Posted to commits@archiva.apache.org by oc...@apache.org on 2011/05/03 04:54:21 UTC
svn commit: r1098897 [1/3] - in
/archiva/branches/archiva-1.3.x/archiva-modules/archiva-web:
archiva-webapp-test/src/test/testng/org/apache/archiva/web/test/
archiva-webapp-test/src/test/testng/org/apache/archiva/web/test/parent/
archiva-webapp/src/mai...
Author: oching
Date: Tue May 3 02:54:19 2011
New Revision: 1098897
URL: http://svn.apache.org/viewvc?rev=1098897&view=rev
Log:
[MRM-1468] Fix XSS vulnerability in Archiva
submitted by Marc Jansen Tan Chua
o tightened up validation on input/edit forms + unit tests
o added selenium tests for XSS vulnerabilities
o used c:out in some of the pages so output will be escaped if containing html characters
Added:
archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp-test/src/test/testng/org/apache/archiva/web/test/XSSSecurityTest.java
archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/test/java/org/apache/maven/archiva/web/action/DeleteArtifactActionTest.java
archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/test/java/org/apache/maven/archiva/web/action/admin/legacy/
archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/test/java/org/apache/maven/archiva/web/action/admin/legacy/AddLegacyArtifactPathActionTest.java
archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/test/java/org/apache/maven/archiva/web/action/admin/networkproxies/
archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/test/java/org/apache/maven/archiva/web/action/admin/networkproxies/ConfigureNetworkProxyActionTest.java
archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/test/java/org/apache/maven/archiva/web/action/admin/repositories/AbstractManagedRepositoryActionTest.java
archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/test/java/org/apache/maven/archiva/web/validator/
archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/test/java/org/apache/maven/archiva/web/validator/utils/
archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/test/java/org/apache/maven/archiva/web/validator/utils/ValidatorUtil.java
Modified:
archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp-test/src/test/testng/org/apache/archiva/web/test/AppearanceTest.java
archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp-test/src/test/testng/org/apache/archiva/web/test/ArtifactManagementTest.java
archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp-test/src/test/testng/org/apache/archiva/web/test/LegacySupportTest.java
archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp-test/src/test/testng/org/apache/archiva/web/test/NetworkProxiesTest.java
archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp-test/src/test/testng/org/apache/archiva/web/test/RepositoryTest.java
archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp-test/src/test/testng/org/apache/archiva/web/test/parent/AbstractArchivaTest.java
archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp-test/src/test/testng/org/apache/archiva/web/test/parent/AbstractArtifactManagementTest.java
archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp-test/src/test/testng/org/apache/archiva/web/test/parent/AbstractRepositoryTest.java
archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp-test/src/test/testng/org/apache/archiva/web/test/parent/AbstractSeleniumTest.java
archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/main/java/org/apache/maven/archiva/web/action/DeleteArtifactAction.java
archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/main/java/org/apache/maven/archiva/web/action/admin/appearance/EditOrganisationInfoAction.java
archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/main/java/org/apache/maven/archiva/web/action/admin/legacy/AddLegacyArtifactPathAction.java
archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/main/java/org/apache/maven/archiva/web/action/admin/networkproxies/ConfigureNetworkProxyAction.java
archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/main/java/org/apache/maven/archiva/web/action/admin/repositories/AddManagedRepositoryAction.java
archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/main/java/org/apache/maven/archiva/web/action/admin/repositories/EditManagedRepositoryAction.java
archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/main/resources/org/apache/maven/archiva/web/action/DeleteArtifactAction-validation.xml
archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/main/resources/org/apache/maven/archiva/web/action/admin/appearance/EditOrganisationInfoAction-validation.xml
archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/main/resources/org/apache/maven/archiva/web/action/admin/legacy/AddLegacyArtifactPathAction-validation.xml
archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/main/resources/org/apache/maven/archiva/web/action/admin/networkproxies/ConfigureNetworkProxyAction-saveNetworkProxy-validation.xml
archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/main/resources/org/apache/maven/archiva/web/action/admin/repositories/AddManagedRepositoryAction-validation.xml
archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/main/resources/org/apache/maven/archiva/web/action/admin/repositories/EditManagedRepositoryAction-validation.xml
archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/addLegacyArtifactPath.jsp
archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/addRepository.jsp
archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/appearance.jsp
archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/confirmAddRepository.jsp
archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/deleteNetworkProxy.jsp
archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/deleteRepository.jsp
archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/editAppearance.jsp
archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/editNetworkProxy.jsp
archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/editRepository.jsp
archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/legacyArtifactPath.jsp
archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/networkProxies.jsp
archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/repositories.jsp
archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/components/companyLogo.jsp
archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/jsp/deleteArtifact.jsp
archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/test/java/org/apache/maven/archiva/web/action/admin/appearance/EditOrganizationInfoActionTest.java
archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/test/java/org/apache/maven/archiva/web/action/admin/repositories/AddManagedRepositoryActionTest.java
archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/test/java/org/apache/maven/archiva/web/action/admin/repositories/EditManagedRepositoryActionTest.java
Modified: archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp-test/src/test/testng/org/apache/archiva/web/test/AppearanceTest.java
URL: http://svn.apache.org/viewvc/archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp-test/src/test/testng/org/apache/archiva/web/test/AppearanceTest.java?rev=1098897&r1=1098896&r2=1098897&view=diff
==============================================================================
--- archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp-test/src/test/testng/org/apache/archiva/web/test/AppearanceTest.java (original)
+++ archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp-test/src/test/testng/org/apache/archiva/web/test/AppearanceTest.java Tue May 3 02:54:19 2011
@@ -25,15 +25,47 @@ import org.testng.annotations.Test;
@Test( groups = { "appearance" }, dependsOnMethods = { "testWithCorrectUsernamePassword" }, sequential = true )
public class AppearanceTest extends AbstractArchivaTest
{
- public void testAddAppearanceNullValues()
+ public void testAddAppearanceEmptyValues()
{
goToAppearancePage();
clickLinkWithText( "Edit" );
addEditAppearance( "", "", "" );
assertTextPresent( "You must enter a name" );
}
-
- @Test( dependsOnMethods = { "testAddAppearanceNullValues" })
+
+ @Test( dependsOnMethods = { "testAddAppearanceEmptyValues" })
+ public void testAddAppearanceInvalidValues()
+ {
+ addEditAppearance( "<>~+[ ]'\"" , "/home/user/abcXYZ0129._/\\~:?!&=-<> ~+[ ]'\"" , "/home/user/abcXYZ0129._/\\~:?!&=-<> ~+[ ]'\"" );
+ assertTextPresent( "Organisation name must only contain alphanumeric characters, white-spaces(' '), equals(=), question-marks(?), exclamation-points(!), ampersands(&), forward-slashes(/), back-slashes(\\), underscores(_), dots(.), colons(:), tildes(~), and dashes(-)." );
+ assertTextPresent( "You must enter a URL" );
+ assertXpathCount("//span[@class='errorMessage' and text()='You must enter a URL']", 2);
+ }
+
+ @Test( dependsOnMethods = { "testAddAppearanceInvalidValues" })
+ public void testAddAppearanceInvalidOrganisationName()
+ {
+ addEditAppearance( "<>~+[ ]'\"" , "http://www.apache.org/" , "http://www.apache.org/images/asf_logo_wide.gifs" );
+ assertTextPresent( "Organisation name must only contain alphanumeric characters, white-spaces(' '), equals(=), question-marks(?), exclamation-points(!), ampersands(&), forward-slashes(/), back-slashes(\\), underscores(_), dots(.), colons(:), tildes(~), and dashes(-)." );
+ }
+
+ @Test( dependsOnMethods = { "testAddAppearanceInvalidOrganisationName" })
+ public void testAddAppearanceInvalidOrganisationUrl()
+ {
+ addEditAppearance( "The Apache Software Foundation" , "/home/user/abcXYZ0129._/\\~:?!&=-<> ~+[ ]'\"" , "http://www.apache.org/images/asf_logo_wide.gifs" );
+ assertTextPresent( "You must enter a URL" );
+ assertXpathCount("//span[@class='errorMessage' and text()='You must enter a URL']", 1);
+ }
+
+ @Test( dependsOnMethods = { "testAddAppearanceInvalidOrganisationUrl" })
+ public void testAddAppearanceInvalidOrganisationLogo()
+ {
+ addEditAppearance( "The Apache Software Foundation" , "http://www.apache.org/" , "/home/user/abcXYZ0129._/\\~:?!&=-<> ~+[ ]'\"" );
+ assertTextPresent( "You must enter a URL" );
+ assertXpathCount("//span[@class='errorMessage' and text()='You must enter a URL']", 1);
+ }
+
+ @Test( dependsOnMethods = { "testAddAppearanceInvalidOrganisationLogo" })
public void testAddAppearanceValidValues()
{
addEditAppearance( "The Apache Software Foundation" , "http://www.apache.org/" , "http://www.apache.org/images/asf_logo_wide.gifs" );
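Review bot: testAddAppearanceInvalidValues through testAddAppearanceInvalidOrganisationLogo assert only that a validation message is displayed, not that the rejected value stays out of the response unescaped, which is the property the commit's c:out changes are meant to guarantee. A source-level check after each addEditAppearance call, such as `Assert.assertFalse( getSelenium().getHtmlSource().contains( "<>~+[ ]'\"" ) );` with TestNG's Assert, would catch a page that re-renders the submitted value raw; if the new XSSSecurityTest already covers the appearance form, a comment pointing to it would suffice. These methods also submit without navigating first, so they depend on the edit form left open by testAddAppearanceEmptyValues, an ordering enforced only by the dependsOnMethods chain. The same message-only pattern applies to the additions in ArtifactManagementTest, LegacySupportTest, NetworkProxiesTest and RepositoryTest.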
@@ -46,6 +78,6 @@ public class AppearanceTest extends Abst
clickLinkWithText( "Edit" );
addEditAppearance( "Apache Software Foundation" , "http://www.apache.org/" , "http://www.apache.org/images/asf_logo_wide.gifs" );
assertTextPresent( "Apache Software Foundation" );
- }
-
+ }
+
}
\ No newline at end of file
Modified: archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp-test/src/test/testng/org/apache/archiva/web/test/ArtifactManagementTest.java
URL: http://svn.apache.org/viewvc/archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp-test/src/test/testng/org/apache/archiva/web/test/ArtifactManagementTest.java?rev=1098897&r1=1098896&r2=1098897&view=diff
==============================================================================
--- archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp-test/src/test/testng/org/apache/archiva/web/test/ArtifactManagementTest.java (original)
+++ archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp-test/src/test/testng/org/apache/archiva/web/test/ArtifactManagementTest.java Tue May 3 02:54:19 2011
@@ -82,7 +82,7 @@ public class ArtifactManagementTest
addArtifact( getGroupId() , getArtifactId(), getVersion(), getPackaging() , " ", getRepositoryId() );
assertTextPresent( "Please add a file to upload." );
}
-
+
@Test(groups = "requiresUpload")
public void testAddArtifactValidValues()
{
@@ -139,4 +139,25 @@ public class ArtifactManagementTest
deleteArtifact( "delete", "delete", "asdf", "internal");
assertTextPresent( "Invalid version." );
}
+
+ // HTML select should have the proper value, else it will cause a selenium error: Option with label 'customValue' not found
+ public void testDeleteArtifactInvalidValues()
+ {
+ deleteArtifact( "<> \\/~+[ ]'\"", "<> \\/~+[ ]'\"", "<>", "internal");
+ assertTextPresent( "Invalid version." );
+ assertTextPresent( "Group id must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
+ assertTextPresent( "Artifact id must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
+ }
+
+ public void testDeleteArtifactInvalidGroupId()
+ {
+ deleteArtifact( "<> \\/~+[ ]'\"", "delete", "1.0", "internal");
+ assertTextPresent( "Group id must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
+ }
+
+ public void testDeleteArtifactInvalidArtifactId()
+ {
+ deleteArtifact( "delete", "<> \\/~+[ ]'\"", "1.0", "internal");
+ assertTextPresent( "Artifact id must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
+ }
}
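Review bot: The three new methods testDeleteArtifactInvalidValues, testDeleteArtifactInvalidGroupId and testDeleteArtifactInvalidArtifactId carry no `@Test` annotation of their own, while the sibling testAddArtifactValidValues in the earlier hunk is annotated with `@Test(groups = "requiresUpload")`; whether and in what order they run then depends on a class-level annotation outside this hunk. Since the surrounding delete tests reuse the `delete` group and artifact ids, pinning the order with `@Test( dependsOnMethods = { "<preceding delete test>" } )`, as the other test classes in this commit do, would avoid a dependence on TestNG's default ordering. The comment at the top of the hunk would also read clearer as `// The repository select must be given an existing option value, otherwise selenium fails with "Option with label 'customValue' not found".`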
Modified: archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp-test/src/test/testng/org/apache/archiva/web/test/LegacySupportTest.java
URL: http://svn.apache.org/viewvc/archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp-test/src/test/testng/org/apache/archiva/web/test/LegacySupportTest.java?rev=1098897&r1=1098896&r2=1098897&view=diff
==============================================================================
--- archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp-test/src/test/testng/org/apache/archiva/web/test/LegacySupportTest.java (original)
+++ archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp-test/src/test/testng/org/apache/archiva/web/test/LegacySupportTest.java Tue May 3 02:54:19 2011
@@ -72,4 +72,58 @@ public class LegacySupportTest
addLegacyArtifactPath( "test" , "test" , "test" , "1.0-SNAPSHOT" , "testing" , "");
assertTextPresent( "You must enter a type." );
}
+
+ @Test( dependsOnMethods = { "testAddLegacyArtifact_NullType" })
+ public void testAddLegacyArtifact_InvalidValues()
+ {
+ addLegacyArtifactPath( "<> ~+[ ]'\"" , "<> \\/~+[ ]'\"" , "<> \\/~+[ ]'\"" , "<> \\/~+[ ]'\"" , "<> \\/~+[ ]'\"" , "<> \\/~+[ ]'\"");
+ assertTextPresent( "Legacy path must only contain alphanumeric characters, forward-slashes(/), back-slashes(\\), underscores(_), dots(.), and dashes(-)." );
+ assertTextPresent( "Group id must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
+ assertTextPresent( "Artifact id must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
+ assertTextPresent( "Version must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
+ assertTextPresent( "Classifier must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
+ assertTextPresent( "Type must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
+ }
+
+ @Test( dependsOnMethods = { "testAddLegacyArtifact_InvalidValues" })
+ public void testAddLegacyArtifact_InvalidLegacyPath()
+ {
+ addLegacyArtifactPath( "<> ~+[ ]'\"" , "test" , "test" , "1.0-SNAPSHOT" , "testing" , "jar");
+ assertTextPresent( "Legacy path must only contain alphanumeric characters, forward-slashes(/), back-slashes(\\), underscores(_), dots(.), and dashes(-)." );
+ }
+
+ @Test( dependsOnMethods = { "testAddLegacyArtifact_InvalidLegacyPath" })
+ public void testAddLegacyArtifact_InvalidGroupId()
+ {
+ addLegacyArtifactPath( "test" , "<> \\/~+[ ]'\"" , "test" , "1.0-SNAPSHOT" , "testing" , "jar");
+ assertTextPresent( "Group id must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
+ }
+
+ @Test( dependsOnMethods = { "testAddLegacyArtifact_InvalidGroupId" })
+ public void testAddLegacyArtifact_InvalidArtifactId()
+ {
+ addLegacyArtifactPath( "test" , "test" , "<> \\/~+[ ]'\"" , "1.0-SNAPSHOT" , "testing" , "jar");
+ assertTextPresent( "Artifact id must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
+ }
+
+ @Test( dependsOnMethods = { "testAddLegacyArtifact_InvalidArtifactId" })
+ public void testAddLegacyArtifact_InvalidVersion()
+ {
+ addLegacyArtifactPath( "test" , "test" , "test" , "<> \\/~+[ ]'\"" , "testing" , "jar");
+ assertTextPresent( "Version must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
+ }
+
+ @Test( dependsOnMethods = { "testAddLegacyArtifact_InvalidVersion" })
+ public void testAddLegacyArtifact_InvalidType()
+ {
+ addLegacyArtifactPath( "test" , "test" , "test" , "1.0-SNAPSHOT" , "testing" , "<> \\/~+[ ]'\"");
+ assertTextPresent( "Type must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
+ }
+
+ @Test( dependsOnMethods = { "testAddLegacyArtifact_InvalidType" })
+ public void testAddLegacyArtifact_InvalidClassifier()
+ {
+ addLegacyArtifactPath( "test" , "test" , "test" , "1.0-SNAPSHOT" , "<> \\/~+[ ]'\"" , "jar");
+ assertTextPresent( "Classifier must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
+ }
}
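Review bot: The legacy-path message asserted in testAddLegacyArtifact_InvalidValues and testAddLegacyArtifact_InvalidLegacyPath states that the field accepts forward-slashes, back-slashes and dots, so a value containing dot-dot segments such as `../../test` passes the character whitelist these tests exercise, and no test here checks that such segments are rejected. Whether the action later confines the path under a repository root is outside this hunk, but a case like `addLegacyArtifactPath( "../../test" , "test" , "test" , "1.0-SNAPSHOT" , "testing" , "jar");` followed by an assertion of the rejection message, or a comment recording where normalisation happens if the validator deliberately allows it, would make the intended boundary explicit. Each new test also submits without re-navigating, so it relies on the form being left open by its predecessor.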
Modified: archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp-test/src/test/testng/org/apache/archiva/web/test/NetworkProxiesTest.java
URL: http://svn.apache.org/viewvc/archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp-test/src/test/testng/org/apache/archiva/web/test/NetworkProxiesTest.java?rev=1098897&r1=1098896&r2=1098897&view=diff
==============================================================================
--- archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp-test/src/test/testng/org/apache/archiva/web/test/NetworkProxiesTest.java (original)
+++ archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp-test/src/test/testng/org/apache/archiva/web/test/NetworkProxiesTest.java Tue May 3 02:54:19 2011
@@ -59,8 +59,60 @@ public class NetworkProxiesTest
addNetworkProxy( "testing123", "http", "", "8080", "", "");
assertTextPresent( "You must enter a host." );
}
-
+
@Test (dependsOnMethods = { "testAddNetworkProxiesNullHostname" } )
+ public void testAddNetworkProxiesInvalidValues()
+ {
+ goToNetworkProxiesPage();
+ addNetworkProxy( "<> \\/~+[ ]'\"", "<> ~+[ ]'\"", "<> ~+[ ]'\"", "0", "<> ~+[ ]'\"", "");
+ assertTextPresent( "Proxy id must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
+ assertTextPresent( "Protocol must only contain alphanumeric characters, forward-slashes(/), back-slashes(\\), dots(.), colons(:), and dashes(-)." );
+ assertTextPresent( "Host must only contain alphanumeric characters, equals(=), question-marks(?), exclamation-points(!), ampersands(&), forward-slashes(/), back-slashes(\\), underscores(_), dots(.), colons(:), tildes(~), and dashes(-)." );
+ assertTextPresent( "Port needs to be larger than 1" );
+ assertTextPresent( "Username must only contain alphanumeric characters, at's(@), forward-slashes(/), back-slashes(\\), underscores(_), dots(.), and dashes(-)." );
+ }
+
+ @Test (dependsOnMethods = { "testAddNetworkProxiesInvalidValues" } )
+ public void testAddNetworkProxiesInvalidIdentifier()
+ {
+ goToNetworkProxiesPage();
+ addNetworkProxy( "<> \\/~+[ ]'\"", "http", "localhost", "8080", "", "");
+ assertTextPresent( "Proxy id must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
+ }
+
+ @Test (dependsOnMethods = { "testAddNetworkProxiesInvalidIdentifier" } )
+ public void testAddNetworkProxiesInvalidProtocol()
+ {
+ goToNetworkProxiesPage();
+ addNetworkProxy( "testing123", "<> ~+[ ]'\"", "localhost", "8080", "", "");
+ assertTextPresent( "Protocol must only contain alphanumeric characters, forward-slashes(/), back-slashes(\\), dots(.), colons(:), and dashes(-)." );
+ }
+
+ @Test (dependsOnMethods = { "testAddNetworkProxiesInvalidProtocol" } )
+ public void testAddNetworkProxiesInvalidHostname()
+ {
+ goToNetworkProxiesPage();
+ addNetworkProxy( "testing123", "http", "<> ~+[ ]'\"", "8080", "", "");
+ assertTextPresent( "Host must only contain alphanumeric characters, equals(=), question-marks(?), exclamation-points(!), ampersands(&), forward-slashes(/), back-slashes(\\), underscores(_), dots(.), colons(:), tildes(~), and dashes(-)." );
+ }
+
+ @Test (dependsOnMethods = { "testAddNetworkProxiesInvalidHostname" } )
+ public void testAddNetworkProxiesInvalidPort()
+ {
+ goToNetworkProxiesPage();
+ addNetworkProxy( "testing123", "http", "localhost", "0", "", "");
+ assertTextPresent( "Port needs to be larger than 1" );
+ }
+
+ @Test (dependsOnMethods = { "testAddNetworkProxiesInvalidPort" } )
+ public void testAddNetworkProxiesInvalidUsername()
+ {
+ goToNetworkProxiesPage();
+ addNetworkProxy( "testing123", "http", "localhost", "8080", "<> ~+[ ]'\"", "");
+ assertTextPresent( "Username must only contain alphanumeric characters, at's(@), forward-slashes(/), back-slashes(\\), underscores(_), dots(.), and dashes(-)." );
+ }
+
+ @Test (dependsOnMethods = { "testAddNetworkProxiesInvalidUsername" } )
public void testAddNetworkProxiesValidValues()
{
goToNetworkProxiesPage();
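Review bot: testAddNetworkProxiesInvalidPort exercises only `"0"`, and the asserted message "Port needs to be larger than 1" leaves the lower boundary ambiguous (whether 1 itself is accepted) while saying nothing about an upper bound or non-numeric input. Adding cases for `"1"`, `"65536"` and `"abc"` with whatever message the validation XML produces would pin the accepted range, and if the validator has no upper bound the test would at least document that. Separately, the host message asserted in testAddNetworkProxiesInvalidValues and testAddNetworkProxiesInvalidHostname admits `=`, `?`, `!`, `&` and `~`, characters that do not occur in hostnames; that width comes from the validation file rather than this hunk, but a comment here noting it as deliberate (or a follow-up to tighten it) would help the next reader.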
@@ -68,7 +120,7 @@ public class NetworkProxiesTest
assertPage( "Apache Archiva \\ Administration - Network Proxies" );
assertTextPresent( "testing123" );
}
-
+
@Test (dependsOnMethods = { "testAddNetworkProxiesValidValues" } )
public void testEditNetworkProxy()
{
@@ -92,5 +144,5 @@ public class NetworkProxiesTest
assertPage( "Apache Archiva \\ Administration - Network Proxies" );
assertTextPresent( "testing123" );
}
-
+
}
Modified: archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp-test/src/test/testng/org/apache/archiva/web/test/RepositoryTest.java
URL: http://svn.apache.org/viewvc/archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp-test/src/test/testng/org/apache/archiva/web/test/RepositoryTest.java?rev=1098897&r1=1098896&r2=1098897&view=diff
==============================================================================
--- archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp-test/src/test/testng/org/apache/archiva/web/test/RepositoryTest.java (original)
+++ archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp-test/src/test/testng/org/apache/archiva/web/test/RepositoryTest.java Tue May 3 02:54:19 2011
@@ -35,9 +35,66 @@ public class RepositoryTest
assertTextPresent( "Managed Repository Sample 1" );
assertRepositoriesPage();
}
-
- @Test(dependsOnMethods = { "testAddManagedRepoValidValues" } )
- public void testAddManagedRepoInvalidValues()
+
+ @Test(dependsOnMethods = { "testAddManagedRepoValidValues" } )
+ public void testAddManagedRepoInvalidValues()
+ {
+ goToRepositoriesPage();
+ getSelenium().open( "/archiva/admin/addRepository.action" ); ;
+ addManagedRepository( "<> \\/~+[ ]'\"", "<>\\~+[]'\"" , "<> ~+[ ]'\"" , "<> ~+[ ]'\"", "Maven 2.x Repository", "", "-1", "101" );
+ assertTextPresent( "Identifier must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
+ assertTextPresent( "Directory must only contain alphanumeric characters, equals(=), question-marks(?), exclamation-points(!), ampersands(&), forward-slashes(/), back-slashes(\\), underscores(_), dots(.), colons(:), tildes(~), and dashes(-)." );
+ assertTextPresent( "Repository Name must only contain alphanumeric characters, white-spaces(' '), forward-slashes(/), open-parenthesis('('), close-parenthesis(')'), underscores(_), dots(.), and dashes(-)." );
+ assertTextPresent( "Index directory must only contain alphanumeric characters, equals(=), question-marks(?), exclamation-points(!), ampersands(&), forward-slashes(/), back-slashes(\\), underscores(_), dots(.), colons(:), tildes(~), and dashes(-)." );
+ assertTextPresent( "Repository Purge By Retention Count needs to be between 1 and 100.");
+ assertTextPresent( "Repository Purge By Days Older Than needs to be larger than 0.");
+ assertTextPresent( "Invalid cron expression." );
+ }
+
+ @Test(dependsOnMethods = { "testAddManagedRepoInvalidValues" } )
+ public void testAddManagedRepoInvalidIdentifier()
+ {
+ addManagedRepository( "<> \\/~+[ ]'\"", "name" , "/home" , "/.index", "Maven 2.x Repository", "0 0 * * * ?", "1", "1" );
+ assertTextPresent( "Identifier must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
+ }
+
+ @Test(dependsOnMethods = { "testAddManagedRepoInvalidIdentifier" } )
+ public void testAddManagedRepoInvalidRepoName()
+ {
+ addManagedRepository( "identifier", "<>\\~+[]'\"" , "/home" , "/.index", "Maven 2.x Repository", "0 0 * * * ?", "1", "1" );
+ assertTextPresent( "Repository Name must only contain alphanumeric characters, white-spaces(' '), forward-slashes(/), open-parenthesis('('), close-parenthesis(')'), underscores(_), dots(.), and dashes(-)." );
+ }
+
+ @Test(dependsOnMethods = { "testAddManagedRepoInvalidRepoName" } )
+ public void testAddManagedRepoInvalidDirectory()
+ {
+ addManagedRepository( "identifier", "name" , "<> ~+[ ]'\"" , "/.index", "Maven 2.x Repository", "0 0 * * * ?", "1", "1" );
+ assertTextPresent( "Directory must only contain alphanumeric characters, equals(=), question-marks(?), exclamation-points(!), ampersands(&), forward-slashes(/), back-slashes(\\), underscores(_), dots(.), colons(:), tildes(~), and dashes(-)." );
+ }
+
+ @Test(dependsOnMethods = { "testAddManagedRepoInvalidDirectory" } )
+ public void testAddManagedRepoInvalidIndexDir()
+ {
+ addManagedRepository( "identifier", "name" , "/home" , "<> ~+[ ]'\"", "Maven 2.x Repository", "0 0 * * * ?", "1", "1" );
+ assertTextPresent( "Index directory must only contain alphanumeric characters, equals(=), question-marks(?), exclamation-points(!), ampersands(&), forward-slashes(/), back-slashes(\\), underscores(_), dots(.), colons(:), tildes(~), and dashes(-)." );
+ }
+
+ @Test(dependsOnMethods = { "testAddManagedRepoInvalidIndexDir" } )
+ public void testAddManagedRepoInvalidRetentionCount()
+ {
+ addManagedRepository( "identifier", "name" , "/home" , "/.index", "Maven 2.x Repository", "0 0 * * * ?", "1", "101" );
+ assertTextPresent( "Repository Purge By Retention Count needs to be between 1 and 100." );
+ }
+
+ @Test(dependsOnMethods = { "testAddManagedRepoInvalidRetentionCount" } )
+ public void testAddManagedRepoInvalidDaysOlder()
+ {
+ addManagedRepository( "identifier", "name" , "/home" , "/.index", "Maven 2.x Repository", "0 0 * * * ?", "-1", "1" );
+ assertTextPresent( "Repository Purge By Days Older Than needs to be larger than 0." );
+ }
+
+ @Test(dependsOnMethods = { "testAddManagedRepoInvalidDaysOlder" } )
+ public void testAddManagedRepoBlankValues()
{
goToRepositoriesPage();
getSelenium().open( "/archiva/admin/addRepository.action" ); ;
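Review bot: The added line `getSelenium().open( "/archiva/admin/addRepository.action" ); ;` in testAddManagedRepoInvalidValues ends in a stray empty statement, copied from the identical context line in testAddManagedRepoBlankValues below it; drop the second `;` in both places. The single-field tests that follow, testAddManagedRepoInvalidIdentifier through testAddManagedRepoInvalidDaysOlder, do not open the add page themselves and so rely on the form still being displayed after the previous rejected submit; a `goToRepositoriesPage();` plus the open call at the start of each, or in a shared helper, would make them independent of ordering. None of the rejected submissions is followed by a check that no repository with id `identifier` was actually created, which a return to the repositories page and an absence assertion would cover.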
@@ -48,7 +105,7 @@ public class RepositoryTest
assertTextPresent( "Invalid cron expression." );
}
- @Test(dependsOnMethods = { "testAddManagedRepoInvalidValues" } )
+ @Test(dependsOnMethods = { "testAddManagedRepoBlankValues" } )
public void testAddManagedRepoNoIdentifier()
{
addManagedRepository( "", "name" , "/home" , "/.index", "Maven 2.x Repository", "0 0 * * * ?", "", "" );
@@ -86,8 +143,62 @@ public class RepositoryTest
assertTextPresent( "Managed Repository Sample" );
}
+ @Test(dependsOnMethods = { "testAddManagedRepoForEdit" } )
+ public void testEditManagedRepoInvalidValues()
+ {
+ editManagedRepository("<>\\~+[]'\"" , "<> ~+[ ]'\"" , "<> ~+[ ]'\"", "Maven 2.x Repository", "", "-1", "101");
+ assertTextPresent( "Directory must only contain alphanumeric characters, equals(=), question-marks(?), exclamation-points(!), ampersands(&), forward-slashes(/), back-slashes(\\), underscores(_), dots(.), colons(:), tildes(~), and dashes(-)." );
+ assertTextPresent( "Repository Name must only contain alphanumeric characters, white-spaces(' '), forward-slashes(/), open-parenthesis('('), close-parenthesis(')'), underscores(_), dots(.), and dashes(-)." );
+ assertTextPresent( "Index directory must only contain alphanumeric characters, equals(=), question-marks(?), exclamation-points(!), ampersands(&), forward-slashes(/), back-slashes(\\), underscores(_), dots(.), colons(:), tildes(~), and dashes(-)." );
+ assertTextPresent( "Repository Purge By Retention Count needs to be between 1 and 100.");
+ assertTextPresent( "Repository Purge By Days Older Than needs to be larger than 0.");
+ assertTextPresent( "Invalid cron expression." );
+ }
+
+ @Test(dependsOnMethods = { "testEditManagedRepoInvalidValues" } )
+ public void testEditManagedRepoInvalidRepoName()
+ {
+ editManagedRepository("<>\\~+[]'\"" , "/home" , "/.index", "Maven 2.x Repository", "0 0 * * * ?", "1", "1");
+ assertTextPresent( "Repository Name must only contain alphanumeric characters, white-spaces(' '), forward-slashes(/), open-parenthesis('('), close-parenthesis(')'), underscores(_), dots(.), and dashes(-)." );
+ }
+
+ @Test(dependsOnMethods = { "testEditManagedRepoInvalidRepoName" } )
+ public void testEditManagedRepoInvalidDirectory()
+ {
+ editManagedRepository("name" , "<> ~+[ ]'\"" , "/.index", "Maven 2.x Repository", "0 0 * * * ?", "1", "1");
+ assertTextPresent( "Directory must only contain alphanumeric characters, equals(=), question-marks(?), exclamation-points(!), ampersands(&), forward-slashes(/), back-slashes(\\), underscores(_), dots(.), colons(:), tildes(~), and dashes(-)." );
+ }
+
+ @Test(dependsOnMethods = { "testEditManagedRepoInvalidDirectory" } )
+ public void testEditManagedRepoInvalidIndexDir()
+ {
+ editManagedRepository("name" , "/home" , "<> ~+[ ]'\"", "Maven 2.x Repository", "0 0 * * * ?", "1", "1");
+ assertTextPresent( "Index directory must only contain alphanumeric characters, equals(=), question-marks(?), exclamation-points(!), ampersands(&), forward-slashes(/), back-slashes(\\), underscores(_), dots(.), colons(:), tildes(~), and dashes(-)." );
+ }
+
+ @Test(dependsOnMethods = { "testEditManagedRepoInvalidIndexDir" } )
+ public void testEditManagedRepoInvalidCron()
+ {
+ editManagedRepository("name" , "/home" , "/.index", "Maven 2.x Repository", "", "1", "1");
+ assertTextPresent( "Invalid cron expression." );
+ }
+
+ @Test(dependsOnMethods = { "testEditManagedRepoInvalidCron" } )
+ public void testEditManagedRepoInvalidRetentionCount()
+ {
+ editManagedRepository("name" , "/home" , "/.index", "Maven 2.x Repository", "0 0 * * * ?", "1", "101");
+ assertTextPresent( "Repository Purge By Retention Count needs to be between 1 and 100." );
+ }
+
+ @Test(dependsOnMethods = { "testEditManagedRepoInvalidRetentionCount" } )
+ public void testEditManagedRepoInvalidDaysOlder()
+ {
+ editManagedRepository("name" , "/home" , "/.index", "Maven 2.x Repository", "0 0 * * * ?", "-1", "1");
+ assertTextPresent( "Repository Purge By Days Older Than needs to be larger than 0." );
+ }
+
//TODO
- @Test(dependsOnMethods = { "testAddManagedRepoForEdit" } )
+ @Test(dependsOnMethods = { "testEditManagedRepoInvalidDaysOlder" } )
public void testEditManagedRepo()
{
editManagedRepository( "repository.name" , "Managed Repo" );
@@ -140,11 +251,11 @@ public class RepositoryTest
addRemoteRepository( "remoterepo" , "Remote Repository Sample" , "http://repository.codehaus.org/org/codehaus/mojo/" , "" , "" , "" , "Maven 2.x Repository" );
assertTextPresent( "Remote Repository Sample" );
}
-
+
// *** BUNDLED REPOSITORY TEST ***
-
- @Test ( dependsOnMethods = { "testWithCorrectUsernamePassword" }, alwaysRun = true )
- public void testBundledRepository()
+
+ @Test ( dependsOnMethods = { "testWithCorrectUsernamePassword" }, alwaysRun = true )
+ public void testBundledRepository()
{
String repo1 = baseUrl + "repository/internal/";
String repo2 = baseUrl + "repository/snapshots/";
@@ -152,7 +263,7 @@ public class RepositoryTest
assertRepositoryAccess( repo1 );
assertRepositoryAccess( repo2 );
- getSelenium().open( "/archiva" );
+ getSelenium().open( "/archiva" );
}
private void assertRepositoryAccess( String repo )
Added: archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp-test/src/test/testng/org/apache/archiva/web/test/XSSSecurityTest.java
URL: http://svn.apache.org/viewvc/archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp-test/src/test/testng/org/apache/archiva/web/test/XSSSecurityTest.java?rev=1098897&view=auto
==============================================================================
--- archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp-test/src/test/testng/org/apache/archiva/web/test/XSSSecurityTest.java (added)
+++ archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp-test/src/test/testng/org/apache/archiva/web/test/XSSSecurityTest.java Tue May 3 02:54:19 2011
@@ -0,0 +1,190 @@
+package org.apache.archiva.web.test;
+
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import org.testng.annotations.Test;
+import org.apache.archiva.web.test.parent.AbstractArchivaTest;
+
+/**
+ * Test all actions affected with XSS security issue.
+ */
+@Test( groups = { "xss" }, dependsOnMethods = { "testWithCorrectUsernamePassword" }, sequential = true )
+public class XSSSecurityTest
+ extends AbstractArchivaTest
+{
+ public void testDeleteArtifactImmunityToURLCrossSiteScripting()
+ {
+ getSelenium().open( "/archiva/deleteArtifact!doDelete.action?groupId=\"/>1<script>alert('xss')</script>&artifactId=\"/>1<script>alert('xss')</script>&version=\"/>1<script>alert('xss')</script>&repositoryId=\"/>1<script>alert('xss')</script>");
+ assertDeleteArtifactPage();
+ assertTextPresent( "Invalid version." );
+ assertTextPresent( "User is not authorized to delete artifacts in repository '\"/>1<script>alert('xss')</script>'." );
+ assertTextPresent( "Group id must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
+ assertTextPresent( "Artifact id must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
+ assertTextPresent( "Repository id must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
+ assertElementValue("//input[@id='deleteArtifact_groupId']", "\"/>1<script>alert('xss')</script>");
+ assertElementValue("//input[@id='deleteArtifact_artifactId']", "\"/>1<script>alert('xss')</script>");
+ assertElementValue("//input[@id='deleteArtifact_version']", "\"/>1<script>alert('xss')</script>");
+ assertElementValue("//select[@id='deleteArtifact_repositoryId']", "internal");
+ }
+
+ public void testDeleteArtifactImmunityToEncodedURLCrossSiteScripting()
+ {
+ getSelenium().open( "/archiva/deleteArtifact!doDelete.action?groupId=%22%2F%3E1%3Cscript%3Ealert('xss')%3C%2Fscript%3E&artifactId=%22%2F%3E1%3Cscript%3Ealert('xss')%3C%2Fscript%3E&version=%22%2F%3E1%3Cscript%3Ealert('xss')%3C%2Fscript%3E&repositoryId=%22%2F%3E1%3Cscript%3Ealert('xss')%3C%2Fscript%3E");
+ assertDeleteArtifactPage();
+ assertTextPresent( "Invalid version." );
+ assertTextPresent( "User is not authorized to delete artifacts in repository '\"/>1<script>alert('xss')</script>'." );
+ assertTextPresent( "Group id must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
+ assertTextPresent( "Artifact id must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
+ assertTextPresent( "Repository id must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
+ assertElementValue("//input[@id='deleteArtifact_groupId']", "\"/>1<script>alert('xss')</script>");
+ assertElementValue("//input[@id='deleteArtifact_artifactId']", "\"/>1<script>alert('xss')</script>");
+ assertElementValue("//input[@id='deleteArtifact_version']", "\"/>1<script>alert('xss')</script>");
+ assertElementValue("//select[@id='deleteArtifact_repositoryId']", "internal");
+ }
+
+ public void testEditAppearanceImmunityToURLCrossSiteScripting()
+ {
+ getSelenium().open( "/archiva/admin/configureAppearance.action?organisationName=<script>alert('xss')</script>&organisationUrl=<script>alert('xss')</script>&organisationLogo=<script>alert('xss')</script>");
+ assertAppearancePage();
+ assertXpathCount("//td[text()=\"<script>alert('xss')</script>\"]", 1);
+ assertXpathCount("//code[text()=\"<script>alert('xss')</script>\"]", 2);
+
+ }
+
+ public void testEditAppearanceImmunityToEncodedURLCrossSiteScripting()
+ {
+ getSelenium().open( "/archiva/admin/configureAppearance.action?organisationName=%3Cscript%3Ealert('xss')%3C%2Fscript%3E&organisationUrl=%3Cscript%3Ealert('xss')%3C%2Fscript%3E&organisationLogo=%3Cscript%3Ealert('xss')%3C%2Fscript%3E");
+ assertAppearancePage();
+ assertXpathCount("//td[text()=\"<script>alert('xss')</script>\"]", 1);
+ assertXpathCount("//code[text()=\"<script>alert('xss')</script>\"]", 2);
+ }
+
+ public void testAddLegacyArtifactImmunityToURLCrossSiteScripting()
+ {
+ getSelenium().open( "/archiva/admin/addLegacyArtifactPath!commit.action?legacyArtifactPath.path=\"/>1<script>alert('xss')</script>&groupId=\"/>1<script>alert('xss')</script>&artifactId=\"/>1<script>alert('xss')</script>&version=\"/>1<script>alert('xss')</script>&classifier=\"/>1<script>alert('xss')</script>&type=\"/>1<script>alert('xss')</script>");
+ assertAddLegacyArtifactPathPage();
+ assertTextPresent( "Legacy path must only contain alphanumeric characters, forward-slashes(/), back-slashes(\\), underscores(_), dots(.), and dashes(-)." );
+ assertTextPresent( "Group id must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
+ assertTextPresent( "Artifact id must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
+ assertTextPresent( "Version must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
+ assertTextPresent( "Classifier must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
+ assertTextPresent( "Type must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
+ assertElementValue("//input[@id='addLegacyArtifactPath_legacyArtifactPath_path']", "\"/>1<script>alert('xss')</script>");
+ assertElementValue("//input[@id='addLegacyArtifactPath_artifactId']", "\"/>1<script>alert('xss')</script>");
+ assertElementValue("//input[@id='addLegacyArtifactPath_version']", "\"/>1<script>alert('xss')</script>");
+ assertElementValue("//input[@id='addLegacyArtifactPath_groupId']", "\"/>1<script>alert('xss')</script>");
+ assertElementValue("//input[@id='addLegacyArtifactPath_classifier']", "\"/>1<script>alert('xss')</script>");
+ assertElementValue("//input[@id='addLegacyArtifactPath_type']", "\"/>1<script>alert('xss')</script>");
+ }
+
+ public void testAddLegacyArtifactImmunityToEncodedURLCrossSiteScripting()
+ {
+ getSelenium().open( "/archiva/admin/addLegacyArtifactPath!commit.action?legacyArtifactPath.path=%22%2F%3E1%3Cscript%3Ealert('xss')%3C%2Fscript%3E&groupId=%22%2F%3E1%3Cscript%3Ealert('xss')%3C%2Fscript%3E&artifactId=%22%2F%3E1%3Cscript%3Ealert('xss')%3C%2Fscript%3E&version=%22%2F%3E1%3Cscript%3Ealert('xss')%3C%2Fscript%3E&classifier=%22%2F%3E1%3Cscript%3Ealert('xss')%3C%2Fscript%3E&type=%22%2F%3E1%3Cscript%3Ealert('xss')%3C%2Fscript%3E");
+ assertAddLegacyArtifactPathPage();
+ assertTextPresent( "Legacy path must only contain alphanumeric characters, forward-slashes(/), back-slashes(\\), underscores(_), dots(.), and dashes(-)." );
+ assertTextPresent( "Group id must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
+ assertTextPresent( "Artifact id must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
+ assertTextPresent( "Version must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
+ assertTextPresent( "Classifier must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
+ assertTextPresent( "Type must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
+ assertElementValue("//input[@id='addLegacyArtifactPath_legacyArtifactPath_path']", "\"/>1<script>alert('xss')</script>");
+ assertElementValue("//input[@id='addLegacyArtifactPath_artifactId']", "\"/>1<script>alert('xss')</script>");
+ assertElementValue("//input[@id='addLegacyArtifactPath_version']", "\"/>1<script>alert('xss')</script>");
+ assertElementValue("//input[@id='addLegacyArtifactPath_groupId']", "\"/>1<script>alert('xss')</script>");
+ assertElementValue("//input[@id='addLegacyArtifactPath_classifier']", "\"/>1<script>alert('xss')</script>");
+ assertElementValue("//input[@id='addLegacyArtifactPath_type']", "\"/>1<script>alert('xss')</script>");
+ }
+
+ public void testDeleteNetworkProxyImmunityToURLCrossSiteScripting()
+ {
+ getSelenium().open( "/archiva/admin/deleteNetworkProxy!confirm.action?proxyid=\"/>1<script>alert('xss')</script>");
+ assertTextPresent( "Security Alert - Invalid Token Found" );
+ assertTextPresent( "Possible CSRF attack detected! Invalid token found in the request." );
+ }
+
+ public void testDeleteNetworkProxyImmunityToEncodedURLCrossSiteScripting()
+ {
+ getSelenium().open( "/archiva/admin/deleteNetworkProxy!confirm.action?proxyid=%22%2F%3E1%3Cscript%3Ealert('xss')%3C%2Fscript%3E");
+ assertTextPresent( "Security Alert - Invalid Token Found" );
+ assertTextPresent( "Possible CSRF attack detected! Invalid token found in the request." );
+ }
+
+ public void testAddManagedRepositoryImmunityToInputFieldCrossSiteScripting()
+ {
+ goToRepositoriesPage();
+ getSelenium().open( "/archiva/admin/addRepository.action" );
+ addManagedRepository( "test\"><script>alert('xss')</script>", "test\"><script>alert('xss')</script>" , "test\"><script>alert('xss')</script>" , "test\"><script>alert('xss')</script>", "Maven 2.x Repository", "", "-1", "101" );
+ // xss inputs are blocked by validation.
+ assertTextPresent( "Identifier must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
+ assertTextPresent( "Directory must only contain alphanumeric characters, equals(=), question-marks(?), exclamation-points(!), ampersands(&), forward-slashes(/), back-slashes(\\), underscores(_), dots(.), colons(:), tildes(~), and dashes(-)." );
+ assertTextPresent( "Repository Name must only contain alphanumeric characters, white-spaces(' '), forward-slashes(/), open-parenthesis('('), close-parenthesis(')'), underscores(_), dots(.), and dashes(-)." );
+ assertTextPresent( "Index directory must only contain alphanumeric characters, equals(=), question-marks(?), exclamation-points(!), ampersands(&), forward-slashes(/), back-slashes(\\), underscores(_), dots(.), colons(:), tildes(~), and dashes(-)." );
+ assertTextPresent( "Repository Purge By Retention Count needs to be between 1 and 100.");
+ assertTextPresent( "Repository Purge By Days Older Than needs to be larger than 0.");
+ assertTextPresent( "Invalid cron expression." );
+ }
+
+ public void testEditAppearanceImmunityToInputFieldCrossSiteScripting()
+ {
+ goToAppearancePage();
+ clickLinkWithText( "Edit" );
+ addEditAppearance( "test<script>alert('xss')</script>" , "test<script>alert('xss')</script>" , "test<script>alert('xss')</script>" );
+ // xss inputs are blocked by validation.
+ assertTextPresent( "Organisation name must only contain alphanumeric characters, white-spaces(' '), equals(=), question-marks(?), exclamation-points(!), ampersands(&), forward-slashes(/), back-slashes(\\), underscores(_), dots(.), colons(:), tildes(~), and dashes(-)." );
+ assertTextPresent( "You must enter a URL" );
+ assertXpathCount("//span[@class='errorMessage' and text()='You must enter a URL']", 2);
+ }
+
+ public void testEditAppearanceImmunityToCrossSiteScriptingRendering()
+ {
+ goToAppearancePage();
+ clickLinkWithText( "Edit" );
+ addEditAppearance( "xss" , "http://\">test<script>alert(\"xss\")</script>" , "http://\">test<script>alert(\"xss\")</script>" );
+ // escaped html/url prevents cross-site scripting exploits
+ assertXpathCount("//td[text()=\"xss\"]", 1);
+ assertXpathCount("//code[text()='http://\">test<script>alert(\"xss\")</script>']", 2);
+ }
+
+ public void testAddLegacyArtifactPathImmunityToInputFieldCrossSiteScripting()
+ {
+ goToLegacySupportPage();
+ clickLinkWithText( "Add" );
+ addLegacyArtifactPath( "test<script>alert('xss')</script>" , "test<script>alert('xss')</script>" , "test<script>alert('xss')</script>" , "test<script>alert('xss')</script>" , "test<script>alert('xss')</script>" , "test<script>alert('xss')</script>");
+ // xss inputs are blocked by validation.
+ assertTextPresent( "Legacy path must only contain alphanumeric characters, forward-slashes(/), back-slashes(\\), underscores(_), dots(.), and dashes(-)." );
+ assertTextPresent( "Group id must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
+ assertTextPresent( "Artifact id must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
+ assertTextPresent( "Version must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
+ assertTextPresent( "Classifier must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
+ assertTextPresent( "Type must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
+ }
+
+ public void testAddNetworkProxyImmunityToInputFieldCrossSiteScripting()
+ {
+ goToNetworkProxiesPage();
+ addNetworkProxy( "test<script>alert('xss')</script>", "test<script>alert('xss')</script>", "test<script>alert('xss')</script>", "test<script>alert('xss')</script>", "test<script>alert('xss')</script>", "");
+ // xss inputs are blocked by validation.
+ assertTextPresent( "Proxy id must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-)." );
+ assertTextPresent( "Protocol must only contain alphanumeric characters, forward-slashes(/), back-slashes(\\), dots(.), colons(:), and dashes(-)." );
+ assertTextPresent( "Host must only contain alphanumeric characters, equals(=), question-marks(?), exclamation-points(!), ampersands(&), forward-slashes(/), back-slashes(\\), underscores(_), dots(.), colons(:), tildes(~), and dashes(-)." );
+ assertTextPresent( "Invalid field value for field \"proxy.port\"." );
+ assertTextPresent( "Username must only contain alphanumeric characters, at's(@), forward-slashes(/), back-slashes(\\), underscores(_), dots(.), and dashes(-)." );
+ }
+}
\ No newline at end of file
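Review bot: The two deleteNetworkProxy tests (testDeleteNetworkProxyImmunityToURLCrossSiteScripting and its encoded twin) assert only that the token interceptor rejected the request ("Possible CSRF attack detected!"), so they never observe how proxyid is rendered on the confirm page; a request that carries a valid token is not exercised, and the tests would pass whether or not proxyid is escaped. A comment above them should say what is actually covered, e.g. `// only verifies that the CSRF token interceptor blocks a forged confirm request; the escaping of proxyid on the confirm page is not exercised here`, or the test should go through the UI delete link so the token is valid. Separately, testEditAppearanceImmunityToCrossSiteScriptingRendering persists the payload as the organisation URL and logo and never restores them, so every later test in the suite renders a page header whose logo URL is that payload; restore the previous values at the end of the test (presumably via addEditAppearance) to keep the suite independent of ordering.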
Modified: archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp-test/src/test/testng/org/apache/archiva/web/test/parent/AbstractArchivaTest.java
URL: http://svn.apache.org/viewvc/archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp-test/src/test/testng/org/apache/archiva/web/test/parent/AbstractArchivaTest.java?rev=1098897&r1=1098896&r2=1098897&view=diff
==============================================================================
--- archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp-test/src/test/testng/org/apache/archiva/web/test/parent/AbstractArchivaTest.java (original)
+++ archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp-test/src/test/testng/org/apache/archiva/web/test/parent/AbstractArchivaTest.java Tue May 3 02:54:19 2011
@@ -552,6 +552,104 @@ public abstract class AbstractArchivaTes
clickButtonWithValue( "Add Repository" );
}
+ // artifact management
+ public void assertDeleteArtifactPage()
+ {
+ assertPage( "Apache Archiva \\ Delete Artifact" );
+ assertTextPresent( "Delete Artifact" );
+ assertTextPresent( "Group Id*:" );
+ assertTextPresent( "Artifact Id*:" );
+ assertTextPresent( "Version*:" );
+ assertTextPresent( "Repository Id:" );
+ assertElementPresent( "groupId" );
+ assertElementPresent( "artifactId" );
+ assertElementPresent( "version" );
+ assertElementPresent( "repositoryId" );
+ assertButtonWithValuePresent( "Submit" );
+ }
+
+ // network proxies
+ public void goToNetworkProxiesPage()
+ {
+ clickLinkWithText( "Network Proxies" );
+ assertNetworkProxiesPage();
+ }
+
+ public void assertNetworkProxiesPage()
+ {
+ assertPage( "Apache Archiva \\ Administration - Network Proxies" );
+ assertTextPresent( "Administration - Network Proxies" );
+ assertTextPresent( "Network Proxies" );
+ assertLinkPresent( "Add Network Proxy" );
+ }
+
+ public void addNetworkProxy( String identifier, String protocol, String hostname, String port, String username, String password )
+ {
+ //goToNetworkProxiesPage();
+ clickLinkWithText( "Add Network Proxy" );
+ assertAddNetworkProxy();
+ setFieldValue( "proxy.id" , identifier );
+ setFieldValue( "proxy.protocol" , protocol );
+ setFieldValue( "proxy.host" , hostname );
+ setFieldValue( "proxy.port" , port );
+ setFieldValue( "proxy.username" , username );
+ setFieldValue( "proxy.password" , password );
+ clickButtonWithValue( "Save Network Proxy" );
+ }
+
+ public void assertAddNetworkProxy()
+ {
+ assertPage( "Apache Archiva \\ Admin: Add Network Proxy" );
+ assertTextPresent( "Admin: Add Network Proxy" );
+ assertTextPresent( "Add network proxy:" );
+ assertTextPresent( "Identifier*:" );
+ assertTextPresent( "Protocol*:" );
+ assertTextPresent( "Hostname*:" );
+ assertTextPresent( "Port*:" );
+ assertTextPresent( "Username:" );
+ assertTextPresent( "Password:" );
+ assertButtonWithValuePresent( "Save Network Proxy" );
+ }
+
+ // Legacy Support
+ public void goToLegacySupportPage()
+ {
+ getSelenium().open( "/archiva/admin/legacyArtifactPath.action" );
+ assertLegacySupportPage();
+ }
+
+ public void assertLegacySupportPage()
+ {
+ assertPage( "Apache Archiva \\ Administration - Legacy Support" );
+ assertTextPresent( "Administration - Legacy Artifact Path Resolution" );
+ assertTextPresent( "Path Mappings" );
+ assertLinkPresent( "Add" );
+ }
+
+ public void addLegacyArtifactPath( String path, String groupId, String artifactId, String version, String classifier, String type)
+ {
+ assertAddLegacyArtifactPathPage();
+ setFieldValue( "legacyArtifactPath.path" , path );
+ setFieldValue( "groupId" , groupId );
+ setFieldValue( "artifactId" , artifactId );
+ setFieldValue( "version" , version );
+ setFieldValue( "classifier" , classifier );
+ setFieldValue( "type" , type );
+ clickButtonWithValue( "Add Legacy Artifact Path" );
+ }
+
+ public void assertAddLegacyArtifactPathPage()
+ {
+ assertPage( "Apache Archiva \\ Admin: Add Legacy Artifact Path" );
+ assertTextPresent( "Admin: Add Legacy Artifact Path" );
+ assertTextPresent( "Enter the legacy path to map to a particular artifact reference, then adjust the fields as necessary." );
+ String element = "addLegacyArtifactPath_legacyArtifactPath_path,addLegacyArtifactPath_groupId,addLegacyArtifactPath_artifactId,addLegacyArtifactPath_version,addLegacyArtifactPath_classifier,addLegacyArtifactPath_type";
+ String[] arrayElement = element.split( "," );
+ for ( String arrayelement : arrayElement )
+ assertElementPresent( arrayelement );
+ assertButtonWithValuePresent( "Add Legacy Artifact Path" );
+ }
+
protected void logout()
{
clickLinkWithText("Logout");
Modified: archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp-test/src/test/testng/org/apache/archiva/web/test/parent/AbstractArtifactManagementTest.java
URL: http://svn.apache.org/viewvc/archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp-test/src/test/testng/org/apache/archiva/web/test/parent/AbstractArtifactManagementTest.java?rev=1098897&r1=1098896&r2=1098897&view=diff
==============================================================================
--- archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp-test/src/test/testng/org/apache/archiva/web/test/parent/AbstractArtifactManagementTest.java (original)
+++ archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp-test/src/test/testng/org/apache/archiva/web/test/parent/AbstractArtifactManagementTest.java Tue May 3 02:54:19 2011
@@ -55,58 +55,4 @@ public abstract class AbstractArtifactMa
selectValue( "repositoryId" , repositoryId );
clickButtonWithValue( "Submit" ) ;
}
-
- public void assertDeleteArtifactPage()
- {
- assertPage( "Apache Archiva \\ Delete Artifact" );
- assertTextPresent( "Delete Artifact" );
- assertTextPresent( "Group Id*:" );
- assertTextPresent( "Artifact Id*:" );
- assertTextPresent( "Version*:" );
- assertTextPresent( "Repository Id:" );
- assertElementPresent( "groupId" );
- assertElementPresent( "artifactId" );
- assertElementPresent( "version" );
- assertElementPresent( "repositoryId" );
- assertButtonWithValuePresent( "Submit" );
- }
-
- // Legacy Support
- public void goToLegacySupportPage()
- {
- getSelenium().open( "/archiva/admin/legacyArtifactPath.action" );
- assertLegacySupportPage();
- }
-
- public void assertLegacySupportPage()
- {
- assertPage( "Apache Archiva \\ Administration - Legacy Support" );
- assertTextPresent( "Administration - Legacy Artifact Path Resolution" );
- assertTextPresent( "Path Mappings" );
- assertLinkPresent( "Add" );
- }
-
- public void addLegacyArtifactPath( String path, String groupId, String artifactId, String version, String classifier, String type)
- {
- assertAddLegacyArtifactPathPage();
- setFieldValue( "legacyArtifactPath.path" , path );
- setFieldValue( "groupId" , groupId );
- setFieldValue( "artifactId" , artifactId );
- setFieldValue( "version" , version );
- setFieldValue( "classifier" , classifier );
- setFieldValue( "type" , type );
- clickButtonWithValue( "Add Legacy Artifact Path" );
- }
-
- public void assertAddLegacyArtifactPathPage()
- {
- assertPage( "Apache Archiva \\ Admin: Add Legacy Artifact Path" );
- assertTextPresent( "Admin: Add Legacy Artifact Path" );
- assertTextPresent( "Enter the legacy path to map to a particular artifact reference, then adjust the fields as necessary." );
- String element = "addLegacyArtifactPath_legacyArtifactPath_path,addLegacyArtifactPath_groupId,addLegacyArtifactPath_artifactId,addLegacyArtifactPath_version,addLegacyArtifactPath_classifier,addLegacyArtifactPath_type";
- String[] arrayElement = element.split( "," );
- for ( String arrayelement : arrayElement )
- assertElementPresent( arrayelement );
- assertButtonWithValuePresent( "Add Legacy Artifact Path" );
- }
}
Modified: archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp-test/src/test/testng/org/apache/archiva/web/test/parent/AbstractRepositoryTest.java
URL: http://svn.apache.org/viewvc/archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp-test/src/test/testng/org/apache/archiva/web/test/parent/AbstractRepositoryTest.java?rev=1098897&r1=1098896&r2=1098897&view=diff
==============================================================================
--- archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp-test/src/test/testng/org/apache/archiva/web/test/parent/AbstractRepositoryTest.java (original)
+++ archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp-test/src/test/testng/org/apache/archiva/web/test/parent/AbstractRepositoryTest.java Tue May 3 02:54:19 2011
@@ -177,47 +177,6 @@ public abstract class AbstractRepository
///////////////////////////////
// network proxies
///////////////////////////////
- public void goToNetworkProxiesPage()
- {
- clickLinkWithText( "Network Proxies" );
- assertNetworkProxiesPage();
- }
-
- public void assertNetworkProxiesPage()
- {
- assertPage( "Apache Archiva \\ Administration - Network Proxies" );
- assertTextPresent( "Administration - Network Proxies" );
- assertTextPresent( "Network Proxies" );
- assertLinkPresent( "Add Network Proxy" );
- }
-
- public void assertAddNetworkProxy()
- {
- assertPage( "Apache Archiva \\ Admin: Add Network Proxy" );
- assertTextPresent( "Admin: Add Network Proxy" );
- assertTextPresent( "Add network proxy:" );
- assertTextPresent( "Identifier*:" );
- assertTextPresent( "Protocol*:" );
- assertTextPresent( "Hostname*:" );
- assertTextPresent( "Port*:" );
- assertTextPresent( "Username:" );
- assertTextPresent( "Password:" );
- assertButtonWithValuePresent( "Save Network Proxy" );
- }
-
- public void addNetworkProxy( String identifier, String protocol, String hostname, String port, String username, String password )
- {
- //goToNetworkProxiesPage();
- clickLinkWithText( "Add Network Proxy" );
- assertAddNetworkProxy();
- setFieldValue( "proxy.id" , identifier );
- setFieldValue( "proxy.protocol" , protocol );
- setFieldValue( "proxy.host" , hostname );
- setFieldValue( "proxy.port" , port );
- setFieldValue( "proxy.username" , username );
- setFieldValue( "proxy.password" , password );
- clickButtonWithValue( "Save Network Proxy" );
- }
public void editNetworkProxies( String fieldName, String value)
{
@@ -299,6 +258,21 @@ public abstract class AbstractRepository
//TODO
clickButtonWithValue( "Update Repository" );
}
+
+ public void editManagedRepository(String name, String directory, String indexDirectory, String type, String cron, String daysOlder, String retentionCount)
+ {
+ goToRepositoriesPage();
+ clickLinkWithXPath( "//div[@id='contentArea']/div/div[5]/div[1]/a[1]/img" );
+ assertPage( "Apache Archiva \\ Admin: Edit Managed Repository" );
+ setFieldValue( "repository.name" , name );
+ setFieldValue( "repository.location" , directory );
+ setFieldValue( "repository.indexDir" , indexDirectory );
+ selectValue( "repository.layout", type );
+ setFieldValue( "repository.refreshCronExpression" , cron );
+ setFieldValue( "repository.daysOlder" , daysOlder );
+ setFieldValue( "repository.retentionCount" , retentionCount );
+ clickButtonWithValue( "Update Repository" );
+ }
public void deleteManagedRepository()
{
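Review bot: The new seven-argument editManagedRepository locates the edit icon purely by position, `//div[@id='contentArea']/div/div[5]/div[1]/a[1]/img`, so it edits whichever repository happens to be rendered as the fifth block; that depends on the repositories created by earlier tests and on page layout, and a mismatch would silently edit a different repository rather than fail. Either document the assumption above the call, `// assumes the repository added by testAddManagedRepoForEdit is rendered fifth in the list; position-based, revisit if the layout changes`, or take the repository id as a parameter and build the XPath from it. Note also that the two-argument editManagedRepository(fieldName, value) already exists in this class (it is still called from testEditManagedRepo), so a Javadoc line distinguishing the two overloads would help readers.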
Modified: archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp-test/src/test/testng/org/apache/archiva/web/test/parent/AbstractSeleniumTest.java
URL: http://svn.apache.org/viewvc/archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp-test/src/test/testng/org/apache/archiva/web/test/parent/AbstractSeleniumTest.java?rev=1098897&r1=1098896&r2=1098897&view=diff
==============================================================================
--- archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp-test/src/test/testng/org/apache/archiva/web/test/parent/AbstractSeleniumTest.java (original)
+++ archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp-test/src/test/testng/org/apache/archiva/web/test/parent/AbstractSeleniumTest.java Tue May 3 02:54:19 2011
@@ -399,5 +399,14 @@ public abstract class AbstractSeleniumTe
{
Assert.assertFalse( getSelenium().isChecked( locator ) );
}
-
+
+ public void assertXpathCount(String locator, int expectedCount)
+ {
+ Assert.assertEquals( getSelenium().getXpathCount(locator).intValue(), expectedCount );
+ }
+
+ public void assertElementValue(String locator, String expectedValue)
+ {
+ Assert.assertEquals(getSelenium().getValue(locator), expectedValue);
+ }
}
Modified: archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/main/java/org/apache/maven/archiva/web/action/DeleteArtifactAction.java
URL: http://svn.apache.org/viewvc/archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/main/java/org/apache/maven/archiva/web/action/DeleteArtifactAction.java?rev=1098897&r1=1098896&r2=1098897&view=diff
==============================================================================
--- archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/main/java/org/apache/maven/archiva/web/action/DeleteArtifactAction.java (original)
+++ archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/main/java/org/apache/maven/archiva/web/action/DeleteArtifactAction.java Tue May 3 02:54:19 2011
@@ -60,6 +60,7 @@ import org.apache.maven.archiva.security
import com.opensymphony.xwork2.Preparable;
import com.opensymphony.xwork2.Validateable;
+import org.apache.commons.lang.StringUtils;
/**
* Delete an artifact. Metadata will be updated if one exists, otherwise it would be created.
@@ -381,6 +382,9 @@ public class DeleteArtifactAction
{
addActionError( e.getMessage() );
}
+
+ // trims all request parameter values, since the trailing/leading white-spaces are ignored during validation.
+ trimAllRequestParameterValues();
}
private List<String> getManagableRepos()
@@ -404,4 +408,27 @@ public class DeleteArtifactAction
}
return Collections.emptyList();
}
+
+ private void trimAllRequestParameterValues()
+ {
+ if(StringUtils.isNotEmpty(groupId))
+ {
+ groupId = groupId.trim();
+ }
+
+ if(StringUtils.isNotEmpty(artifactId))
+ {
+ artifactId = artifactId.trim();
+ }
+
+ if(StringUtils.isNotEmpty(version))
+ {
+ version = version.trim();
+ }
+
+ if(StringUtils.isNotEmpty(repositoryId))
+ {
+ repositoryId = repositoryId.trim();
+ }
+ }
}
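Review bot: `StringUtils.trim` is already null-safe (it returns null for a null input), so the four isNotEmpty guards in trimAllRequestParameterValues add nothing and the body can be `groupId = StringUtils.trim( groupId );` and likewise for artifactId, version and repositoryId; a whitespace-only value ends up as "" in both forms. The comment at the call site says the trim is done because validation ignores leading/trailing whitespace, which means the validator patterns (not visible in this hunk, presumably an XML validator) must deliberately accept surrounding whitespace; that coupling deserves a one-line comment on the helper so the two are not changed independently. The validate() method that calls this helper starts outside the hunk.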
Modified: archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/main/java/org/apache/maven/archiva/web/action/admin/appearance/EditOrganisationInfoAction.java
URL: http://svn.apache.org/viewvc/archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/main/java/org/apache/maven/archiva/web/action/admin/appearance/EditOrganisationInfoAction.java?rev=1098897&r1=1098896&r2=1098897&view=diff
==============================================================================
--- archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/main/java/org/apache/maven/archiva/web/action/admin/appearance/EditOrganisationInfoAction.java (original)
+++ archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/main/java/org/apache/maven/archiva/web/action/admin/appearance/EditOrganisationInfoAction.java Tue May 3 02:54:19 2011
@@ -19,6 +19,8 @@ package org.apache.maven.archiva.web.act
* under the License.
*/
+import com.opensymphony.xwork2.Validateable;
+import org.apache.commons.lang.StringUtils;
import org.apache.maven.archiva.configuration.Configuration;
import org.apache.maven.archiva.configuration.IndeterminateConfigurationException;
import org.apache.maven.archiva.configuration.OrganisationInformation;
@@ -38,7 +40,7 @@ import org.codehaus.redback.integration.
*/
public class EditOrganisationInfoAction
extends AbstractAppearanceAction
- implements SecureAction
+ implements SecureAction, Validateable
{
@Override
public String execute()
@@ -70,4 +72,28 @@ public class EditOrganisationInfoAction
bundle.addRequiredAuthorization( ArchivaRoleConstants.OPERATION_MANAGE_CONFIGURATION, Resource.GLOBAL );
return bundle;
}
+
+ public void validate()
+ {
+ // trim all unecessary trailing/leading white-spaces; always put this statement before the closing braces(after all validation).
+ trimAllRequestParameterValues();
+ }
+
+ private void trimAllRequestParameterValues()
+ {
+ if(StringUtils.isNotEmpty(super.getOrganisationName()))
+ {
+ super.setOrganisationName(super.getOrganisationName().trim());
+ }
+
+ if(StringUtils.isNotEmpty(super.getOrganisationUrl()))
+ {
+ super.setOrganisationUrl(super.getOrganisationUrl().trim());
+ }
+
+ if(StringUtils.isNotEmpty(super.getOrganisationLogo()))
+ {
+ super.setOrganisationLogo(super.getOrganisationLogo().trim());
+ }
+ }
}
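Review bot: organisationLogo is trimmed here but gains no validator in the EditOrganisationInfoAction-validation.xml hunk of this commit, which only adds a regex for organisationName (organisationUrl already has a url validator). Since the logo value is presumably emitted as an image source, it deserves the same `url` validator as organisationUrl so that only a well-formed URL is stored; the full validation file is outside this view, so confirm it is not already covered there. validate() itself only trims, so the inherited comment about placing the call "after all validation" is misleading in this class; `// no field-level checks in Java here; the regex/url validators run from the validation xml` describes it better.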
Modified: archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/main/java/org/apache/maven/archiva/web/action/admin/legacy/AddLegacyArtifactPathAction.java
URL: http://svn.apache.org/viewvc/archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/main/java/org/apache/maven/archiva/web/action/admin/legacy/AddLegacyArtifactPathAction.java?rev=1098897&r1=1098896&r2=1098897&view=diff
==============================================================================
--- archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/main/java/org/apache/maven/archiva/web/action/admin/legacy/AddLegacyArtifactPathAction.java (original)
+++ archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/main/java/org/apache/maven/archiva/web/action/admin/legacy/AddLegacyArtifactPathAction.java Tue May 3 02:54:19 2011
@@ -28,6 +28,8 @@ import org.apache.maven.archiva.reposito
import org.codehaus.plexus.registry.RegistryException;
import com.opensymphony.xwork2.Preparable;
+import com.opensymphony.xwork2.Validateable;
+import org.apache.commons.lang.StringUtils;
import org.apache.maven.archiva.web.action.PlexusActionSupport;
/**
@@ -38,7 +40,7 @@ import org.apache.maven.archiva.web.acti
*/
public class AddLegacyArtifactPathAction
extends PlexusActionSupport
- implements Preparable
+ implements Preparable, Validateable
{
/**
* @plexus.requirement
@@ -110,6 +112,12 @@ public class AddLegacyArtifactPathAction
this.legacyArtifactPath = legacyArtifactPath;
}
+ public void validate()
+ {
+ // trim all unecessary trailing/leading white-spaces; always put this statement before the closing braces(after all validation).
+ trimAllRequestParameterValues();
+ }
+
protected String saveConfiguration( Configuration configuration )
{
try
@@ -131,6 +139,39 @@ public class AddLegacyArtifactPathAction
return SUCCESS;
}
+ private void trimAllRequestParameterValues()
+ {
+ if(StringUtils.isNotEmpty(legacyArtifactPath.getPath()))
+ {
+ legacyArtifactPath.setPath(legacyArtifactPath.getPath().trim());
+ }
+
+ if(StringUtils.isNotEmpty(groupId))
+ {
+ groupId = groupId.trim();
+ }
+
+ if(StringUtils.isNotEmpty(artifactId))
+ {
+ artifactId = artifactId.trim();
+ }
+
+ if(StringUtils.isNotEmpty(version))
+ {
+ version = version.trim();
+ }
+
+ if(StringUtils.isNotEmpty(classifier))
+ {
+ classifier = classifier.trim();
+ }
+
+ if(StringUtils.isNotEmpty(type))
+ {
+ type = type.trim();
+ }
+ }
+
public String getGroupId()
{
return groupId;
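Review bot: The first block dereferences legacyArtifactPath without the null guard the scalar fields get, so a request that reaches validation before the bean is populated (prepare() and the setter's callers are outside this hunk) would end in a NullPointerException rather than a field error. Guard it: `if ( legacyArtifactPath != null && StringUtils.isNotEmpty( legacyArtifactPath.getPath() ) )`. The remaining five blocks follow the same pattern noted on DeleteArtifactAction's helper and collapse to `StringUtils.trim( ... )` in the same way.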
Modified: archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/main/java/org/apache/maven/archiva/web/action/admin/networkproxies/ConfigureNetworkProxyAction.java
URL: http://svn.apache.org/viewvc/archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/main/java/org/apache/maven/archiva/web/action/admin/networkproxies/ConfigureNetworkProxyAction.java?rev=1098897&r1=1098896&r2=1098897&view=diff
==============================================================================
--- archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/main/java/org/apache/maven/archiva/web/action/admin/networkproxies/ConfigureNetworkProxyAction.java (original)
+++ archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/main/java/org/apache/maven/archiva/web/action/admin/networkproxies/ConfigureNetworkProxyAction.java Tue May 3 02:54:19 2011
@@ -20,6 +20,7 @@ package org.apache.maven.archiva.web.act
*/
import com.opensymphony.xwork2.Preparable;
+import com.opensymphony.xwork2.Validateable;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.collections.functors.NotPredicate;
import org.apache.commons.lang.StringUtils;
@@ -44,7 +45,7 @@ import org.codehaus.redback.integration.
*/
public class ConfigureNetworkProxyAction
extends PlexusActionSupport
- implements SecureAction, Preparable
+ implements SecureAction, Preparable, Validateable
{
/**
* @plexus.requirement
@@ -169,6 +170,12 @@ public class ConfigureNetworkProxyAction
return saveConfiguration();
}
+ public void validate()
+ {
+ // trim all unecessary trailing/leading white-spaces; always put this statement before the closing braces(after all validation).
+ trimAllRequestParameterValues();
+ }
+
public void setMode( String mode )
{
this.mode = mode;
@@ -225,4 +232,32 @@ public class ConfigureNetworkProxyAction
return SUCCESS;
}
+
+ private void trimAllRequestParameterValues()
+ {
+ if(StringUtils.isNotEmpty(proxy.getId()))
+ {
+ proxy.setId(proxy.getId().trim());
+ }
+
+ if(StringUtils.isNotEmpty(proxy.getHost()))
+ {
+ proxy.setHost(proxy.getHost().trim());
+ }
+
+ if(StringUtils.isNotEmpty(proxy.getPassword()))
+ {
+ proxy.setPassword(proxy.getPassword().trim());
+ }
+
+ if(StringUtils.isNotEmpty(proxy.getProtocol()))
+ {
+ proxy.setProtocol(proxy.getProtocol().trim());
+ }
+
+ if(StringUtils.isNotEmpty(proxy.getUsername()))
+ {
+ proxy.setUsername(proxy.getUsername().trim());
+ }
+ }
}
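Review bot: Trimming proxy.getPassword() silently changes a credential: a password that legitimately begins or ends with a space would be stored altered, and the proxy authentication would then fail with no field error to explain why. The whitespace/XSS motivation for trimming does not apply to this field, which the commit does not show being rendered back into a page, so I would drop that block and trim only id, host, protocol and username. If the trim is kept deliberately, a comment stating that whitespace is intentionally stripped from the password is needed, since the behaviour is surprising. The proxy field itself is populated outside this hunk, so whether it can be null here is not visible.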
Modified: archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/main/java/org/apache/maven/archiva/web/action/admin/repositories/AddManagedRepositoryAction.java
URL: http://svn.apache.org/viewvc/archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/main/java/org/apache/maven/archiva/web/action/admin/repositories/AddManagedRepositoryAction.java?rev=1098897&r1=1098896&r2=1098897&view=diff
==============================================================================
--- archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/main/java/org/apache/maven/archiva/web/action/admin/repositories/AddManagedRepositoryAction.java (original)
+++ archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/main/java/org/apache/maven/archiva/web/action/admin/repositories/AddManagedRepositoryAction.java Tue May 3 02:54:19 2011
@@ -29,6 +29,7 @@ import org.codehaus.plexus.redback.role.
import org.codehaus.plexus.scheduler.CronExpressionValidator;
import java.io.File;
import java.io.IOException;
+import org.apache.commons.lang.StringUtils;
/**
* AddManagedRepositoryAction
@@ -135,6 +136,32 @@ public class AddManagedRepositoryAction
{
addFieldError( "repository.refreshCronExpression", "Invalid cron expression." );
}
+
+ // trim all unecessary trailing/leading white-spaces; always put this statement before the closing braces(after all validation).
+ trimAllRequestParameterValues();
+ }
+
+ private void trimAllRequestParameterValues()
+ {
+ if(StringUtils.isNotEmpty(repository.getId()))
+ {
+ repository.setId(repository.getId().trim());
+ }
+
+ if(StringUtils.isNotEmpty(repository.getName()))
+ {
+ repository.setName(repository.getName().trim());
+ }
+
+ if(StringUtils.isNotEmpty(repository.getLocation()))
+ {
+ repository.setLocation(repository.getLocation().trim());
+ }
+
+ if(StringUtils.isNotEmpty(repository.getIndexDir()))
+ {
+ repository.setIndexDir(repository.getIndexDir().trim());
+ }
}
public ManagedRepositoryConfiguration getRepository()
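Review bot: trimAllRequestParameterValues here is identical, field for field, to the one added to EditManagedRepositoryAction later in this commit; if both actions share the abstract managed-repository base that the added AbstractManagedRepositoryActionTest suggests, the helper belongs there as a single protected method so the two copies cannot drift. Note also that location and indexDir are filesystem paths and trimming is not validation: whether the commit constrains them is not visible here (the managed-repository validation xml is not in this view), and a short comment on the helper, `// trims only; any path checks for location/indexDir are applied elsewhere`, would make that division explicit.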
Modified: archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/main/java/org/apache/maven/archiva/web/action/admin/repositories/EditManagedRepositoryAction.java
URL: http://svn.apache.org/viewvc/archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/main/java/org/apache/maven/archiva/web/action/admin/repositories/EditManagedRepositoryAction.java?rev=1098897&r1=1098896&r2=1098897&view=diff
==============================================================================
--- archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/main/java/org/apache/maven/archiva/web/action/admin/repositories/EditManagedRepositoryAction.java (original)
+++ archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/main/java/org/apache/maven/archiva/web/action/admin/repositories/EditManagedRepositoryAction.java Tue May 3 02:54:19 2011
@@ -167,6 +167,8 @@ public class EditManagedRepositoryAction
{
addFieldError( "repository.refreshCronExpression", "Invalid cron expression." );
}
+
+ trimAllRequestParameterValues();
}
private void resetStatistics( boolean reset )
@@ -189,7 +191,30 @@ public class EditManagedRepositoryAction
repoContentStatsDao.deleteRepositoryContentStatistics( stats );
}
}
- }
+ }
+
+ private void trimAllRequestParameterValues()
+ {
+ if(StringUtils.isNotEmpty(repository.getId()))
+ {
+ repository.setId(repository.getId().trim());
+ }
+
+ if(StringUtils.isNotEmpty(repository.getName()))
+ {
+ repository.setName(repository.getName().trim());
+ }
+
+ if(StringUtils.isNotEmpty(repository.getLocation()))
+ {
+ repository.setLocation(repository.getLocation().trim());
+ }
+
+ if(StringUtils.isNotEmpty(repository.getIndexDir()))
+ {
+ repository.setIndexDir(repository.getIndexDir().trim());
+ }
+ }
public String getRepoid()
{
Modified: archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/main/resources/org/apache/maven/archiva/web/action/DeleteArtifactAction-validation.xml
URL: http://svn.apache.org/viewvc/archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/main/resources/org/apache/maven/archiva/web/action/DeleteArtifactAction-validation.xml?rev=1098897&r1=1098896&r2=1098897&view=diff
==============================================================================
--- archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/main/resources/org/apache/maven/archiva/web/action/DeleteArtifactAction-validation.xml (original)
+++ archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/main/resources/org/apache/maven/archiva/web/action/DeleteArtifactAction-validation.xml Tue May 3 02:54:19 2011
@@ -21,20 +21,40 @@
<!DOCTYPE validators PUBLIC "-//OpenSymphony Group//XWork Validator 1.0.2//EN"
"http://www.opensymphony.com/xwork/xwork-validator-1.0.2.dtd">
+<!-- validate temporarily-trimmed inputs, actual values are then carried over to the action class to be trimmed once more. -->
<validators>
<field name="groupId">
<field-validator type="requiredstring">
<message>You must enter a groupId.</message>
</field-validator>
+ <field-validator type="regex">
+ <param name="trim">true</param>
+ <param name="expression">^[a-zA-Z0-9._-]+$</param>
+ <message>Group id must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-).</message>
+ </field-validator>
</field>
<field name="artifactId">
<field-validator type="requiredstring">
<message>You must enter an artifactId.</message>
</field-validator>
+ <field-validator type="regex">
+ <param name="trim">true</param>
+ <param name="expression">^[a-zA-Z0-9._-]+$</param>
+ <message>Artifact id must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-).</message>
+ </field-validator>
</field>
+ <!-- version's validation is inside the validate() method of the action class -->
<field name="version">
<field-validator type="requiredstring">
<message>You must enter a version.</message>
</field-validator>
- </field>
+ </field>
+ <field name="repositoryId">
+ <!-- no requiredstring validation, because there was none before(being consistent). -->
+ <field-validator type="regex">
+ <param name="trim">true</param>
+ <param name="expression">^[a-zA-Z0-9._-]*$</param>
+ <message>Repository id must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-).</message>
+ </field-validator>
+ </field>
</validators>
\ No newline at end of file
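Review bot: version keeps only requiredstring here while the comment says its validation lives in the action's validate() method, whereas AddLegacyArtifactPathAction-validation.xml in this same commit gives version the `^[a-zA-Z0-9._-]+$` regex declaratively. Unless the Java check is deliberately looser (it is outside this view), adding the same regex validator here keeps the two forms consistent and makes the rule visible where the other fields' rules are. The leading comment also reads awkwardly; `<!-- the regex validators match against trimmed copies (trim=true); the action's validate() then trims the stored values themselves. -->` says the same thing more directly.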
Modified: archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/main/resources/org/apache/maven/archiva/web/action/admin/appearance/EditOrganisationInfoAction-validation.xml
URL: http://svn.apache.org/viewvc/archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/main/resources/org/apache/maven/archiva/web/action/admin/appearance/EditOrganisationInfoAction-validation.xml?rev=1098897&r1=1098896&r2=1098897&view=diff
==============================================================================
--- archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/main/resources/org/apache/maven/archiva/web/action/admin/appearance/EditOrganisationInfoAction-validation.xml (original)
+++ archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/main/resources/org/apache/maven/archiva/web/action/admin/appearance/EditOrganisationInfoAction-validation.xml Tue May 3 02:54:19 2011
@@ -26,6 +26,11 @@
<field-validator type="requiredstring">
<message>You must enter a name</message>
</field-validator>
+ <field-validator type="regex">
+ <param name="trim">true</param>
+ <param name="expression">^([-a-zA-Z0-9._/~:?!&=\\]|\s)+$</param>
+ <message>Organisation name must only contain alphanumeric characters, white-spaces(' '), equals(=), question-marks(?), exclamation-points(!), ampersands(&), forward-slashes(/), back-slashes(\), underscores(_), dots(.), colons(:), tildes(~), and dashes(-).</message>
+ </field-validator>
</field>
<field name="organisationUrl">
<field-validator type="url">
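Review bot: The bare `&` inside the expression param and again in the message (`ampersands(&)`) is not well-formed XML, since an ampersand in character data must begin an entity reference; XWork loads validation files with a standard DOM parser, which I would expect to reject this file, so the organisation form would fail at its first validation. Escape both occurrences: `<param name="expression">^([-a-zA-Z0-9._/~:?!&amp;=\\]|\s)+$</param>` and `ampersands(&amp;)`. Separately, `\s` admits line breaks, so an organisation name may span lines; `[ \t]` is the narrower choice if only horizontal whitespace is intended.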
Modified: archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/main/resources/org/apache/maven/archiva/web/action/admin/legacy/AddLegacyArtifactPathAction-validation.xml
URL: http://svn.apache.org/viewvc/archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/main/resources/org/apache/maven/archiva/web/action/admin/legacy/AddLegacyArtifactPathAction-validation.xml?rev=1098897&r1=1098896&r2=1098897&view=diff
==============================================================================
--- archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/main/resources/org/apache/maven/archiva/web/action/admin/legacy/AddLegacyArtifactPathAction-validation.xml (original)
+++ archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/main/resources/org/apache/maven/archiva/web/action/admin/legacy/AddLegacyArtifactPathAction-validation.xml Tue May 3 02:54:19 2011
@@ -21,30 +21,64 @@
<!DOCTYPE validators PUBLIC "-//OpenSymphony Group//XWork Validator 1.0.2//EN"
"http://www.opensymphony.com/xwork/xwork-validator-1.0.2.dtd">
+<!-- validate temporarily-trimmed inputs, actual values are then carried over to the action class to be trimmed once more. -->
<validators>
<field name="legacyArtifactPath.path">
<field-validator type="requiredstring">
<message>You must enter a legacy path.</message>
</field-validator>
+ <field-validator type="regex">
+ <param name="trim">true</param>
+ <param name="expression">^[-a-zA-Z0-9._/\\]+$</param>
+ <message>Legacy path must only contain alphanumeric characters, forward-slashes(/), back-slashes(\), underscores(_), dots(.), and dashes(-).</message>
+ </field-validator>
</field>
<field name="groupId">
<field-validator type="requiredstring">
<message>You must enter a groupId.</message>
</field-validator>
+ <field-validator type="regex">
+ <param name="trim">true</param>
+ <param name="expression">^[a-zA-Z0-9._-]+$</param>
+ <message>Group id must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-).</message>
+ </field-validator>
</field>
<field name="artifactId">
<field-validator type="requiredstring">
<message>You must enter an artifactId.</message>
</field-validator>
+ <field-validator type="regex">
+ <param name="trim">true</param>
+ <param name="expression">^[a-zA-Z0-9._-]+$</param>
+ <message>Artifact id must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-).</message>
+ </field-validator>
</field>
<field name="version">
<field-validator type="requiredstring">
<message>You must enter a version.</message>
</field-validator>
+ <field-validator type="regex">
+ <param name="trim">true</param>
+ <param name="expression">^[a-zA-Z0-9._-]+$</param>
+ <message>Version must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-).</message>
+ </field-validator>
+ </field>
+ <field name="classifier">
+ <!-- no requiredstring validation, because there was none before(being consistent). -->
+ <field-validator type="regex">
+ <param name="trim">true</param>
+ <param name="expression">^[a-zA-Z0-9._-]*$</param>
+ <message>Classifier must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-).</message>
+ </field-validator>
</field>
<field name="type">
<field-validator type="requiredstring">
<message>You must enter a type.</message>
</field-validator>
+ <field-validator type="regex">
+ <param name="trim">true</param>
+ <param name="expression">^[a-zA-Z0-9._-]+$</param>
+ <message>Type must only contain alphanumeric characters, underscores(_), dots(.), and dashes(-).</message>
+ </field-validator>
</field>
</validators>
\ No newline at end of file
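Review bot: The legacyArtifactPath.path regex `^[-a-zA-Z0-9._/\\]+$` admits `.` and `/` in any combination, so a value consisting of parent-directory segments passes this check; if the stored path is ever resolved against a repository directory (how it is consumed is outside this diff), a normalisation check that rejects `..` segments is still needed, and this regex should not be read as providing it. A comment beside the validator would prevent that misreading: `<!-- character whitelist only; does not reject parent-directory (..) segments -->`. The remaining fields mirror DeleteArtifactAction-validation.xml and read fine.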