 deletions
diff --git a/archiva-modules/archiva-web/archiva-rest/archiva-rest-services/src/main/java/org/apache/archiva/rest/services/DefaultArchivaAdministrationService.java b/archiva-modules/archiva-web/archiva-rest/archiva-rest-services/src/main/java/org/apache/archiva/rest/services/DefaultArchivaAdministrationService.java
index ff1d3fd18..51144e87a 100644
--- a/archiva-modules/archiva-web/archiva-rest/archiva-rest-services/src/main/java/org/apache/archiva/rest/services/DefaultArchivaAdministrationService.java
+++ b/archiva-modules/archiva-web/archiva-rest/archiva-rest-services/src/main/java/org/apache/archiva/rest/services/DefaultArchivaAdministrationService.java
@@ -20,11 +20,7 @@ package org.apache.archiva.rest.services;
import org.apache.archiva.admin.model.RepositoryAdminException;
import org.apache.archiva.admin.model.admin.ArchivaAdministration;
-import org.apache.archiva.admin.model.beans.FileType;
-import org.apache.archiva.admin.model.beans.LegacyArtifactPath;
-import org.apache.archiva.admin.model.beans.NetworkConfiguration;
-import org.apache.archiva.admin.model.beans.OrganisationInformation;
-import org.apache.archiva.admin.model.beans.UiConfiguration;
+import org.apache.archiva.admin.model.beans.*;
import org.apache.archiva.repository.scanner.RepositoryContentConsumers;
import org.apache.archiva.rest.api.model.AdminRepositoryConsumer;
import org.apache.archiva.rest.api.services.ArchivaAdministrationService;
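Review bot: The added `import org.apache.archiva.admin.model.beans.*;` replaces five explicit imports with a wildcard, while every other import in this block stays explicit; a wildcard hides which bean types the service actually depends on and can introduce silent name clashes when new classes land in that package. Keep the five explicit imports and add only the bean type the change newly needs (which one cannot be seen from this hunk, since the rest of the file is not in the diff).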
@@ -319,7 +315,7 @@ public class DefaultArchivaAdministrationService
}
catch ( RepositoryAdminException e )
{
- throw new ArchivaRestServiceException( e.getMessage(), e );
+ throw new ArchivaRestServiceException( e.getMessage(), 400, e );
}
}
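Review bot: The catch now reports every `RepositoryAdminException` as HTTP 400, yet that exception type is thrown by the admin layer for more than client-side validation — a failure to persist the configuration would also surface here and be blamed on the caller, with `e.getMessage()` forwarded to the response unchanged. If the admin layer lets you tell a validation rejection apart from an internal failure (a dedicated subclass or a flag on the exception), map only the validation case to 400, e.g. `throw new ArchivaRestServiceException( e.getMessage(), isValidationError( e ) ? 400 : 500, e );`, and otherwise keep the previous constructor for the non-validation path. The enclosing method begins before this hunk, so which setter this belongs to (presumably the organisation-information one exercised by the new tests) is inferred, not visible.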
diff --git a/archiva-modules/archiva-web/archiva-rest/archiva-rest-services/src/test/java/org/apache/archiva/rest/services/ArchivaAdministrationServiceTest.java b/archiva-modules/archiva-web/archiva-rest/archiva-rest-services/src/test/java/org/apache/archiva/rest/services/ArchivaAdministrationServiceTest.java
index e3377f21a..e6a87b003 100644
--- a/archiva-modules/archiva-web/archiva-rest/archiva-rest-services/src/test/java/org/apache/archiva/rest/services/ArchivaAdministrationServiceTest.java
+++ b/archiva-modules/archiva-web/archiva-rest/archiva-rest-services/src/test/java/org/apache/archiva/rest/services/ArchivaAdministrationServiceTest.java
@@ -23,9 +23,11 @@ import org.apache.archiva.admin.model.beans.LegacyArtifactPath;
import org.apache.archiva.admin.model.beans.OrganisationInformation;
import org.apache.archiva.admin.model.beans.UiConfiguration;
import org.apache.archiva.rest.api.model.AdminRepositoryConsumer;
+import org.apache.archiva.rest.api.services.ArchivaRestServiceException;
import org.apache.commons.lang.StringUtils;
import org.junit.Test;
+import javax.ws.rs.BadRequestException;
import java.util.Arrays;
import java.util.List;
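Review bot: The added `import org.apache.archiva.rest.api.services.ArchivaRestServiceException;` is not used by either test added in this commit — both catch `javax.ws.rs.BadRequestException` — so unless it is referenced elsewhere in the file (outside these hunks) it should be dropped to avoid an unused-import warning.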
@@ -93,6 +95,60 @@ public class ArchivaAdministrationServiceTest
}
@Test
+ public void badOrganizationLogoLocation()
+ throws Exception
+ {
+ OrganisationInformation organisationInformation =
+ getArchivaAdministrationService().getOrganisationInformation();
+
+ // rest return an empty bean
+ assertNotNull( organisationInformation );
+ assertTrue( StringUtils.isBlank( organisationInformation.getLogoLocation() ) );
+ assertTrue( StringUtils.isBlank( organisationInformation.getName() ) );
+ assertTrue( StringUtils.isBlank( organisationInformation.getUrl() ) );
+
+ organisationInformation = new OrganisationInformation();
+ organisationInformation.setLogoLocation( "http://foo.com'/><svg/onload=alert(/logoLocation_xss/)>" );
+ organisationInformation.setName( "foo org" );
+ organisationInformation.setUrl( "http://foo.com" );
+
+ try {
+ getArchivaAdministrationService().setOrganisationInformation(organisationInformation);
+ fail("RepositoryAdminException expected. Bad URL content should not be allowed for logo location.");
+ } catch (BadRequestException e) {
+ // OK
+ }
+
+ }
+
+ @Test
+ public void badOrganizationUrl()
+ throws Exception
+ {
+ OrganisationInformation organisationInformation =
+ getArchivaAdministrationService().getOrganisationInformation();
+
+ // rest return an empty bean
+ assertNotNull( organisationInformation );
+ assertTrue( StringUtils.isBlank( organisationInformation.getLogoLocation() ) );
+ assertTrue( StringUtils.isBlank( organisationInformation.getName() ) );
+ assertTrue( StringUtils.isBlank( organisationInformation.getUrl() ) );
+
+ organisationInformation = new OrganisationInformation();
+ organisationInformation.setLogoLocation( "http://foo.com/logo.jpg" );
+ organisationInformation.setName( "foo org" );
+ organisationInformation.setUrl( "http://foo.com'/><svg/onload=alert(/url_xss/)>" );
+
+ try {
+ getArchivaAdministrationService().setOrganisationInformation(organisationInformation);
+ fail("RepositoryAdminException expected. Bad URL content should not be allowed for logo location.");
+ } catch (BadRequestException e) {
+ // OK
+ }
+
+ }
+
+ @Test
public void uiConfigurationReadUpdate()
throws Exception
{
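Review bot: The `fail(...)` messages in both new tests are misleading: they announce "RepositoryAdminException expected" while the tests actually expect `BadRequestException`, and the message in `badOrganizationUrl` still says "for logo location" although that test submits a bad `url`; suggested replacements are `fail("BadRequestException expected. Bad URL content should not be allowed for logo location.");` and `fail("BadRequestException expected. Bad URL content should not be allowed for organisation url.");`. Neither test verifies that the rejected payload was not persisted: re-reading the bean after the catch and asserting `StringUtils.isBlank( ... )` on the affected field would pin that down and also make the tests independent of execution order, since they share the same service state. The identical "read and assert empty bean" preamble in both methods could move to a private helper to keep each test focused on its own bad input.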