Joe,
I think these checks in AbstractRepository should go into the Artifact
class itself. That way, no Artifact instance could ever be created
with a bad group, or artifact name, etc. Also, as a double check I
would add the following to Maven2Repository.getLocation() in order to
check if the created path is still rooted at the rootFile:
    // reject any location that resolves outside the repository root
    if (!path.getCanonicalPath().startsWith(rootFile.getCanonicalPath())) {
        throw new RuntimeException("File " + path + " is not rooted at " + rootFile);
    }
Jarek
On Wed, Dec 17, 2008 at 10:54 PM, <[email protected]> wrote:
> Author: jbohn
> Date: Wed Dec 17 19:54:10 2008
> New Revision: 727631
>
> URL: http://svn.apache.org/viewvc?rev=727631&view=rev
> Log:
> GERONIMO-4473 validate group, artifact, version and type when adding an
> archive to the repo
>
> Modified:
>
> geronimo/server/trunk/framework/modules/geronimo-kernel/src/main/java/org/apache/geronimo/kernel/repository/AbstractRepository.java
>
> geronimo/server/trunk/plugins/console/console-base-portlets/src/main/webapp/WEB-INF/view/repository/normal.jsp
>
> Modified:
> geronimo/server/trunk/framework/modules/geronimo-kernel/src/main/java/org/apache/geronimo/kernel/repository/AbstractRepository.java
> URL:
> http://svn.apache.org/viewvc/geronimo/server/trunk/framework/modules/geronimo-kernel/src/main/java/org/apache/geronimo/kernel/repository/AbstractRepository.java?rev=727631&r1=727630&r2=727631&view=diff
> ==============================================================================
> ---
> geronimo/server/trunk/framework/modules/geronimo-kernel/src/main/java/org/apache/geronimo/kernel/repository/AbstractRepository.java
> (original)
> +++
> geronimo/server/trunk/framework/modules/geronimo-kernel/src/main/java/org/apache/geronimo/kernel/repository/AbstractRepository.java
> Wed Dec 17 19:54:10 2008
> @@ -27,6 +27,8 @@
> import java.util.HashMap;
> import java.util.LinkedHashSet;
> import java.util.Map;
> +import java.util.regex.Matcher;
> +import java.util.regex.Pattern;
> import java.util.zip.ZipEntry;
> import java.util.zip.ZipException;
> import java.util.zip.ZipFile;
> @@ -50,6 +52,7 @@
> public abstract class AbstractRepository implements WriteableRepository {
> protected final Logger log = LoggerFactory.getLogger(getClass());
> private final static ArtifactTypeHandler DEFAULT_TYPE_HANDLER = new
> CopyArtifactTypeHandler();
> + private final static Pattern ILLEGAL_CHARS =
> Pattern.compile("[\\.]{2}|[()<>,;:\\\\/\"\']");
> protected final File rootFile;
> private final Map<String, ArtifactTypeHandler> typeHandlers = new
> HashMap<String, ArtifactTypeHandler>();
>
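Review bot: ILLEGAL_CHARS is a blocklist, so it rejects `..` and the listed separators and quotes but still admits whitespace, `*`, `?`, `%`, control characters and anything else not enumerated; the JSP messages in this same commit promise "letters, numbers, and underscores", so an allowlist such as `[A-Za-z0-9_.-]+` (with `..` rejected separately) would make the server rule match what the console tells users and is easier to reason about than a list of known-bad characters.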
> @@ -153,6 +156,20 @@
> }
>
> public void copyToRepository(File source, Artifact destination,
> FileWriteMonitor monitor) throws IOException {
> +
> + // ensure there are no illegal chars in destination elements
> + Matcher groupMatcher =
> ILLEGAL_CHARS.matcher(destination.getGroupId());
> + Matcher artifactMatcher =
> ILLEGAL_CHARS.matcher(destination.getArtifactId());
> + Matcher versionMatcher =
> ILLEGAL_CHARS.matcher(destination.getVersion().toString());
> + Matcher typeMatcher = ILLEGAL_CHARS.matcher(destination.getType());
> + if (groupMatcher.find() ||
> + artifactMatcher.find() ||
> + versionMatcher.find() ||
> + typeMatcher.find())
> + {
> + throw new IllegalArgumentException("Artifact "+destination+"
> contains illegal characters, .. ( ) < > , ; : / \\ \' \" ");
> + }
> +
> if(!destination.isResolved()) {
> throw new IllegalArgumentException("Artifact "+destination+" is
> not fully resolved");
> }
>
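Review bot: the new block calls `destination.getVersion().toString()` before the existing `isResolved()` test, so an unresolved Artifact with a null version now fails with a NullPointerException instead of the intended IllegalArgumentException; move the illegal-character check below `if(!destination.isResolved())`, or null-guard each element first. Since only copyToRepository validates, an Artifact built or located through any other path is not covered; validating in the Artifact class itself, as the reply above proposes, would close that gap.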
> Modified:
> geronimo/server/trunk/plugins/console/console-base-portlets/src/main/webapp/WEB-INF/view/repository/normal.jsp
> URL:
> http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/console/console-base-portlets/src/main/webapp/WEB-INF/view/repository/normal.jsp?rev=727631&r1=727630&r2=727631&view=diff
> ==============================================================================
> ---
> geronimo/server/trunk/plugins/console/console-base-portlets/src/main/webapp/WEB-INF/view/repository/normal.jsp
> (original)
> +++
> geronimo/server/trunk/plugins/console/console-base-portlets/src/main/webapp/WEB-INF/view/repository/normal.jsp
> Wed Dec 17 19:54:10 2008
> @@ -37,7 +37,8 @@
> </style>
>
> <script language="JavaScript">
> -function <portlet:namespace/>validate() {
> +function <portlet:namespace/>validateForm() {
> + var illegalChars= /[\.]{2}|[()<>,;:\\/"']/ ;
> if (! (document.<portlet:namespace/>fileSelect.local.value
> && document.<portlet:namespace/>fileSelect.group.value
> && document.<portlet:namespace/>fileSelect.artifact.value
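Review bot: the client-side `illegalChars` regex mirrors the server pattern and is useful feedback, but validateForm() only runs from the form's onsubmit; a request posted directly to the deploy action URL never executes it, so the AbstractRepository check remains the sole enforcement point. A short comment in the JSP saying so would stop someone later relaxing the server side on the assumption that the form already filters input.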
> @@ -46,6 +47,18 @@
> {
> alert("File, Group, Artifact, Version, and Type are all required
> fields");
> return false;
> + } else if
> (document.<portlet:namespace/>fileSelect.group.value.match(illegalChars)) {
> + alert("Group contains invalid characters - must only contain letters,
> numbers, and underscores");
> + return false;
> + } else if
> (document.<portlet:namespace/>fileSelect.artifact.value.match(illegalChars)) {
> + alert("Artifact contains invalid characters - must only contain
> letters, numbers, and underscores");
> + return false;
> + } else if
> (document.<portlet:namespace/>fileSelect.version.value.match(illegalChars)) {
> + alert("Version contains invalid characters - must only contain
> letters, numbers, and underscores");
> + return false;
> + } else if
> (document.<portlet:namespace/>fileSelect.fileType.value.match(illegalChars)) {
> + alert("File type contains invalid characters - must only contain
> letters, numbers, and underscores");
> + return false;
> }
> }
>
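Review bot: each alert states the field "must only contain letters, numbers, and underscores", but `illegalChars` is a blocklist that still accepts hyphens, single dots (which group ids and versions such as 2.2 require), spaces and most other characters; either reword the messages to name the characters actually rejected, or switch the test to an allowlist so the message and the check describe the same rule.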
> @@ -94,7 +107,7 @@
> <table width="100%">
> <tr>
> <td align="center">
> - <form onsubmit="return <portlet:namespace/>validate();"
> enctype="multipart/form-data" name="<portlet:namespace/>fileSelect"
> method="POST" action="<portlet:actionURL><portlet:param name="action"
> value="deploy"/></portlet:actionURL>">
> + <form onsubmit="return <portlet:namespace/>validateForm();"
> enctype="multipart/form-data" name="<portlet:namespace/>fileSelect"
> method="POST" action="<portlet:actionURL><portlet:param name="action"
> value="deploy"/></portlet:actionURL>">
> <table>
> <tr>
> <th colspan="2"><fmt:message
> key="repository.normal.addArchiveToRepository"/></th>
>
>
>
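The rooting check proposed in the reply at the top of this thread, written out as an added example that is not Geronimo code: an allowlist for the four artifact coordinates, followed by a canonical-path containment test on the resolved location. The class and method names (ArtifactPathGuard, isValidCoordinate, resolve) are assumptions for illustration, and the Maven2 directory layout built here is the standard one rather than code taken from Maven2Repository.getLocation(). The containment test compares against the canonical root with a trailing separator, so a sibling directory whose name merely begins with the root's name (/repo2 next to /repo) is not accepted as being inside it, which a bare startsWith prefix check would allow.

```java
import java.io.File;
import java.io.IOException;
import java.util.regex.Pattern;

// Added example, not part of the Geronimo tree: validates artifact coordinates
// with an allowlist and then confirms the resolved file stays under the root.
public final class ArtifactPathGuard {

    // Allowlist: tokens of letters, digits, '_' and '-', joined by single dots.
    // ".." cannot match (no empty segment), nor can '/', '\\', quotes or spaces.
    private static final Pattern COORDINATE =
            Pattern.compile("[A-Za-z0-9_\\-]+(\\.[A-Za-z0-9_\\-]+)*");

    private final File rootFile; // canonical form of the repository root

    public ArtifactPathGuard(File rootFile) throws IOException {
        this.rootFile = rootFile.getCanonicalFile();
    }

    /** True only when the element is a plain coordinate token per COORDINATE. */
    public static boolean isValidCoordinate(String element) {
        return element != null && COORDINATE.matcher(element).matches();
    }

    /**
     * Builds the standard Maven2 layout path (assumed layout, see lead-in) and
     * rejects it unless its canonical form lies strictly inside rootFile.
     */
    public File resolve(String groupId, String artifactId, String version, String type)
            throws IOException {
        // First layer: no element may carry separators, '..' or quoting characters.
        for (String e : new String[] {groupId, artifactId, version, type}) {
            if (!isValidCoordinate(e)) {
                throw new IllegalArgumentException("illegal artifact coordinate: " + e);
            }
        }
        File path = new File(rootFile,
                groupId.replace('.', File.separatorChar) + File.separator
                + artifactId + File.separator + version + File.separator
                + artifactId + "-" + version + "." + type);

        // Second layer: the check from the reply above, with a trailing separator
        // so that "/repo2" is not treated as being rooted at "/repo".
        File canonical = path.getCanonicalFile();
        String rootPrefix = rootFile.getPath() + File.separator;
        if (!canonical.getPath().startsWith(rootPrefix)) {
            throw new RuntimeException("File " + path + " is not rooted at " + rootFile);
        }
        return canonical;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample root under the temp directory; it need not exist.
        ArtifactPathGuard guard =
                new ArtifactPathGuard(new File(System.getProperty("java.io.tmpdir"), "repo"));
        System.out.println(guard.resolve("org.apache.geronimo", "geronimo-kernel", "2.2", "jar"));
        // Constructed bad coordinates: each is stopped by the allowlist before any
        // path is built, so the containment check is a backstop, not the only line.
        for (String bad : new String[] {"..", "../etc", "a/b", "a\\b", "a\"b", "a b"}) {
            try {
                guard.resolve(bad, "x", "1", "jar");
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Running main prints the resolved jar location for the valid coordinates and one "rejected:" line per constructed bad group id. Keeping both layers is deliberate: the allowlist gives a clear error for bad input at the API boundary, while the canonical-path test still catches any future change to the layout code that lets a location escape the root.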