Posted to commits@continuum.apache.org by ct...@apache.org on 2011/04/14 05:33:23 UTC
svn commit: r1091993 - in /continuum/trunk:
continuum-webapp-test/src/test/testng/org/apache/continuum/web/test/
continuum-webapp/src/main/java/org/apache/continuum/web/action/
continuum-webapp/src/main/java/org/apache/continuum/web/action/admin/
conti...
Author: ctan
Date: Thu Apr 14 03:33:22 2011
New Revision: 1091993
URL: http://svn.apache.org/viewvc?rev=1091993&view=rev
Log:
[CONTINUUM-2620] added validation to prevent XSS attacks in build agent, local repository and purge configuration
Modified:
continuum/trunk/continuum-webapp-test/src/test/testng/org/apache/continuum/web/test/BuildAgentsTest.java
continuum/trunk/continuum-webapp-test/src/test/testng/org/apache/continuum/web/test/LocalRepositoriesTest.java
continuum/trunk/continuum-webapp-test/src/test/testng/org/apache/continuum/web/test/PurgeTest.java
continuum/trunk/continuum-webapp/src/main/java/org/apache/continuum/web/action/ScmResultAction.java
continuum/trunk/continuum-webapp/src/main/java/org/apache/continuum/web/action/ViewBuildsReportAction.java
continuum/trunk/continuum-webapp/src/main/java/org/apache/continuum/web/action/admin/BuildAgentAction.java
continuum/trunk/continuum-webapp/src/main/java/org/apache/continuum/web/action/admin/LocalRepositoryAction.java
continuum/trunk/continuum-webapp/src/main/resources/org/apache/continuum/web/action/admin/BuildAgentAction-saveBuildAgent-validation.xml
continuum/trunk/continuum-webapp/src/main/resources/org/apache/continuum/web/action/admin/BuildAgentAction.properties
continuum/trunk/continuum-webapp/src/main/resources/org/apache/continuum/web/action/admin/LocalRepositoryAction-saveRepository-validation.xml
continuum/trunk/continuum-webapp/src/main/resources/org/apache/continuum/web/action/admin/LocalRepositoryAction.properties
continuum/trunk/continuum-webapp/src/main/resources/org/apache/continuum/web/action/admin/PurgeConfigurationAction-savePurgeConfig-validation.xml
continuum/trunk/continuum-webapp/src/main/resources/org/apache/continuum/web/action/admin/PurgeConfigurationAction.properties
Modified: continuum/trunk/continuum-webapp-test/src/test/testng/org/apache/continuum/web/test/BuildAgentsTest.java
URL: http://svn.apache.org/viewvc/continuum/trunk/continuum-webapp-test/src/test/testng/org/apache/continuum/web/test/BuildAgentsTest.java?rev=1091993&r1=1091992&r2=1091993&view=diff
==============================================================================
--- continuum/trunk/continuum-webapp-test/src/test/testng/org/apache/continuum/web/test/BuildAgentsTest.java (original)
+++ continuum/trunk/continuum-webapp-test/src/test/testng/org/apache/continuum/web/test/BuildAgentsTest.java Thu Apr 14 03:33:22 2011
@@ -52,6 +52,25 @@ public class BuildAgentsTest
}
}
+ public void testAddBuildAgentWithXSS()
+ {
+ try
+ {
+ String invalidUrl = "http://sampleagent/<script>alert('gotcha')</script>";
+ String invalidDescription = "blah blah <script>alert('gotcha')</script> blah blah";
+ enableDistributedBuilds();
+ goToAddBuildAgent();
+ addBuildAgent( invalidUrl, invalidDescription, false, true, false );
+
+ assertTextPresent( "Build agent url is invalid." );
+ assertTextPresent( "Build agent description contains invalid characters." );
+ }
+ finally
+ {
+ disableDistributedBuilds();
+ }
+ }
+
@Test( dependsOnMethods = { "testEditBuildAgent" } )
public void testAddAnExistingBuildAgent()
{
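Review bot: testAddBuildAgentWithXSS is added without a `@Test` annotation, while its sibling `testAddAnExistingBuildAgent` two lines below carries `@Test( dependsOnMethods = ... )`; unless the class is annotated with `@Test` at type level (the class header is outside this hunk), TestNG will never run this method and the new validators are not exercised by the suite. The same omission applies to testAddLocalRepositoryWithXSS in LocalRepositoriesTest and to testAddRepositoryPurgeWithXSS and testAddDirectoryPurgeWithXSS in PurgeTest. Adding `@Test` (with a `dependsOnMethods` matching whatever setup the neighbouring tests rely on) fixes all four. The test also only asserts that the error text is shown; if the page objects allow it, asserting that no agent with the rejected URL was persisted would pin the behaviour the commit is actually after.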
Modified: continuum/trunk/continuum-webapp-test/src/test/testng/org/apache/continuum/web/test/LocalRepositoriesTest.java
URL: http://svn.apache.org/viewvc/continuum/trunk/continuum-webapp-test/src/test/testng/org/apache/continuum/web/test/LocalRepositoriesTest.java?rev=1091993&r1=1091992&r2=1091993&view=diff
==============================================================================
--- continuum/trunk/continuum-webapp-test/src/test/testng/org/apache/continuum/web/test/LocalRepositoriesTest.java (original)
+++ continuum/trunk/continuum-webapp-test/src/test/testng/org/apache/continuum/web/test/LocalRepositoriesTest.java Thu Apr 14 03:33:22 2011
@@ -46,6 +46,17 @@ public class LocalRepositoriesTest
assertTextPresent( "You must define a local repository directory." );
}
+ public void testAddLocalRepositoryWithXSS()
+ {
+ String invalidName = "Repo <script>alert('gotcha')</script> name";
+ String invalidLocation = "/Users/continuum/<script>alert('gotcha')</script>/dir";
+
+ goToAddLocalRepository();
+ addEditLocalRepository( invalidName, invalidLocation, false );
+ assertTextPresent( "Local repository name contains invalid characters." );
+ assertTextPresent( "Local repository location contains invalid characters." );
+ }
+
@Test( dependsOnMethods = { "testAddLocalRepository" } )
public void testAddDuplicatedLocalRepository()
{
Modified: continuum/trunk/continuum-webapp-test/src/test/testng/org/apache/continuum/web/test/PurgeTest.java
URL: http://svn.apache.org/viewvc/continuum/trunk/continuum-webapp-test/src/test/testng/org/apache/continuum/web/test/PurgeTest.java?rev=1091993&r1=1091992&r2=1091993&view=diff
==============================================================================
--- continuum/trunk/continuum-webapp-test/src/test/testng/org/apache/continuum/web/test/PurgeTest.java (original)
+++ continuum/trunk/continuum-webapp-test/src/test/testng/org/apache/continuum/web/test/PurgeTest.java Thu Apr 14 03:33:22 2011
@@ -47,6 +47,14 @@ public class PurgeTest
assertTextPresent( "Retention Count must be greater than 0." );
}
+ public void testAddRepositoryPurgeWithXSS()
+ {
+ String invalidDescription = "blah blah <script>alert('gotcha')</script>";
+ goToAddRepositoryPurge();
+ addEditRepositoryPurge( "1", "1", invalidDescription, false );
+ assertTextPresent( "Description contains invalid characters." );
+ }
+
@Test( dependsOnMethods = { "testAddRepositoryPurge" } )
public void testEditRepositoryPurge()
{
@@ -86,6 +94,14 @@ public class PurgeTest
assertTextPresent( "Retention Count must be greater than 0." );
}
+ public void testAddDirectoryPurgeWithXSS()
+ {
+ String invalidDescription = "blah blah <script>alert('gotcha')</script>";
+ goToAddDirectoryPurge();
+ addEditDirectoryPurge( "1", "1", invalidDescription, false );
+ assertTextPresent( "Description contains invalid characters." );
+ }
+
@Test( dependsOnMethods = { "testAddDirectoryPurge" } )
public void testEditDirectoryPurge()
{
Modified: continuum/trunk/continuum-webapp/src/main/java/org/apache/continuum/web/action/ScmResultAction.java
URL: http://svn.apache.org/viewvc/continuum/trunk/continuum-webapp/src/main/java/org/apache/continuum/web/action/ScmResultAction.java?rev=1091993&r1=1091992&r2=1091993&view=diff
==============================================================================
--- continuum/trunk/continuum-webapp/src/main/java/org/apache/continuum/web/action/ScmResultAction.java (original)
+++ continuum/trunk/continuum-webapp/src/main/java/org/apache/continuum/web/action/ScmResultAction.java Thu Apr 14 03:33:22 2011
@@ -5,7 +5,6 @@ import org.apache.maven.continuum.Contin
import org.apache.maven.continuum.web.action.ContinuumActionSupport;
import org.apache.maven.continuum.web.exception.AuthorizationRequiredException;
import org.apache.maven.continuum.web.util.StateGenerator;
-import org.codehaus.plexus.util.StringUtils;
import org.apache.struts2.ServletActionContext;
@@ -78,11 +77,8 @@ public class ScmResultAction
public String getProjectGroupName()
throws ContinuumException
{
- if ( StringUtils.isEmpty( projectGroupName ) )
- {
- projectGroupName = getContinuum().getProjectGroup( getProjectGroupId() ).getName();
- }
-
+ projectGroupName = getContinuum().getProjectGroup( getProjectGroupId() ).getName();
+
return projectGroupName;
}
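Review bot: getProjectGroupName now always re-resolves the name from the stored project group instead of returning a non-empty `projectGroupName` as-is, which means a value placed in that field from outside the action (for example by a request parameter, if a setter exists — not visible here) can no longer be reflected into the page; that is the security-relevant part of this hunk and the commit message does not mention it, so it deserves a comment such as `// Always resolve from the persisted project group; never echo a caller-supplied name.` Within this method the field is now write-only, so unless something else reads `projectGroupName` the assignment could be dropped and the lookup result returned directly.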
Modified: continuum/trunk/continuum-webapp/src/main/java/org/apache/continuum/web/action/ViewBuildsReportAction.java
URL: http://svn.apache.org/viewvc/continuum/trunk/continuum-webapp/src/main/java/org/apache/continuum/web/action/ViewBuildsReportAction.java?rev=1091993&r1=1091992&r2=1091993&view=diff
==============================================================================
--- continuum/trunk/continuum-webapp/src/main/java/org/apache/continuum/web/action/ViewBuildsReportAction.java (original)
+++ continuum/trunk/continuum-webapp/src/main/java/org/apache/continuum/web/action/ViewBuildsReportAction.java Thu Apr 14 03:33:22 2011
@@ -25,7 +25,6 @@ import java.io.InputStream;
import java.io.StringReader;
import java.text.ParseException;
import java.util.ArrayList;
-import java.util.Calendar;
import java.util.Collections;
import java.util.Date;
import java.util.LinkedHashMap;
Modified: continuum/trunk/continuum-webapp/src/main/java/org/apache/continuum/web/action/admin/BuildAgentAction.java
URL: http://svn.apache.org/viewvc/continuum/trunk/continuum-webapp/src/main/java/org/apache/continuum/web/action/admin/BuildAgentAction.java?rev=1091993&r1=1091992&r2=1091993&view=diff
==============================================================================
--- continuum/trunk/continuum-webapp/src/main/java/org/apache/continuum/web/action/admin/BuildAgentAction.java (original)
+++ continuum/trunk/continuum-webapp/src/main/java/org/apache/continuum/web/action/admin/BuildAgentAction.java Thu Apr 14 03:33:22 2011
@@ -21,7 +21,6 @@ package org.apache.continuum.web.action.
import org.apache.continuum.configuration.BuildAgentConfiguration;
import org.apache.continuum.configuration.BuildAgentGroupConfiguration;
-import org.apache.continuum.builder.distributed.manager.DistributedBuildManager;
import org.apache.continuum.web.util.AuditLog;
import org.apache.continuum.web.util.AuditLogConstants;
import org.apache.maven.continuum.ContinuumException;
@@ -41,7 +40,6 @@ import org.slf4j.LoggerFactory;
import java.util.ArrayList;
import java.util.Collections;
-import java.util.Iterator;
import java.util.List;
/**
@@ -88,11 +86,13 @@ public class BuildAgentAction
{
if ( buildAgent != null && !StringUtils.isBlank( buildAgent.getUrl() ) )
{
+ String buildAgentUrl = buildAgent.getUrl();
+
List<BuildAgentConfiguration> agents = getContinuum().getConfiguration().getBuildAgents();
for ( BuildAgentConfiguration agent : agents )
{
- if ( agent.getUrl().equals( buildAgent.getUrl() ) )
+ if ( agent.getUrl().equals( buildAgentUrl ) )
{
buildAgent = agent;
type = "edit";
@@ -128,22 +128,26 @@ public class BuildAgentAction
{
ConfigurationService configuration = getContinuum().getConfiguration();
- for ( BuildAgentConfiguration agent : configuration.getBuildAgents() )
+ if ( buildAgent != null )
{
- if ( agent.getUrl().equals( buildAgent.getUrl() ) )
+ String buildAgentUrl = buildAgent.getUrl();
+ for ( BuildAgentConfiguration agent : configuration.getBuildAgents() )
{
- buildAgent = agent;
-
- try
+ if ( agent.getUrl().equals( buildAgentUrl ) )
{
- installations = getContinuum().getDistributedBuildManager().getAvailableInstallations( buildAgent.getUrl() );
- }
- catch ( ContinuumException e )
- {
- logger.error( "Unable to retrieve installations of build agent '" + agent.getUrl() + "'", e );
+ buildAgent = agent;
+
+ try
+ {
+ installations = getContinuum().getDistributedBuildManager().getAvailableInstallations( buildAgentUrl );
+ }
+ catch ( ContinuumException e )
+ {
+ logger.error( "Unable to retrieve installations of build agent '" + agent.getUrl() + "'", e );
+ }
+
+ break;
}
-
- break;
}
}
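Review bot: The new guard `if ( buildAgent != null )` is weaker than the one the edit path uses in the previous hunk (`buildAgent != null && !StringUtils.isBlank( buildAgent.getUrl() )`); with a non-null agent whose URL is blank this loop still runs and compares `""` against every configured agent, and in both hunks a configured agent with a null URL would throw a NullPointerException from `agent.getUrl().equals( ... )`. Aligning the guard to `if ( buildAgent != null && !StringUtils.isBlank( buildAgent.getUrl() ) )` removes the first issue. The method's start and end are outside the hunk, so what `installations` holds when the guard fails or when getAvailableInstallations throws is not visible; a one-line comment on the fallback state would help the next reader.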
@@ -161,7 +165,7 @@ public class BuildAgentAction
{
for ( BuildAgentConfiguration agent : configuration.getBuildAgents() )
{
- if ( buildAgent.getUrl().equals( agent.getUrl() ) )
+ if ( agent.getUrl().equals( buildAgent.getUrl() ) )
{
agent.setDescription( buildAgent.getDescription() );
agent.setEnabled( buildAgent.isEnabled() );
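Review bot: Swapping the operands to `agent.getUrl().equals( buildAgent.getUrl() )` only moves the possible NullPointerException from a null submitted URL to a null stored URL; neither form is null-safe. Since StringUtils is already in scope in this file, `if ( StringUtils.equals( agent.getUrl(), buildAgent.getUrl() ) )` handles both sides (assuming the imported StringUtils provides the null-safe two-argument equals, which both plexus-utils and commons-lang do). The enclosing method continues outside the hunk.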
@@ -365,16 +369,18 @@ public class BuildAgentAction
if ( buildAgentGroup != null && !StringUtils.isBlank( buildAgentGroup.getName() ) )
{
+ String buildAgentGroupName = buildAgentGroup.getName();
+
List<BuildAgentGroupConfiguration> agentGroups = configuration.getBuildAgentGroups();
for ( BuildAgentGroupConfiguration group : agentGroups )
{
- if ( buildAgentGroup.getName().equals( group.getName() ) )
+ if ( group.getName().equals( buildAgentGroupName ) )
{
buildAgentGroup = group;
typeGroup = "edit";
- this.buildAgentGroup = configuration.getBuildAgentGroup( buildAgentGroup.getName() );
+ this.buildAgentGroup = configuration.getBuildAgentGroup( buildAgentGroupName );
this.buildAgents = configuration.getBuildAgents();
this.selectedBuildAgentIds = new ArrayList<String>();
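Review bot: `buildAgentGroup = group;` is immediately followed by `this.buildAgentGroup = configuration.getBuildAgentGroup( buildAgentGroupName );`; if `buildAgentGroup` is the same field the first assignment is dead, and if it is a local or parameter shadowing the field the mixed use of `this.` is confusing. Either drop the first assignment or add a comment saying which one is meant to survive. The loop body and the method both continue outside the hunk.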
Modified: continuum/trunk/continuum-webapp/src/main/java/org/apache/continuum/web/action/admin/LocalRepositoryAction.java
URL: http://svn.apache.org/viewvc/continuum/trunk/continuum-webapp/src/main/java/org/apache/continuum/web/action/admin/LocalRepositoryAction.java?rev=1091993&r1=1091992&r2=1091993&view=diff
==============================================================================
--- continuum/trunk/continuum-webapp/src/main/java/org/apache/continuum/web/action/admin/LocalRepositoryAction.java (original)
+++ continuum/trunk/continuum-webapp/src/main/java/org/apache/continuum/web/action/admin/LocalRepositoryAction.java Thu Apr 14 03:33:22 2011
@@ -35,7 +35,6 @@ import org.apache.continuum.web.util.Aud
import org.apache.maven.continuum.model.project.ProjectGroup;
import org.apache.maven.continuum.security.ContinuumRoleConstants;
import org.apache.maven.continuum.web.action.ContinuumConfirmAction;
-import org.apache.struts2.ServletActionContext;
import org.codehaus.plexus.redback.rbac.Resource;
import org.codehaus.redback.integration.interceptor.SecureAction;
import org.codehaus.redback.integration.interceptor.SecureActionBundle;
Modified: continuum/trunk/continuum-webapp/src/main/resources/org/apache/continuum/web/action/admin/BuildAgentAction-saveBuildAgent-validation.xml
URL: http://svn.apache.org/viewvc/continuum/trunk/continuum-webapp/src/main/resources/org/apache/continuum/web/action/admin/BuildAgentAction-saveBuildAgent-validation.xml?rev=1091993&r1=1091992&r2=1091993&view=diff
==============================================================================
--- continuum/trunk/continuum-webapp/src/main/resources/org/apache/continuum/web/action/admin/BuildAgentAction-saveBuildAgent-validation.xml (original)
+++ continuum/trunk/continuum-webapp/src/main/resources/org/apache/continuum/web/action/admin/BuildAgentAction-saveBuildAgent-validation.xml Thu Apr 14 03:33:22 2011
@@ -26,5 +26,15 @@
<field-validator type="requiredstring">
<message key="buildAgent.url.required"/>
</field-validator>
+ <field-validator type="regex">
+ <param name="expression"><![CDATA[[A-Za-z0-9_.@:/-]*]]></param>
+ <message key="buildAgent.url.invalid"/>
+ </field-validator>
+ </field>
+ <field name="buildAgent.description">
+ <field-validator type="regex">
+ <param name="expression"><![CDATA[[A-Za-z0-9_.\s-]*]]></param>
+ <message key="buildAgent.description.invalid"/>
+ </field-validator>
</field>
</validators>
\ No newline at end of file
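Review bot: The URL allowlist `[A-Za-z0-9_.@:/-]*` keeps `<`, `>`, `"` and `'` out of the stored value, but it only runs for the `saveBuildAgent` alias; agent entries that reach the configuration by any other route are not covered, and the view still has to encode on output, so this should be documented as defence in depth rather than the fix. The allowlist also rejects `?`, `=`, `&`, `%`, `~` and `+`, so an existing agent URL with a query string or percent-encoding will fail validation the next time it is edited — worth a comment in the XML stating that this is intended, e.g. `<!-- allowlist only; URLs with query strings or percent-encoding are deliberately rejected -->`. Because the Struts regex validator matches the whole value, the trailing `*` is correct and the empty string is left to the requiredstring validator above it.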
Modified: continuum/trunk/continuum-webapp/src/main/resources/org/apache/continuum/web/action/admin/BuildAgentAction.properties
URL: http://svn.apache.org/viewvc/continuum/trunk/continuum-webapp/src/main/resources/org/apache/continuum/web/action/admin/BuildAgentAction.properties?rev=1091993&r1=1091992&r2=1091993&view=diff
==============================================================================
--- continuum/trunk/continuum-webapp/src/main/resources/org/apache/continuum/web/action/admin/BuildAgentAction.properties (original)
+++ continuum/trunk/continuum-webapp/src/main/resources/org/apache/continuum/web/action/admin/BuildAgentAction.properties Thu Apr 14 03:33:22 2011
@@ -18,6 +18,8 @@
#
buildAgent.url.required = Build agent url is required.
+buildAgent.url.invalid = Build agent url is invalid.
+buildAgent.description.invalid = Build agent description contains invalid characters.
buildAgent.error.exist = Build agent already exists.
buildAgent.error.delete.busy = Cannot delete build agent because it's busy at the moment
buildAgent.error.notfound = Build agent does not exist.
Modified: continuum/trunk/continuum-webapp/src/main/resources/org/apache/continuum/web/action/admin/LocalRepositoryAction-saveRepository-validation.xml
URL: http://svn.apache.org/viewvc/continuum/trunk/continuum-webapp/src/main/resources/org/apache/continuum/web/action/admin/LocalRepositoryAction-saveRepository-validation.xml?rev=1091993&r1=1091992&r2=1091993&view=diff
==============================================================================
--- continuum/trunk/continuum-webapp/src/main/resources/org/apache/continuum/web/action/admin/LocalRepositoryAction-saveRepository-validation.xml (original)
+++ continuum/trunk/continuum-webapp/src/main/resources/org/apache/continuum/web/action/admin/LocalRepositoryAction-saveRepository-validation.xml Thu Apr 14 03:33:22 2011
@@ -26,10 +26,18 @@
<field-validator type="requiredstring">
<message key="repository.name.required"/>
</field-validator>
+ <field-validator type="regex">
+ <param name="expression"><![CDATA[[A-Za-z0-9_.\s-]*]]></param>
+ <message key="repository.name.invalid"/>
+ </field-validator>
</field>
<field name="repository.location">
<field-validator type="requiredstring">
<message key="repository.location.required"/>
</field-validator>
+ <field-validator type="regex">
+ <param name="expression"><![CDATA[[A-Za-z0-9_.:\\/\s-]*]]></param>
+ <message key="repository.location.invalid"/>
+ </field-validator>
</field>
</validators>
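Review bot: The location regex `[A-Za-z0-9_.:\\/\s-]*` permits `.`, `/` and `\`, so `..` segments and absolute paths pass; this validator addresses markup characters only and must not be read as protection for the directory the server later uses as a repository. If the action creates, lists or purges that directory, a canonicalisation and containment check belongs in the action itself (not visible in this commit). A comment on the validator such as `<!-- rejects markup only; not a path-safety check -->` would prevent that misreading. Note also that `\s` matches tabs and line breaks, which `trim` only strips at the ends; if a plain space is all that is wanted, ` ` instead of `\s` is tighter.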
Modified: continuum/trunk/continuum-webapp/src/main/resources/org/apache/continuum/web/action/admin/LocalRepositoryAction.properties
URL: http://svn.apache.org/viewvc/continuum/trunk/continuum-webapp/src/main/resources/org/apache/continuum/web/action/admin/LocalRepositoryAction.properties?rev=1091993&r1=1091992&r2=1091993&view=diff
==============================================================================
--- continuum/trunk/continuum-webapp/src/main/resources/org/apache/continuum/web/action/admin/LocalRepositoryAction.properties (original)
+++ continuum/trunk/continuum-webapp/src/main/resources/org/apache/continuum/web/action/admin/LocalRepositoryAction.properties Thu Apr 14 03:33:22 2011
@@ -18,4 +18,6 @@
#
repository.name.required = You must define a name.
+repository.name.invalid = Local repository name contains invalid characters.
repository.location.required = You must define a local repository directory.
+repository.location.invalid = Local repository location contains invalid characters.
\ No newline at end of file
Modified: continuum/trunk/continuum-webapp/src/main/resources/org/apache/continuum/web/action/admin/PurgeConfigurationAction-savePurgeConfig-validation.xml
URL: http://svn.apache.org/viewvc/continuum/trunk/continuum-webapp/src/main/resources/org/apache/continuum/web/action/admin/PurgeConfigurationAction-savePurgeConfig-validation.xml?rev=1091993&r1=1091992&r2=1091993&view=diff
==============================================================================
--- continuum/trunk/continuum-webapp/src/main/resources/org/apache/continuum/web/action/admin/PurgeConfigurationAction-savePurgeConfig-validation.xml (original)
+++ continuum/trunk/continuum-webapp/src/main/resources/org/apache/continuum/web/action/admin/PurgeConfigurationAction-savePurgeConfig-validation.xml Thu Apr 14 03:33:22 2011
@@ -34,4 +34,10 @@
<message key="purgeConfig.retentionCount.min"/>
</field-validator>
</field>
+ <field name="description">
+ <field-validator type="regex">
+ <param name="expression"><![CDATA[[A-Za-z0-9_.\s-]*]]></param>
+ <message key="purgeConfig.description.invalid"/>
+ </field-validator>
+ </field>
</validators>
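Review bot: The description allowlist `[A-Za-z0-9_.\s-]*` rejects ordinary punctuation such as `,`, `'`, `(` and `)`, so a free-text description written in plain English will fail with "Description contains invalid characters"; the same regex is used for the build agent description and the repository name. For a free-text field, encoding at render time is the control that actually prevents script injection, and the allowlist here should be either widened to common punctuation or documented as an intentional restriction so it is not loosened later without thought, e.g. `<!-- deliberately narrow: this field is rendered in admin pages and logs -->` (adjust to what the field is actually used for).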
Modified: continuum/trunk/continuum-webapp/src/main/resources/org/apache/continuum/web/action/admin/PurgeConfigurationAction.properties
URL: http://svn.apache.org/viewvc/continuum/trunk/continuum-webapp/src/main/resources/org/apache/continuum/web/action/admin/PurgeConfigurationAction.properties?rev=1091993&r1=1091992&r2=1091993&view=diff
==============================================================================
--- continuum/trunk/continuum-webapp/src/main/resources/org/apache/continuum/web/action/admin/PurgeConfigurationAction.properties (original)
+++ continuum/trunk/continuum-webapp/src/main/resources/org/apache/continuum/web/action/admin/PurgeConfigurationAction.properties Thu Apr 14 03:33:22 2011
@@ -18,4 +18,5 @@
#
purgeConfig.daysOlder.min = Days Older must be a positive number.
-purgeConfig.retentionCount.min = Retention Count must be greater than 0.
\ No newline at end of file
+purgeConfig.retentionCount.min = Retention Count must be greater than 0.
+purgeConfig.description.invalid = Description contains invalid characters.
\ No newline at end of file