Posted to commits@continuum.apache.org by ct...@apache.org on 2011/04/15 03:42:37 UTC
svn commit: r1092564 - in /continuum/trunk:
continuum-webapp-test/src/test/testng/org/apache/continuum/web/test/
continuum-webapp/src/main/java/org/apache/continuum/web/action/admin/
continuum-webapp/src/main/resources/org/apache/continuum/web/action/a...
Author: ctan
Date: Fri Apr 15 01:42:36 2011
New Revision: 1092564
URL: http://svn.apache.org/viewvc?rev=1092564&view=rev
Log:
[CONTINUUM-2620] more prevention of xss attacks
Added:
continuum/trunk/continuum-webapp/src/main/resources/org/apache/continuum/web/action/admin/BuildAgentAction-saveBuildAgentGroup-validation.xml
Modified:
continuum/trunk/continuum-webapp-test/src/test/testng/org/apache/continuum/web/test/BuildAgentsTest.java
continuum/trunk/continuum-webapp-test/src/test/testng/org/apache/continuum/web/test/BuildDefinitionTemplateTest.java
continuum/trunk/continuum-webapp-test/src/test/testng/org/apache/continuum/web/test/BuildEnvironmentTest.java
continuum/trunk/continuum-webapp-test/src/test/testng/org/apache/continuum/web/test/ConfigurationTest.java
continuum/trunk/continuum-webapp/src/main/java/org/apache/continuum/web/action/admin/BuildAgentAction.java
continuum/trunk/continuum-webapp/src/main/resources/org/apache/continuum/web/action/admin/BuildAgentAction.properties
Modified: continuum/trunk/continuum-webapp-test/src/test/testng/org/apache/continuum/web/test/BuildAgentsTest.java
URL: http://svn.apache.org/viewvc/continuum/trunk/continuum-webapp-test/src/test/testng/org/apache/continuum/web/test/BuildAgentsTest.java?rev=1092564&r1=1092563&r2=1092564&view=diff
==============================================================================
--- continuum/trunk/continuum-webapp-test/src/test/testng/org/apache/continuum/web/test/BuildAgentsTest.java (original)
+++ continuum/trunk/continuum-webapp-test/src/test/testng/org/apache/continuum/web/test/BuildAgentsTest.java Fri Apr 15 01:42:36 2011
@@ -71,6 +71,20 @@ public class BuildAgentsTest
}
}
+ public void testViewBuildAgentInstallationXSS()
+ {
+ getSelenium().open( baseUrl + "/security/viewBuildAgent.action?buildAgent.url=test%3Cscript%3Ealert%28%27xss%27%29%3C/script%3E" );
+ assertFalse( getSelenium().isAlertPresent() );
+ assertTextPresent( "<script>alert('xss')</script>" );
+ }
+
+ public void testEditBuildAgentXSS()
+ {
+ getSelenium().open( baseUrl + "/security/editBuildAgent.action?buildAgent.url=test<script>alert('xss')</script>" );
+ assertFalse( getSelenium().isAlertPresent() );
+ assertTextPresent( "test<script>alert('xss')</script>" );
+ }
+
@Test( dependsOnMethods = { "testEditBuildAgent" } )
public void testAddAnExistingBuildAgent()
{
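Review bot: Neither `testViewBuildAgentInstallationXSS` at L30 nor `testEditBuildAgentXSS` at L37 carries `@Test`, whereas the neighbouring method at L44 does; unless BuildAgentsTest is annotated at class level (not visible here), TestNG will not run them and the fix they guard stays unverified. The second test also puts a raw `<script>` in the query string at L39 while the first percent-encodes it at L32 — Selenium may encode it for you, but the two should use the same form so they exercise the same decoding path on the server. Add `@Test` to both methods. testAddAnExistingBuildAgent begins at the end of the hunk and continues outside it.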
@@ -190,6 +204,28 @@ public class BuildAgentsTest
//TESTS FOR BUILD AGENT GROUPS
+ public void testAddBuildAgentGroupXSS()
+ {
+ try
+ {
+ enableDistributedBuilds();
+ goToAddBuildAgentGroup();
+ addEditBuildAgentGroup( "%3Cscript%3Ealert%28%27xss%27%29%3C/script%3E", new String[]{}, new String[] {}, false );
+ assertTextPresent( "Build agent group name contains invalid characters" );
+ }
+ finally
+ {
+ disableDistributedBuilds();
+ }
+ }
+
+ public void testEditBuildAgentGroupXSS()
+ {
+ getSelenium().open( baseUrl + "/security/editBuildAgentGroup.action?buildAgentGroup.name=test%3Cscript%3Ealert%28%27xss%27%29%3C/script%3E" );
+ assertFalse( getSelenium().isAlertPresent() );
+ assertTextPresent( "test<script>alert('xss')</script>" );
+ }
+
@Test( dependsOnMethods = { "testAddBuildAgent", "testDeleteBuildAgent" } )
public void testAddBuildAgentGroup()
throws Exception
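Review bot: `testAddBuildAgentGroupXSS` at L55 types the percent-encoded string `%3Cscript%3E…` into the form through addEditBuildAgentGroup; a value typed into an input field is not URL-decoded by the browser, so the server receives the literal `%3C…` text, the new regex validator rejects it for the `%` characters, and `<`/`>` are never submitted — the test would pass even with no XSS handling at all. Use the literal payload `"<script>alert('xss')</script>"` as L86 and L122 do. Both new methods here also lack `@Test` (compare L71). testAddBuildAgentGroup at the hunk end continues outside it.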
Modified: continuum/trunk/continuum-webapp-test/src/test/testng/org/apache/continuum/web/test/BuildDefinitionTemplateTest.java
URL: http://svn.apache.org/viewvc/continuum/trunk/continuum-webapp-test/src/test/testng/org/apache/continuum/web/test/BuildDefinitionTemplateTest.java?rev=1092564&r1=1092563&r2=1092564&view=diff
==============================================================================
--- continuum/trunk/continuum-webapp-test/src/test/testng/org/apache/continuum/web/test/BuildDefinitionTemplateTest.java (original)
+++ continuum/trunk/continuum-webapp-test/src/test/testng/org/apache/continuum/web/test/BuildDefinitionTemplateTest.java Fri Apr 15 01:42:36 2011
@@ -47,6 +47,14 @@ public class BuildDefinitionTemplateTest
assertTextPresent( "Name is required" );
}
+ public void testAddTemplateWithXSS()
+ throws Exception
+ {
+ goToAddTemplate();
+ addEditTemplate( "Name <script>alert('gotcha')</script>", new String[] {}, new String[] {}, false );
+ assertTextPresent( "Name contains invalid characters" );
+ }
+
@Test( dependsOnMethods = { "testAddTemplate" } )
public void testEditTemplate()
throws Exception
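Review bot: `testAddTemplateWithXSS` at L82 has no `@Test` annotation while its neighbour at L90 does, so unless the class carries a class-level `@Test` TestNG will skip it and the regression guard never runs. The assertion also only checks that the validation message is shown, not that the rejected value was re-rendered inertly; adding `assertFalse( getSelenium().isAlertPresent() );` as the BuildAgentsTest methods do would cover the value echoed back into the form. The validator producing `Name contains invalid characters` is not part of this commit, so the test presumably relies on an existing rule. testEditTemplate at the end of the hunk continues outside it.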
@@ -91,6 +99,18 @@ public class BuildDefinitionTemplateTest
assertTextPresent( "Description is required" );
}
+ public void testAddBuildDefinitionTemplateWithXSS()
+ throws Exception
+ {
+ String invalidString = "<script>alert('gotcha')</script>";
+ goToAddBuildDefinitionTemplate();
+ addEditBuildDefinitionTemplate( invalidString, invalidString, invalidString, invalidString, true, true, true, false );
+ assertTextPresent( "BuildFile contains invalid characters" );
+ assertTextPresent( "Description contains invalid characters" );
+ assertTextPresent( "Goals contain invalid characters" );
+ assertTextPresent( "Arguments contain invalid characters" );
+ }
+
@Test( dependsOnMethods = { "testAddBuildDefinitionTemplate" } )
public void testEditBuildDefinitionTemplate()
throws Exception
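Review bot: As with the other tests added in this commit, `testAddBuildDefinitionTemplateWithXSS` at L96 is missing `@Test` (compare L108), so it will not execute under TestNG unless the class itself is annotated. Four messages are asserted for the four string arguments, which line up, but the test never checks that the payload echoed back into the re-rendered form did not execute — add `assertFalse( getSelenium().isAlertPresent() );` before the message assertions. testEditBuildDefinitionTemplate begins at the hunk end and continues beyond it.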
Modified: continuum/trunk/continuum-webapp-test/src/test/testng/org/apache/continuum/web/test/BuildEnvironmentTest.java
URL: http://svn.apache.org/viewvc/continuum/trunk/continuum-webapp-test/src/test/testng/org/apache/continuum/web/test/BuildEnvironmentTest.java?rev=1092564&r1=1092563&r2=1092564&view=diff
==============================================================================
--- continuum/trunk/continuum-webapp-test/src/test/testng/org/apache/continuum/web/test/BuildEnvironmentTest.java (original)
+++ continuum/trunk/continuum-webapp-test/src/test/testng/org/apache/continuum/web/test/BuildEnvironmentTest.java Fri Apr 15 01:42:36 2011
@@ -44,6 +44,13 @@ public class BuildEnvironmentTest
assertTextPresent( "You must define a name" );
}
+ public void testAddBuildEnvironmentWithXSS()
+ {
+ goToAddBuildEnvironment();
+ addBuildEnvironment( "<script>alert('gotcha')</script>", new String[] {}, false );
+ assertTextPresent( "Build environment name contains invalid characters." );
+ }
+
@Test( dependsOnMethods = { "testAddBuildEnvironment" } )
public void testEditInvalidBuildEnvironment()
{
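Review bot: `testAddBuildEnvironmentWithXSS` at L119 is not annotated `@Test`, unlike the method that follows at L126; TestNG will not discover it unless the class has a class-level `@Test`, which is not visible here. Add `@Test` and, for parity with the BuildAgentsTest checks, `assertFalse( getSelenium().isAlertPresent() );` after the form is submitted. testEditInvalidBuildEnvironment begins at the hunk end and continues outside it.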
Modified: continuum/trunk/continuum-webapp-test/src/test/testng/org/apache/continuum/web/test/ConfigurationTest.java
URL: http://svn.apache.org/viewvc/continuum/trunk/continuum-webapp-test/src/test/testng/org/apache/continuum/web/test/ConfigurationTest.java?rev=1092564&r1=1092563&r2=1092564&view=diff
==============================================================================
--- continuum/trunk/continuum-webapp-test/src/test/testng/org/apache/continuum/web/test/ConfigurationTest.java (original)
+++ continuum/trunk/continuum-webapp-test/src/test/testng/org/apache/continuum/web/test/ConfigurationTest.java Fri Apr 15 01:42:36 2011
@@ -84,4 +84,17 @@ public class ConfigurationTest
setMaxBuildQueue( 0 );
assertTextPresent( "Number of Allowed Builds in Parallel must be greater than zero" );
}
+
+ public void testSetConfigurationWithXSS()
+ {
+ String invalidString = "<script>alert('gotcha')</script>";
+ goToConfigurationPage();
+ submitConfiguration( invalidString, invalidString, invalidString, invalidString,
+ invalidString, invalidString, true, false );
+ assertTextPresent( "Working directory contains invalid characters." );
+ assertTextPresent( "Build output directory contains invalid characters." );
+ assertTextPresent( "Release output directory contains invalid characters." );
+ assertTextPresent( "Deployment repository directory contains invalid characters." );
+ assertTextPresent( "You must define a valid URL." );
+ }
}
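Review bot: `submitConfiguration` at L143 receives six copies of the payload but only five messages are asserted, so one injected field (which one depends on the helper's signature, which is not shown) has no check that it was rejected or escaped; either assert its message or keep the payload out of the unchecked argument. Like the other tests added in this commit, the method has no `@Test` annotation and will not run unless the class is annotated. `assertFalse( getSelenium().isAlertPresent() );` would additionally confirm nothing executed when the form re-renders.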
Modified: continuum/trunk/continuum-webapp/src/main/java/org/apache/continuum/web/action/admin/BuildAgentAction.java
URL: http://svn.apache.org/viewvc/continuum/trunk/continuum-webapp/src/main/java/org/apache/continuum/web/action/admin/BuildAgentAction.java?rev=1092564&r1=1092563&r2=1092564&view=diff
==============================================================================
--- continuum/trunk/continuum-webapp/src/main/java/org/apache/continuum/web/action/admin/BuildAgentAction.java (original)
+++ continuum/trunk/continuum-webapp/src/main/java/org/apache/continuum/web/action/admin/BuildAgentAction.java Fri Apr 15 01:42:36 2011
@@ -19,6 +19,7 @@ package org.apache.continuum.web.action.
* under the License.
*/
+import org.apache.commons.lang.StringEscapeUtils;
import org.apache.continuum.configuration.BuildAgentConfiguration;
import org.apache.continuum.configuration.BuildAgentGroupConfiguration;
import org.apache.continuum.web.util.AuditLog;
@@ -86,13 +87,14 @@ public class BuildAgentAction
{
if ( buildAgent != null && !StringUtils.isBlank( buildAgent.getUrl() ) )
{
- String buildAgentUrl = buildAgent.getUrl();
+ String escapedBuildAgentUrl = StringEscapeUtils.escapeXml( buildAgent.getUrl() );
+ buildAgent.setUrl( escapedBuildAgentUrl );
List<BuildAgentConfiguration> agents = getContinuum().getConfiguration().getBuildAgents();
for ( BuildAgentConfiguration agent : agents )
{
- if ( agent.getUrl().equals( buildAgentUrl ) )
+ if ( agent.getUrl().equals( escapedBuildAgentUrl ) )
{
buildAgent = agent;
type = "edit";
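Review bot: `StringEscapeUtils.escapeXml` at L169 is an output-encoding function applied to the input before the lookup at L175 and written back into the model via `setUrl`; an agent URL that legitimately contains `&` (a query string) becomes `&amp;`, and unless the save path applies the same transformation it will never match a stored agent and may be persisted in escaped form. The commit takes the better approach for `buildAgentGroup.name` by adding a whitelist validator; the equivalent here is a `url` field-validator on `buildAgent.url` in a `BuildAgentAction-input-validation.xml`, leaving encoding to the view. If the JSP already renders the value with an escaping tag, this action-side escape double-encodes it — the view is not in this diff, so confirm one or the other. input()'s body continues outside the hunk.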
@@ -130,16 +132,18 @@ public class BuildAgentAction
if ( buildAgent != null )
{
- String buildAgentUrl = buildAgent.getUrl();
+ String escapedBuildAgentUrl = StringEscapeUtils.escapeXml( buildAgent.getUrl() );
+ buildAgent.setUrl( escapedBuildAgentUrl );
+
for ( BuildAgentConfiguration agent : configuration.getBuildAgents() )
{
- if ( agent.getUrl().equals( buildAgentUrl ) )
+ if ( agent.getUrl().equals( escapedBuildAgentUrl ) )
{
buildAgent = agent;
try
{
- installations = getContinuum().getDistributedBuildManager().getAvailableInstallations( buildAgentUrl );
+ installations = getContinuum().getDistributedBuildManager().getAvailableInstallations( escapedBuildAgentUrl );
}
catch ( ContinuumException e )
{
@@ -205,6 +209,8 @@ public class BuildAgentAction
public String delete()
throws Exception
{
+ buildAgent.setUrl( StringEscapeUtils.escapeXml( buildAgent.getUrl() ) );
+
if ( !confirmed )
{
return CONFIRM;
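Review bot: `buildAgent.setUrl(...)` at L203 dereferences `buildAgent` unconditionally, whereas `input()` at L166 guards with `buildAgent != null`; a request to the delete action without the `buildAgent.url` parameter would now throw a NullPointerException before the `confirmed` check instead of reaching whatever not-found handling follows. Guard it: `if ( buildAgent != null ) { buildAgent.setUrl( StringEscapeUtils.escapeXml( buildAgent.getUrl() ) ); }`. `escapeXml( null )` itself returns null in commons-lang, so only the object reference is the concern; whether the framework always instantiates `buildAgent` is not visible here. delete()'s body continues outside the hunk.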
@@ -259,6 +265,8 @@ public class BuildAgentAction
public String deleteGroup()
throws Exception
{
+ buildAgentGroup.setName( StringEscapeUtils.escapeXml( buildAgentGroup.getName() ) );
+
if ( !confirmed )
{
return CONFIRM;
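Review bot: Same unguarded dereference as in delete(): `buildAgentGroup.setName(...)` at L212 runs before the `confirmed` check with no null test, although the group input path at L218 does check `buildAgentGroup != null`. Beyond the null guard, escaping the name before the (off-hunk) lookup means a group whose persisted name contains `&` or a quote — possible for groups saved before the new validator existed — will not be found and cannot be deleted through the UI, since the regex validator only constrains new saves. Consider escaping only the value that is echoed back rather than the one used for the lookup. deleteGroup()'s body continues outside the hunk.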
@@ -369,18 +377,19 @@ public class BuildAgentAction
if ( buildAgentGroup != null && !StringUtils.isBlank( buildAgentGroup.getName() ) )
{
- String buildAgentGroupName = buildAgentGroup.getName();
+ String escapedBuildAgentGroupName = StringEscapeUtils.escapeXml( buildAgentGroup.getName() );
+ buildAgentGroup.setName( escapedBuildAgentGroupName );
List<BuildAgentGroupConfiguration> agentGroups = configuration.getBuildAgentGroups();
for ( BuildAgentGroupConfiguration group : agentGroups )
{
- if ( group.getName().equals( buildAgentGroupName ) )
+ if ( group.getName().equals( escapedBuildAgentGroupName ) )
{
buildAgentGroup = group;
typeGroup = "edit";
- this.buildAgentGroup = configuration.getBuildAgentGroup( buildAgentGroupName );
+ this.buildAgentGroup = configuration.getBuildAgentGroup( escapedBuildAgentGroupName );
this.buildAgents = configuration.getBuildAgents();
this.selectedBuildAgentIds = new ArrayList<String>();
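Review bot: With the new saveBuildAgentGroup validator restricting names to `[A-Za-z0-9_.\s\-]*`, every name that can be saved from now on is unchanged by `escapeXml`, so the escape at L221 only has an effect for names that fail the lookup at L227 and are echoed back into the add form — that intent should be stated: `// Escape before echoing the value back into the form; names accepted by the saveBuildAgentGroup validator are unaffected.` If the JSP renders `buildAgentGroup.name` with an escaping tag this becomes double-encoding; the view is not in the diff, so confirm before relying on the action-side escape. The enclosing method continues past the hunk.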
Added: continuum/trunk/continuum-webapp/src/main/resources/org/apache/continuum/web/action/admin/BuildAgentAction-saveBuildAgentGroup-validation.xml
URL: http://svn.apache.org/viewvc/continuum/trunk/continuum-webapp/src/main/resources/org/apache/continuum/web/action/admin/BuildAgentAction-saveBuildAgentGroup-validation.xml?rev=1092564&view=auto
==============================================================================
--- continuum/trunk/continuum-webapp/src/main/resources/org/apache/continuum/web/action/admin/BuildAgentAction-saveBuildAgentGroup-validation.xml (added)
+++ continuum/trunk/continuum-webapp/src/main/resources/org/apache/continuum/web/action/admin/BuildAgentAction-saveBuildAgentGroup-validation.xml Fri Apr 15 01:42:36 2011
@@ -0,0 +1,34 @@
+<!--
+ ~ Licensed to the Apache Software Foundation (ASF) under one
+ ~ or more contributor license agreements. See the NOTICE file
+ ~ distributed with this work for additional information
+ ~ regarding copyright ownership. The ASF licenses this file
+ ~ to you under the Apache License, Version 2.0 (the
+ ~ "License"); you may not use this file except in compliance
+ ~ with the License. You may obtain a copy of the License at
+ ~
+ ~ http://www.apache.org/licenses/LICENSE-2.0
+ ~
+ ~ Unless required by applicable law or agreed to in writing,
+ ~ software distributed under the License is distributed on an
+ ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ ~ KIND, either express or implied. See the License for the
+ ~ specific language governing permissions and limitations
+ ~ under the License.
+ -->
+
+<!DOCTYPE validators PUBLIC
+ "-//OpenSymphony Group//XWork Validator 1.0.2//EN"
+ "http://www.opensymphony.com/xwork/xwork-validator-1.0.2.dtd">
+
+<validators>
+ <field name="buildAgentGroup.name">
+ <field-validator type="requiredstring">
+ <message key="buildAgentGroup.name.required"/>
+ </field-validator>
+ <field-validator type="regex">
+ <param name="expression"><![CDATA[[A-Za-z0-9_.\s\-]*]]></param>
+ <message key="buildAgentGroup.name.invalid"/>
+ </field-validator>
+ </field>
+</validators>
\ No newline at end of file
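Review bot: `\s` in the expression at L270 admits tab, carriage return and line feed, so a group name with an embedded newline passes validation; nothing visible here needs more than a plain space, so restrict it to `[A-Za-z0-9_. \-]*`. Because `requiredstring` is not marked `short-circuit="true"`, both validators run on an empty name; XWork's regex validator normally skips blank values so only the required message should appear, but that is worth confirming in the UI. The file is also missing its trailing newline.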
Modified: continuum/trunk/continuum-webapp/src/main/resources/org/apache/continuum/web/action/admin/BuildAgentAction.properties
URL: http://svn.apache.org/viewvc/continuum/trunk/continuum-webapp/src/main/resources/org/apache/continuum/web/action/admin/BuildAgentAction.properties?rev=1092564&r1=1092563&r2=1092564&view=diff
==============================================================================
--- continuum/trunk/continuum-webapp/src/main/resources/org/apache/continuum/web/action/admin/BuildAgentAction.properties (original)
+++ continuum/trunk/continuum-webapp/src/main/resources/org/apache/continuum/web/action/admin/BuildAgentAction.properties Fri Apr 15 01:42:36 2011
@@ -23,3 +23,5 @@ buildAgent.description.invalid = Build a
buildAgent.error.exist = Build agent already exists.
buildAgent.error.delete.busy = Cannot delete build agent because it's busy at the moment
buildAgent.error.notfound = Build agent does not exist.
+buildAgentGroup.name.required = Build agent group name is required.
+buildAgentGroup.name.invalid = Build agent group name contains invalid characters.
\ No newline at end of file