This is an automated email from the ASF dual-hosted git repository. martin_s pushed a commit to branch archiva-2.x in repository https://gitbox.apache.org/repos/asf/archiva.git
commit a36035b49ba7d6514d6c386b51e1ad2512371b3d Author: Martin Stockhammer <[email protected]> AuthorDate: Fri Feb 22 21:10:19 2019 +0100 Add url validation for certain fields --- .../admin/DefaultArchivaAdministration.java | 24 ++++++++++++-- .../admin/ArchivaAdministrationTest.java | 37 ++++++++++++++++++++++ 2 files changed, 58 insertions(+), 3 deletions(-) diff --git a/archiva-modules/archiva-base/archiva-repository-admin/archiva-repository-admin-default/src/main/java/org/apache/archiva/admin/repository/admin/DefaultArchivaAdministration.java b/archiva-modules/archiva-base/archiva-repository-admin/archiva-repository-admin-default/src/main/java/org/apache/archiva/admin/repository/admin/DefaultArchivaAdministration.java index 54d26fb..8f065c1 100644 --- a/archiva-modules/archiva-base/archiva-repository-admin/archiva-repository-admin-default/src/main/java/org/apache/archiva/admin/repository/admin/DefaultArchivaAdministration.java +++ b/archiva-modules/archiva-base/archiva-repository-admin/archiva-repository-admin-default/src/main/java/org/apache/archiva/admin/repository/admin/DefaultArchivaAdministration.java @@ -36,9 +36,14 @@ import org.apache.http.impl.conn.PoolingClientConnectionManager; import org.apache.http.impl.conn.PoolingHttpClientConnectionManager; import org.apache.maven.wagon.providers.http.HttpWagon; import org.springframework.stereotype.Service; +import org.springframework.util.ResourceUtils; import javax.annotation.PostConstruct; import javax.annotation.PreDestroy; +import java.io.UnsupportedEncodingException; +import java.net.MalformedURLException; +import java.net.URL; +import java.net.URLEncoder; import java.util.ArrayList; import java.util.Collections; import java.util.List; @@ -321,16 +326,29 @@ public class DefaultArchivaAdministration return getModelMapper().map( organisationInformation, OrganisationInformation.class ); } + private void checkUrl(String url, String propertyName) throws RepositoryAdminException { + if ( StringUtils.isNotEmpty( url ) ) + { + if ( !ResourceUtils.isUrl( url ) ) + { + throw new RepositoryAdminException( "Bad URL in " + propertyName + ": " + url ); + } + } + + } + @Override public void setOrganisationInformation( OrganisationInformation organisationInformation ) throws RepositoryAdminException { - Configuration configuration = getArchivaConfiguration().getConfiguration(); + checkUrl(organisationInformation.getUrl(), "url"); + checkUrl( organisationInformation.getLogoLocation(), "logoLocation" ); + Configuration configuration = getArchivaConfiguration( ).getConfiguration( ); if ( organisationInformation != null ) { org.apache.archiva.configuration.OrganisationInformation organisationInformationModel = - getModelMapper().map( organisationInformation, - org.apache.archiva.configuration.OrganisationInformation.class ); + getModelMapper( ).map( organisationInformation, + org.apache.archiva.configuration.OrganisationInformation.class ); configuration.setOrganisationInfo( organisationInformationModel ); } else diff --git a/archiva-modules/archiva-base/archiva-repository-admin/archiva-repository-admin-default/src/test/java/org/apache/archiva/admin/repository/admin/ArchivaAdministrationTest.java b/archiva-modules/archiva-base/archiva-repository-admin/archiva-repository-admin-default/src/test/java/org/apache/archiva/admin/repository/admin/ArchivaAdministrationTest.java index 2c46004..6e3fbd6 100644 --- a/archiva-modules/archiva-base/archiva-repository-admin/archiva-repository-admin-default/src/test/java/org/apache/archiva/admin/repository/admin/ArchivaAdministrationTest.java +++ b/archiva-modules/archiva-base/archiva-repository-admin/archiva-repository-admin-default/src/test/java/org/apache/archiva/admin/repository/admin/ArchivaAdministrationTest.java @@ -217,6 +217,43 @@ public class ArchivaAdministrationTest } @Test + public void badOrganisationInfoLogoLocation( ) + { + try + { + OrganisationInformation newOrganisationInformation = new OrganisationInformation( ); + newOrganisationInformation.setLogoLocation( "'/><svg/onload=alert(/logoLocation_xss/)>" ); + newOrganisationInformation.setName( "foo org" ); + newOrganisationInformation.setUrl( "http://foo.com"; ); + archivaAdministration.setOrganisationInformation( newOrganisationInformation ); + fail( "RepositoryAdminException expected. Bad URL content should not be allowed for logo location." ); + } + catch ( RepositoryAdminException e ) + { + // OK + } + } + + @Test + public void badOrganisationInfoUrl( ) + { + try + { + OrganisationInformation newOrganisationInformation = new OrganisationInformation( ); + newOrganisationInformation.setUrl( "'/><svg/onload=alert(/url_xss/)>" ); + newOrganisationInformation.setName( "foo org" ); + newOrganisationInformation.setLogoLocation( "http://foo.com/bar.png"; ); + archivaAdministration.setOrganisationInformation( newOrganisationInformation ); + fail( "RepositoryAdminException expected. Bad URL content should not be allowed for logo location." ); + } + catch ( RepositoryAdminException e ) + { + // OK + } + + } + + @Test public void uiConfiguration() throws Exception {
![http://foo.com/bar.png"](http://foo.com/bar.png"){kind=link}