diff options
2 files changed, 58 insertions, 3 deletions
diff --git a/archiva-modules/archiva-base/archiva-repository-admin/archiva-repository-admin-default/src/main/java/org/apache/archiva/admin/repository/admin/DefaultArchivaAdministration.java b/archiva-modules/archiva-base/archiva-repository-admin/archiva-repository-admin-default/src/main/java/org/apache/archiva/admin/repository/admin/DefaultArchivaAdministration.java index 54d26fb5e..8f065c128 100644 --- a/archiva-modules/archiva-base/archiva-repository-admin/archiva-repository-admin-default/src/main/java/org/apache/archiva/admin/repository/admin/DefaultArchivaAdministration.java +++ b/archiva-modules/archiva-base/archiva-repository-admin/archiva-repository-admin-default/src/main/java/org/apache/archiva/admin/repository/admin/DefaultArchivaAdministration.java @@ -36,9 +36,14 @@ import org.apache.http.impl.conn.PoolingClientConnectionManager; import org.apache.http.impl.conn.PoolingHttpClientConnectionManager; import org.apache.maven.wagon.providers.http.HttpWagon; import org.springframework.stereotype.Service; +import org.springframework.util.ResourceUtils; import javax.annotation.PostConstruct; import javax.annotation.PreDestroy; +import java.io.UnsupportedEncodingException; +import java.net.MalformedURLException; +import java.net.URL; +import java.net.URLEncoder; import java.util.ArrayList; import java.util.Collections; import java.util.List; @@ -321,16 +326,29 @@ public class DefaultArchivaAdministration return getModelMapper().map( organisationInformation, OrganisationInformation.class ); } + private void checkUrl(String url, String propertyName) throws RepositoryAdminException { + if ( StringUtils.isNotEmpty( url ) ) + { + if ( !ResourceUtils.isUrl( url ) ) + { + throw new RepositoryAdminException( "Bad URL in " + propertyName + ": " + url ); + } + } + + } + @Override public void setOrganisationInformation( OrganisationInformation organisationInformation ) throws RepositoryAdminException { - Configuration configuration = getArchivaConfiguration().getConfiguration(); + checkUrl(organisationInformation.getUrl(), "url"); + checkUrl( organisationInformation.getLogoLocation(), "logoLocation" ); + Configuration configuration = getArchivaConfiguration( ).getConfiguration( ); if ( organisationInformation != null ) { org.apache.archiva.configuration.OrganisationInformation organisationInformationModel = - getModelMapper().map( organisationInformation, - org.apache.archiva.configuration.OrganisationInformation.class ); + getModelMapper( ).map( organisationInformation, + org.apache.archiva.configuration.OrganisationInformation.class ); configuration.setOrganisationInfo( organisationInformationModel ); } else diff --git a/archiva-modules/archiva-base/archiva-repository-admin/archiva-repository-admin-default/src/test/java/org/apache/archiva/admin/repository/admin/ArchivaAdministrationTest.java b/archiva-modules/archiva-base/archiva-repository-admin/archiva-repository-admin-default/src/test/java/org/apache/archiva/admin/repository/admin/ArchivaAdministrationTest.java index 2c46004ff..6e3fbd671 100644 --- a/archiva-modules/archiva-base/archiva-repository-admin/archiva-repository-admin-default/src/test/java/org/apache/archiva/admin/repository/admin/ArchivaAdministrationTest.java +++ b/archiva-modules/archiva-base/archiva-repository-admin/archiva-repository-admin-default/src/test/java/org/apache/archiva/admin/repository/admin/ArchivaAdministrationTest.java @@ -217,6 +217,43 @@ public class ArchivaAdministrationTest } @Test + public void badOrganisationInfoLogoLocation( ) + { + try + { + OrganisationInformation newOrganisationInformation = new OrganisationInformation( ); + newOrganisationInformation.setLogoLocation( "'/><svg/onload=alert(/logoLocation_xss/)>" ); + newOrganisationInformation.setName( "foo org" ); + newOrganisationInformation.setUrl( "http://foo.com" ); + archivaAdministration.setOrganisationInformation( newOrganisationInformation ); + fail( "RepositoryAdminException expected. Bad URL content should not be allowed for logo location." ); + } + catch ( RepositoryAdminException e ) + { + // OK + } + } + + @Test + public void badOrganisationInfoUrl( ) + { + try + { + OrganisationInformation newOrganisationInformation = new OrganisationInformation( ); + newOrganisationInformation.setUrl( "'/><svg/onload=alert(/url_xss/)>" ); + newOrganisationInformation.setName( "foo org" ); + newOrganisationInformation.setLogoLocation( "http://foo.com/bar.png" ); + archivaAdministration.setOrganisationInformation( newOrganisationInformation ); + fail( "RepositoryAdminException expected. Bad URL content should not be allowed for logo location." ); + } + catch ( RepositoryAdminException e ) + { + // OK + } + + } + + @Test public void uiConfiguration() throws Exception { |