Author: oching
Date: Mon May 9 11:00:12 2011
New Revision: 1100956
URL: http://svn.apache.org/viewvc?rev=1100956&view=rev
Log:
[MRM-1468] added validation for adding a managed repository via xmlrpc + unit
tests
Modified:
archiva/trunk/archiva-modules/archiva-web/archiva-xmlrpc/archiva-xmlrpc-services/pom.xml
archiva/trunk/archiva-modules/archiva-web/archiva-xmlrpc/archiva-xmlrpc-services/src/main/java/org/apache/archiva/web/xmlrpc/services/AdministrationServiceImpl.java
archiva/trunk/archiva-modules/archiva-web/archiva-xmlrpc/archiva-xmlrpc-services/src/test/java/org/apache/archiva/web/xmlrpc/services/AdministrationServiceImplTest.java
archiva/trunk/pom.xml
Modified:
archiva/trunk/archiva-modules/archiva-web/archiva-xmlrpc/archiva-xmlrpc-services/pom.xml
URL:
http://svn.apache.org/viewvc/archiva/trunk/archiva-modules/archiva-web/archiva-xmlrpc/archiva-xmlrpc-services/pom.xml?rev=1100956&r1=1100955&r2=1100956&view=diff
==============================================================================
---
archiva/trunk/archiva-modules/archiva-web/archiva-xmlrpc/archiva-xmlrpc-services/pom.xml
(original)
+++
archiva/trunk/archiva-modules/archiva-web/archiva-xmlrpc/archiva-xmlrpc-services/pom.xml
Mon May 9 11:00:12 2011
@@ -76,6 +76,10 @@
<artifactId>maven2-repository</artifactId>
</dependency>
<dependency>
+ <groupId>commons-validator</groupId>
+ <artifactId>commons-validator</artifactId>
+ </dependency>
+ <dependency>
<groupId>org.codehaus.redback</groupId>
<artifactId>plexus-spring</artifactId>
<scope>test</scope>
Modified:
archiva/trunk/archiva-modules/archiva-web/archiva-xmlrpc/archiva-xmlrpc-services/src/main/java/org/apache/archiva/web/xmlrpc/services/AdministrationServiceImpl.java
URL:
http://svn.apache.org/viewvc/archiva/trunk/archiva-modules/archiva-web/archiva-xmlrpc/archiva-xmlrpc-services/src/main/java/org/apache/archiva/web/xmlrpc/services/AdministrationServiceImpl.java?rev=1100956&r1=1100955&r2=1100956&view=diff
==============================================================================
---
archiva/trunk/archiva-modules/archiva-web/archiva-xmlrpc/archiva-xmlrpc-services/src/main/java/org/apache/archiva/web/xmlrpc/services/AdministrationServiceImpl.java
(original)
+++
archiva/trunk/archiva-modules/archiva-web/archiva-xmlrpc/archiva-xmlrpc-services/src/main/java/org/apache/archiva/web/xmlrpc/services/AdministrationServiceImpl.java
Mon May 9 11:00:12 2011
@@ -38,6 +38,7 @@ import org.apache.archiva.web.xmlrpc.api
import org.apache.archiva.web.xmlrpc.api.beans.RemoteRepository;
import org.apache.commons.io.FileUtils;
import org.apache.commons.lang.StringUtils;
+import org.apache.commons.validator.GenericValidator;
import org.apache.maven.archiva.configuration.ArchivaConfiguration;
import org.apache.maven.archiva.configuration.Configuration;
import
org.apache.maven.archiva.configuration.IndeterminateConfigurationException;
@@ -99,6 +100,12 @@ public class AdministrationServiceImpl
private Registry registry;
+ private static final String REPOSITORY_ID_VALID_EXPRESSION =
"^[a-zA-Z0-9._-]+$";
+
+ private static final String REPOSITORY_NAME_VALID_EXPRESSION =
"^([a-zA-Z0-9.)/_(-]|\\s)+$";
+
+ private static final String REPOSITORY_LOCATION_VALID_EXPRESSION =
"^[-a-zA-Z0-9._/~:?!&=\\\\]+$";
+
public AdministrationServiceImpl( ArchivaConfiguration archivaConfig,
RepositoryContentConsumers repoConsumersUtil,
RepositoryContentFactory repoFactory,
RepositorySessionFactory
repositorySessionFactory,
@@ -387,6 +394,25 @@ public class AdministrationServiceImpl
throw new Exception( "Invalid cron expression." );
}
+ if( !GenericValidator.matchRegexp( repoId,
REPOSITORY_ID_VALID_EXPRESSION ) )
+ {
+ throw new Exception( "Invalid repository ID. Identifier must only
contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
+ }
+
+ if( !GenericValidator.matchRegexp( name,
REPOSITORY_NAME_VALID_EXPRESSION ) )
+ {
+ throw new Exception( "Invalid repository name. Repository Name
must only contain alphanumeric characters, white-spaces(' '), " +
+ "forward-slashes(/), open-parenthesis('('),
close-parenthesis(')'), underscores(_), dots(.), and dashes(-)." );
+ }
+
+ String repoLocation = removeExpressions( location );
+
+ if( !GenericValidator.matchRegexp( repoLocation,
REPOSITORY_LOCATION_VALID_EXPRESSION ) )
+ {
+ throw new Exception( "Invalid repository location. Directory must
only contain alphanumeric characters, equals(=), question-marks(?), " +
+ "exclamation-points(!), ampersands(&), forward-slashes(/),
back-slashes(\\), underscores(_), dots(.), colons(:), tildes(~), and
dashes(-)." );
+ }
+
ManagedRepositoryConfiguration repository = new
ManagedRepositoryConfiguration();
repository.setId( repoId );
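Review bot: The location check at the `GenericValidator.matchRegexp( repoLocation, REPOSITORY_LOCATION_VALID_EXPRESSION )` line is a character whitelist, not a path check: `.`, `/` and `\\` are all permitted, so a value containing `..` segments passes and is then stored as the directory the managed repository will use. If the intent is only to reject markup in the stored/displayed value (which is what the new tests exercise), say so in a comment on the constants in the earlier hunk, e.g. `// Character whitelists for display safety; they do not confine location to a base directory`; if the location is meant to stay under the configured base, a normalized-path containment check after `removeExpressions( location )` is needed in addition to the regex. Separately, `REPOSITORY_NAME_VALID_EXPRESSION` accepts any `\\s` (tabs, line breaks) while the message promises only white-spaces(' '); either narrow the class to a literal space or align the message. The method containing these checks begins and ends outside the hunk, so whether `repoId`, `name` and `location` are null-checked earlier cannot be seen here; if `matchRegexp` does not tolerate a null value, that check belongs before these calls.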
@@ -394,7 +420,7 @@ public class AdministrationServiceImpl
repository.setReleases( releasesIncluded );
repository.setSnapshots( snapshotsIncluded );
repository.setName( name );
- repository.setLocation( removeExpressions( location ) );
+ repository.setLocation( repoLocation );
repository.setLayout( layout );
repository.setRefreshCronExpression( cronExpression );
Modified:
archiva/trunk/archiva-modules/archiva-web/archiva-xmlrpc/archiva-xmlrpc-services/src/test/java/org/apache/archiva/web/xmlrpc/services/AdministrationServiceImplTest.java
URL:
http://svn.apache.org/viewvc/archiva/trunk/archiva-modules/archiva-web/archiva-xmlrpc/archiva-xmlrpc-services/src/test/java/org/apache/archiva/web/xmlrpc/services/AdministrationServiceImplTest.java?rev=1100956&r1=1100955&r2=1100956&view=diff
==============================================================================
---
archiva/trunk/archiva-modules/archiva-web/archiva-xmlrpc/archiva-xmlrpc-services/src/test/java/org/apache/archiva/web/xmlrpc/services/AdministrationServiceImplTest.java
(original)
+++
archiva/trunk/archiva-modules/archiva-web/archiva-xmlrpc/archiva-xmlrpc-services/src/test/java/org/apache/archiva/web/xmlrpc/services/AdministrationServiceImplTest.java
Mon May 9 11:00:12 2011
@@ -953,6 +953,146 @@ public class AdministrationServiceImplTe
registryControl.verify();
}
+ public void testAddManagedRepositoryInvalidId()
+ throws Exception
+ {
+ String projId = "org.apache.archiva";
+ String repoId = projId + "<script>alert('xss')</script>";
+ String layout = "default";
+ String name = projId + " Releases";
+
+ ManagedRepositoryConfiguration managedRepo = createManagedRepo(
"repo1", "default", "repo", true, false );
+ RemoteRepositoryConfiguration remoteRepo = createRemoteRepository(
"central", "Central Repository", "default",
+
"http://repo1.maven.org/maven2" );
+ List<String> repositories = new ArrayList<String>();
+ repositories.add( managedRepo.getName() );
+ RepositoryGroupConfiguration repoGroup = createRepoGroupConfig(
"repoGroup", repositories );
+ Map<String, ManagedRepositoryConfiguration> managedRepoMap =
+ new HashMap<String, ManagedRepositoryConfiguration>();
+ Map<String, RemoteRepositoryConfiguration> remoteRepoMap = new
HashMap<String, RemoteRepositoryConfiguration>();
+ Map<String, RepositoryGroupConfiguration> repoGroupMap = new
HashMap<String, RepositoryGroupConfiguration>();
+ managedRepoMap.put( "repo1", managedRepo );
+ remoteRepoMap.put( "repo1", remoteRepo );
+ repoGroupMap.put( "repo1", repoGroup );
+
+ archivaConfigControl.expectAndReturn(
archivaConfig.getConfiguration(), config );
+
+ configControl.expectAndReturn( config.getManagedRepositoriesAsMap(),
managedRepoMap );
+ configControl.expectAndReturn( config.getRemoteRepositoriesAsMap(),
remoteRepoMap );
+ configControl.expectAndReturn( config.getRepositoryGroupsAsMap(),
repoGroupMap );
+
+ archivaConfigControl.replay();
+ configControl.replay();
+
+ try
+ {
+ service.addManagedRepository( repoId, layout, name,
"${appserver.base}/test-repository/" + projId + ".releases", true, true, false,
true,
+ "0 15 3 * * ? *" );
+ fail( "An exception should have been thrown! Repository ID is not
valid." );
+ }
+ catch( Exception e )
+ {
+ assertEquals( "Invalid repository ID. Identifier must only contain
alphanumeric characters, underscores(_), dots(.), and dashes(-).",
+ e.getMessage() );
+ }
+ }
+
+ public void testAddManagedRepositoryInvalidName()
+ throws Exception
+ {
+ String projId = "org.apache.archiva";
+ String repoId = projId + ".releases";
+ String layout = "default";
+ String name = projId + " <script>alert('xss')</script>";
+
+ ManagedRepositoryConfiguration managedRepo = createManagedRepo(
"repo1", "default", "repo", true, false );
+ RemoteRepositoryConfiguration remoteRepo = createRemoteRepository(
"central", "Central Repository", "default",
+
"http://repo1.maven.org/maven2" );
+ List<String> repositories = new ArrayList<String>();
+ repositories.add( managedRepo.getName() );
+ RepositoryGroupConfiguration repoGroup = createRepoGroupConfig(
"repoGroup", repositories );
+ Map<String, ManagedRepositoryConfiguration> managedRepoMap =
+ new HashMap<String, ManagedRepositoryConfiguration>();
+ Map<String, RemoteRepositoryConfiguration> remoteRepoMap = new
HashMap<String, RemoteRepositoryConfiguration>();
+ Map<String, RepositoryGroupConfiguration> repoGroupMap = new
HashMap<String, RepositoryGroupConfiguration>();
+ managedRepoMap.put( "repo1", managedRepo );
+ remoteRepoMap.put( "repo1", remoteRepo );
+ repoGroupMap.put( "repo1", repoGroup );
+
+ archivaConfigControl.expectAndReturn(
archivaConfig.getConfiguration(), config );
+
+ configControl.expectAndReturn( config.getManagedRepositoriesAsMap(),
managedRepoMap );
+ configControl.expectAndReturn( config.getRemoteRepositoriesAsMap(),
remoteRepoMap );
+ configControl.expectAndReturn( config.getRepositoryGroupsAsMap(),
repoGroupMap );
+
+ archivaConfigControl.replay();
+ configControl.replay();
+
+ try
+ {
+ service.addManagedRepository( repoId, layout, name,
"${appserver.base}/test-repository/" + projId + ".releases", true, true, false,
true,
+ "0 15 3 * * ? *" );
+ fail( "An exception should have been thrown! Repository name is
not valid." );
+ }
+ catch( Exception e )
+ {
+ assertEquals( "Invalid repository name. Repository Name must only
contain alphanumeric characters, white-spaces(' '), " +
+ "forward-slashes(/), open-parenthesis('('),
close-parenthesis(')'), underscores(_), dots(.), and dashes(-).",
+ e.getMessage() );
+ }
+ }
+
+ public void testAddManagedRepositoryInvalidLocation()
+ throws Exception
+ {
+ String projId = "org.apache.archiva";
+ String repoId = projId + ".releases";
+ String layout = "default";
+ String name = projId + " Releases";
+ String appserverBase = "target";
+
+ ManagedRepositoryConfiguration managedRepo = createManagedRepo(
"repo1", "default", "repo", true, false );
+ RemoteRepositoryConfiguration remoteRepo = createRemoteRepository(
"central", "Central Repository", "default",
+
"http://repo1.maven.org/maven2" );
+ List<String> repositories = new ArrayList<String>();
+ repositories.add( managedRepo.getName() );
+ RepositoryGroupConfiguration repoGroup = createRepoGroupConfig(
"repoGroup", repositories );
+ Map<String, ManagedRepositoryConfiguration> managedRepoMap =
+ new HashMap<String, ManagedRepositoryConfiguration>();
+ Map<String, RemoteRepositoryConfiguration> remoteRepoMap = new
HashMap<String, RemoteRepositoryConfiguration>();
+ Map<String, RepositoryGroupConfiguration> repoGroupMap = new
HashMap<String, RepositoryGroupConfiguration>();
+ managedRepoMap.put( "repo1", managedRepo );
+ remoteRepoMap.put( "repo1", remoteRepo );
+ repoGroupMap.put( "repo1", repoGroup );
+
+ archivaConfigControl.expectAndReturn(
archivaConfig.getConfiguration(), config );
+
+ configControl.expectAndReturn( config.getManagedRepositoriesAsMap(),
managedRepoMap );
+ configControl.expectAndReturn( config.getRemoteRepositoriesAsMap(),
remoteRepoMap );
+ configControl.expectAndReturn( config.getRepositoryGroupsAsMap(),
repoGroupMap );
+ registryControl.expectAndReturn( registry.getString( "appserver.base",
"${appserver.base}" ), appserverBase );
+ registryControl.expectAndReturn( registry.getString( "appserver.home",
"${appserver.home}" ), appserverBase );
+
+ archivaConfigControl.replay();
+ configControl.replay();
+ registryControl.replay();
+
+ try
+ {
+ service.addManagedRepository( repoId, layout, name,
"${appserver.base}/<script>alert('xss')</script>" + projId + ".releases", true,
true, false, true,
+ "0 15 3 * * ? *" );
+ fail( "An exception should have been thrown! Repository location
is not valid." );
+ }
+ catch( Exception e )
+ {
+ assertEquals( "Invalid repository location. Directory must only
contain alphanumeric characters, equals(=), question-marks(?), " +
+ "exclamation-points(!), ampersands(&), forward-slashes(/),
back-slashes(\\), underscores(_), dots(.), colons(:), tildes(~), and
dashes(-).",
+ e.getMessage() );
+ }
+
+ registryControl.verify();
+ }
+
/* private methods */
private void assertRemoteRepo( RemoteRepository remoteRepo,
RemoteRepositoryConfiguration expectedRepoConfig )
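Review bot: The three new tests repeat the same mock setup verbatim (`createManagedRepo`, `createRemoteRepository`, the three maps, the `expectAndReturn` calls and the `replay()` calls); a private helper such as `setUpRepositoryMocks()` called from each would leave only the input and the expected message in each test. The first two tests set expectations on `archivaConfigControl`/`configControl` but never call `verify()` on them, so if the validation throws before `getConfiguration()` is reached those expectations are dead and the test cannot tell; either verify the controls or drop the unused setup. Coverage is also limited to script-tag inputs: a location with `..` segments, a name containing a tab or newline, and a fully valid call that succeeds would pin down what the new regexes actually accept and reject. The enclosing test class starts and ends outside the hunk.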
Modified: archiva/trunk/pom.xml
URL:
http://svn.apache.org/viewvc/archiva/trunk/pom.xml?rev=1100956&r1=1100955&r2=1100956&view=diff
==============================================================================
--- archiva/trunk/pom.xml (original)
+++ archiva/trunk/pom.xml Mon May 9 11:00:12 2011
@@ -1056,6 +1056,17 @@
<version>${binder.version}</version>
</dependency>
<dependency>
+ <groupId>commons-validator</groupId>
+ <artifactId>commons-validator</artifactId>
+ <version>1.3.1</version>
+ <exclusions>
+ <exclusion>
+ <groupId>commons-logging</groupId>
+ <artifactId>commons-logging</artifactId>
+ </exclusion>
+ </exclusions>
+ </dependency>
+ <dependency>
<groupId>com.atlassian.xmlrpc</groupId>
<artifactId>atlassian-xmlrpc-binder-testing</artifactId>
<version>${binder.version}</version>