authorMaria Odea B. Ching <oching@apache.org>2011-05-09 11:00:12 +0000
committerMaria Odea B. Ching <oching@apache.org>2011-05-09 11:00:12 +0000
commit29fae1ed8d3e3f76eaa47a79097f1bd61fe90065 (patch)
tree6ed1aadbe8c6c2d000c6872ab8a1777f5f86c113 /archiva-modules
parentadcdfcf3bf6095b9a66feec2ef3ddd345d6d9a28 (diff)
[MRM-1468] added validation for adding a managed repository via xmlrpc + unit tests
git-svn-id: https://svn.apache.org/repos/asf/archiva/trunk@1100956 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'archiva-modules')
-rw-r--r--archiva-modules/archiva-web/archiva-xmlrpc/archiva-xmlrpc-services/pom.xml4
-rw-r--r--archiva-modules/archiva-web/archiva-xmlrpc/archiva-xmlrpc-services/src/main/java/org/apache/archiva/web/xmlrpc/services/AdministrationServiceImpl.java28
-rw-r--r--archiva-modules/archiva-web/archiva-xmlrpc/archiva-xmlrpc-services/src/test/java/org/apache/archiva/web/xmlrpc/services/AdministrationServiceImplTest.java140
3 files changed, 171 insertions, 1 deletions
diff --git a/archiva-modules/archiva-web/archiva-xmlrpc/archiva-xmlrpc-services/pom.xml b/archiva-modules/archiva-web/archiva-xmlrpc/archiva-xmlrpc-services/pom.xml
index b4fb8a213..f59b10550 100644
--- a/archiva-modules/archiva-web/archiva-xmlrpc/archiva-xmlrpc-services/pom.xml
+++ b/archiva-modules/archiva-web/archiva-xmlrpc/archiva-xmlrpc-services/pom.xml
@@ -76,6 +76,10 @@
<artifactId>maven2-repository</artifactId>
</dependency>
<dependency>
+ <groupId>commons-validator</groupId>
+ <artifactId>commons-validator</artifactId>
+ </dependency>
+ <dependency>
<groupId>org.codehaus.redback</groupId>
<artifactId>plexus-spring</artifactId>
<scope>test</scope>
diff --git a/archiva-modules/archiva-web/archiva-xmlrpc/archiva-xmlrpc-services/src/main/java/org/apache/archiva/web/xmlrpc/services/AdministrationServiceImpl.java b/archiva-modules/archiva-web/archiva-xmlrpc/archiva-xmlrpc-services/src/main/java/org/apache/archiva/web/xmlrpc/services/AdministrationServiceImpl.java
index 6ba6fc174..e26787952 100644
--- a/archiva-modules/archiva-web/archiva-xmlrpc/archiva-xmlrpc-services/src/main/java/org/apache/archiva/web/xmlrpc/services/AdministrationServiceImpl.java
+++ b/archiva-modules/archiva-web/archiva-xmlrpc/archiva-xmlrpc-services/src/main/java/org/apache/archiva/web/xmlrpc/services/AdministrationServiceImpl.java
@@ -38,6 +38,7 @@ import org.apache.archiva.web.xmlrpc.api.beans.ManagedRepository;
import org.apache.archiva.web.xmlrpc.api.beans.RemoteRepository;
import org.apache.commons.io.FileUtils;
import org.apache.commons.lang.StringUtils;
+import org.apache.commons.validator.GenericValidator;
import org.apache.maven.archiva.configuration.ArchivaConfiguration;
import org.apache.maven.archiva.configuration.Configuration;
import org.apache.maven.archiva.configuration.IndeterminateConfigurationException;
@@ -99,6 +100,12 @@ public class AdministrationServiceImpl
private Registry registry;
+ private static final String REPOSITORY_ID_VALID_EXPRESSION = "^[a-zA-Z0-9._-]+$";
+
+ private static final String REPOSITORY_NAME_VALID_EXPRESSION = "^([a-zA-Z0-9.)/_(-]|\\s)+$";
+
+ private static final String REPOSITORY_LOCATION_VALID_EXPRESSION = "^[-a-zA-Z0-9._/~:?!&amp;=\\\\]+$";
+
public AdministrationServiceImpl( ArchivaConfiguration archivaConfig, RepositoryContentConsumers repoConsumersUtil,
RepositoryContentFactory repoFactory,
RepositorySessionFactory repositorySessionFactory,
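Review bot: Two of the new patterns accept more than the error messages in the validation hunk advertise. `REPOSITORY_NAME_VALID_EXPRESSION` uses `\\s`, which also matches tab, CR and LF, while the message promises only a space; a literal space in the class, `"^[a-zA-Z0-9.)/_( -]+$"`, would keep line breaks out of a name that presumably ends up in configuration, UI and log output. `REPOSITORY_LOCATION_VALID_EXPRESSION` contains `&amp;` as shown here; if that is literally what the Java file holds (it looks like an XML escape carried over), the class additionally admits `;`, whereas a bare `&` is all the message describes. The added tests only exercise a `<script>` payload, so neither case is pinned by a test.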
@@ -387,6 +394,25 @@ public class AdministrationServiceImpl
throw new Exception( "Invalid cron expression." );
}
+ if( !GenericValidator.matchRegexp( repoId, REPOSITORY_ID_VALID_EXPRESSION ) )
+ {
+ throw new Exception( "Invalid repository ID. Identifier must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
+ }
+
+ if( !GenericValidator.matchRegexp( name, REPOSITORY_NAME_VALID_EXPRESSION ) )
+ {
+ throw new Exception( "Invalid repository name. Repository Name must only contain alphanumeric characters, white-spaces(' '), " +
+ "forward-slashes(/), open-parenthesis('('), close-parenthesis(')'), underscores(_), dots(.), and dashes(-)." );
+ }
+
+ String repoLocation = removeExpressions( location );
+
+ if( !GenericValidator.matchRegexp( repoLocation, REPOSITORY_LOCATION_VALID_EXPRESSION ) )
+ {
+ throw new Exception( "Invalid repository location. Directory must only contain alphanumeric characters, equals(=), question-marks(?), " +
+ "exclamation-points(!), ampersands(&amp;), forward-slashes(/), back-slashes(\\), underscores(_), dots(.), colons(:), tildes(~), and dashes(-)." );
+ }
+
ManagedRepositoryConfiguration repository = new ManagedRepositoryConfiguration();
repository.setId( repoId );
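Review bot: The location check on `repoLocation` is a character allow-list only, so a value containing `..` segments or an absolute path still passes, since `.`, `/`, `\`, `:` and `~` are all permitted. If the goal of this validation goes beyond keeping markup out of the stored value, the resolved path should also be normalised and compared against an allowed base directory before `repository.setLocation( repoLocation )`; if any path is intentionally allowed for administrators, a comment such as `// character allow-list only; does not confine the location to a base directory` would make that explicit. The three checks also throw a bare `Exception`, matching the existing cron check, so callers can only tell the failures apart by message text. The method body starts and ends outside this hunk.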
@@ -394,7 +420,7 @@ public class AdministrationServiceImpl
repository.setReleases( releasesIncluded );
repository.setSnapshots( snapshotsIncluded );
repository.setName( name );
- repository.setLocation( removeExpressions( location ) );
+ repository.setLocation( repoLocation );
repository.setLayout( layout );
repository.setRefreshCronExpression( cronExpression );
diff --git a/archiva-modules/archiva-web/archiva-xmlrpc/archiva-xmlrpc-services/src/test/java/org/apache/archiva/web/xmlrpc/services/AdministrationServiceImplTest.java b/archiva-modules/archiva-web/archiva-xmlrpc/archiva-xmlrpc-services/src/test/java/org/apache/archiva/web/xmlrpc/services/AdministrationServiceImplTest.java
index c75bb97ba..13fa091d0 100644
--- a/archiva-modules/archiva-web/archiva-xmlrpc/archiva-xmlrpc-services/src/test/java/org/apache/archiva/web/xmlrpc/services/AdministrationServiceImplTest.java
+++ b/archiva-modules/archiva-web/archiva-xmlrpc/archiva-xmlrpc-services/src/test/java/org/apache/archiva/web/xmlrpc/services/AdministrationServiceImplTest.java
@@ -953,6 +953,146 @@ public class AdministrationServiceImplTest
registryControl.verify();
}
+ public void testAddManagedRepositoryInvalidId()
+ throws Exception
+ {
+ String projId = "org.apache.archiva";
+ String repoId = projId + "<script>alert('xss')</script>";
+ String layout = "default";
+ String name = projId + " Releases";
+
+ ManagedRepositoryConfiguration managedRepo = createManagedRepo( "repo1", "default", "repo", true, false );
+ RemoteRepositoryConfiguration remoteRepo = createRemoteRepository( "central", "Central Repository", "default",
+ "http://repo1.maven.org/maven2" );
+ List<String> repositories = new ArrayList<String>();
+ repositories.add( managedRepo.getName() );
+ RepositoryGroupConfiguration repoGroup = createRepoGroupConfig( "repoGroup", repositories );
+ Map<String, ManagedRepositoryConfiguration> managedRepoMap =
+ new HashMap<String, ManagedRepositoryConfiguration>();
+ Map<String, RemoteRepositoryConfiguration> remoteRepoMap = new HashMap<String, RemoteRepositoryConfiguration>();
+ Map<String, RepositoryGroupConfiguration> repoGroupMap = new HashMap<String, RepositoryGroupConfiguration>();
+ managedRepoMap.put( "repo1", managedRepo );
+ remoteRepoMap.put( "repo1", remoteRepo );
+ repoGroupMap.put( "repo1", repoGroup );
+
+ archivaConfigControl.expectAndReturn( archivaConfig.getConfiguration(), config );
+
+ configControl.expectAndReturn( config.getManagedRepositoriesAsMap(), managedRepoMap );
+ configControl.expectAndReturn( config.getRemoteRepositoriesAsMap(), remoteRepoMap );
+ configControl.expectAndReturn( config.getRepositoryGroupsAsMap(), repoGroupMap );
+
+ archivaConfigControl.replay();
+ configControl.replay();
+
+ try
+ {
+ service.addManagedRepository( repoId, layout, name, "${appserver.base}/test-repository/" + projId + ".releases", true, true, false, true,
+ "0 15 3 * * ? *" );
+ fail( "An exception should have been thrown! Repository ID is not valid." );
+ }
+ catch( Exception e )
+ {
+ assertEquals( "Invalid repository ID. Identifier must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-).",
+ e.getMessage() );
+ }
+ }
+
+ public void testAddManagedRepositoryInvalidName()
+ throws Exception
+ {
+ String projId = "org.apache.archiva";
+ String repoId = projId + ".releases";
+ String layout = "default";
+ String name = projId + " <script>alert('xss')</script>";
+
+ ManagedRepositoryConfiguration managedRepo = createManagedRepo( "repo1", "default", "repo", true, false );
+ RemoteRepositoryConfiguration remoteRepo = createRemoteRepository( "central", "Central Repository", "default",
+ "http://repo1.maven.org/maven2" );
+ List<String> repositories = new ArrayList<String>();
+ repositories.add( managedRepo.getName() );
+ RepositoryGroupConfiguration repoGroup = createRepoGroupConfig( "repoGroup", repositories );
+ Map<String, ManagedRepositoryConfiguration> managedRepoMap =
+ new HashMap<String, ManagedRepositoryConfiguration>();
+ Map<String, RemoteRepositoryConfiguration> remoteRepoMap = new HashMap<String, RemoteRepositoryConfiguration>();
+ Map<String, RepositoryGroupConfiguration> repoGroupMap = new HashMap<String, RepositoryGroupConfiguration>();
+ managedRepoMap.put( "repo1", managedRepo );
+ remoteRepoMap.put( "repo1", remoteRepo );
+ repoGroupMap.put( "repo1", repoGroup );
+
+ archivaConfigControl.expectAndReturn( archivaConfig.getConfiguration(), config );
+
+ configControl.expectAndReturn( config.getManagedRepositoriesAsMap(), managedRepoMap );
+ configControl.expectAndReturn( config.getRemoteRepositoriesAsMap(), remoteRepoMap );
+ configControl.expectAndReturn( config.getRepositoryGroupsAsMap(), repoGroupMap );
+
+ archivaConfigControl.replay();
+ configControl.replay();
+
+ try
+ {
+ service.addManagedRepository( repoId, layout, name, "${appserver.base}/test-repository/" + projId + ".releases", true, true, false, true,
+ "0 15 3 * * ? *" );
+ fail( "An exception should have been thrown! Repository name is not valid." );
+ }
+ catch( Exception e )
+ {
+ assertEquals( "Invalid repository name. Repository Name must only contain alphanumeric characters, white-spaces(' '), " +
+ "forward-slashes(/), open-parenthesis('('), close-parenthesis(')'), underscores(_), dots(.), and dashes(-).",
+ e.getMessage() );
+ }
+ }
+
+ public void testAddManagedRepositoryInvalidLocation()
+ throws Exception
+ {
+ String projId = "org.apache.archiva";
+ String repoId = projId + ".releases";
+ String layout = "default";
+ String name = projId + " Releases";
+ String appserverBase = "target";
+
+ ManagedRepositoryConfiguration managedRepo = createManagedRepo( "repo1", "default", "repo", true, false );
+ RemoteRepositoryConfiguration remoteRepo = createRemoteRepository( "central", "Central Repository", "default",
+ "http://repo1.maven.org/maven2" );
+ List<String> repositories = new ArrayList<String>();
+ repositories.add( managedRepo.getName() );
+ RepositoryGroupConfiguration repoGroup = createRepoGroupConfig( "repoGroup", repositories );
+ Map<String, ManagedRepositoryConfiguration> managedRepoMap =
+ new HashMap<String, ManagedRepositoryConfiguration>();
+ Map<String, RemoteRepositoryConfiguration> remoteRepoMap = new HashMap<String, RemoteRepositoryConfiguration>();
+ Map<String, RepositoryGroupConfiguration> repoGroupMap = new HashMap<String, RepositoryGroupConfiguration>();
+ managedRepoMap.put( "repo1", managedRepo );
+ remoteRepoMap.put( "repo1", remoteRepo );
+ repoGroupMap.put( "repo1", repoGroup );
+
+ archivaConfigControl.expectAndReturn( archivaConfig.getConfiguration(), config );
+
+ configControl.expectAndReturn( config.getManagedRepositoriesAsMap(), managedRepoMap );
+ configControl.expectAndReturn( config.getRemoteRepositoriesAsMap(), remoteRepoMap );
+ configControl.expectAndReturn( config.getRepositoryGroupsAsMap(), repoGroupMap );
+ registryControl.expectAndReturn( registry.getString( "appserver.base", "${appserver.base}" ), appserverBase );
+ registryControl.expectAndReturn( registry.getString( "appserver.home", "${appserver.home}" ), appserverBase );
+
+ archivaConfigControl.replay();
+ configControl.replay();
+ registryControl.replay();
+
+ try
+ {
+ service.addManagedRepository( repoId, layout, name, "${appserver.base}/<script>alert('xss')</script>" + projId + ".releases", true, true, false, true,
+ "0 15 3 * * ? *" );
+ fail( "An exception should have been thrown! Repository location is not valid." );
+ }
+ catch( Exception e )
+ {
+ assertEquals( "Invalid repository location. Directory must only contain alphanumeric characters, equals(=), question-marks(?), " +
+ "exclamation-points(!), ampersands(&amp;), forward-slashes(/), back-slashes(\\), underscores(_), dots(.), colons(:), tildes(~), and dashes(-).",
+ e.getMessage() );
+ }
+
+ registryControl.verify();
+ }
+
/* private methods */
private void assertRemoteRepo( RemoteRepository remoteRepo, RemoteRepositoryConfiguration expectedRepoConfig )