From b5010f9f54ae2d32cf1c86e7b7129aa2d6633053 Mon Sep 17 00:00:00 2001
From: James Moger <james.moger@gitblit.com>
Date: Tue, 04 Nov 2014 17:12:00 -0500
Subject: [PATCH] Whitelist the "target" link attribute in the XSS filter

---
 src/main/java/com/gitblit/servlet/GitblitContext.java |  154 +++++++++++++++++++++++++++++++++++++++------------
 1 files changed, 117 insertions(+), 37 deletions(-)

diff --git a/src/main/java/com/gitblit/servlet/GitblitContext.java b/src/main/java/com/gitblit/servlet/GitblitContext.java
index b865750..04a7d92 100644
--- a/src/main/java/com/gitblit/servlet/GitblitContext.java
+++ b/src/main/java/com/gitblit/servlet/GitblitContext.java
@@ -31,13 +31,17 @@
 import javax.servlet.ServletContext;
 import javax.servlet.ServletContextEvent;
 
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
 import com.gitblit.Constants;
-import com.gitblit.DaggerModule;
 import com.gitblit.FileSettings;
 import com.gitblit.IStoredSettings;
 import com.gitblit.Keys;
 import com.gitblit.WebXmlSettings;
-import com.gitblit.dagger.DaggerContext;
+import com.gitblit.extensions.LifeCycleListener;
+import com.gitblit.guice.CoreModule;
+import com.gitblit.guice.WebModule;
 import com.gitblit.manager.IAuthenticationManager;
 import com.gitblit.manager.IFederationManager;
 import com.gitblit.manager.IGitblit;
@@ -47,27 +51,33 @@
 import com.gitblit.manager.IProjectManager;
 import com.gitblit.manager.IRepositoryManager;
 import com.gitblit.manager.IRuntimeManager;
+import com.gitblit.manager.IServicesManager;
 import com.gitblit.manager.IUserManager;
+import com.gitblit.tickets.ITicketService;
 import com.gitblit.transport.ssh.IPublicKeyManager;
 import com.gitblit.utils.ContainerUtils;
 import com.gitblit.utils.StringUtils;
-
-import dagger.ObjectGraph;
+import com.google.inject.AbstractModule;
+import com.google.inject.Guice;
+import com.google.inject.Injector;
+import com.google.inject.servlet.GuiceServletContextListener;
 
 /**
  * This class is the main entry point for the entire webapp.  It is a singleton
  * created manually by Gitblit GO or dynamically by the WAR/Express servlet
- * container.  This class instantiates and starts all managers.  Servlets and
- * filters are instantiated defined in web.xml and instantiated by the servlet
- * container, but those servlets and filters use Dagger to manually inject their
- * dependencies.
+ * container.  This class instantiates and starts all managers.
+ *
+ * Servlets and filters are injected which allows Gitblit to be completely
+ * code-driven.
  *
  * @author James Moger
  *
  */
-public class GitblitContext extends DaggerContext {
+public class GitblitContext extends GuiceServletContextListener {
 
 	private static GitblitContext gitblit;
+
+	protected final Logger logger = LoggerFactory.getLogger(getClass());
 
 	private final List<IManager> managers = new ArrayList<IManager>();
 
@@ -79,9 +89,7 @@
 	 * Construct a Gitblit WAR/Express context.
 	 */
 	public GitblitContext() {
-		this.goSettings = null;
-		this.goBaseFolder = null;
-		gitblit = this;
+		this(null, null);
 	}
 
 	/**
@@ -112,12 +120,16 @@
 		return null;
 	}
 
-	/**
-	 * Returns Gitblit's Dagger injection modules.
-	 */
 	@Override
-	protected Object [] getModules() {
-		return new Object [] { new DaggerModule() };
+	protected Injector getInjector() {
+		return Guice.createInjector(getModules());
+	}
+
+	/**
+	 * Returns Gitblit's Guice injection modules.
+	 */
+	protected AbstractModule [] getModules() {
+		return new AbstractModule [] { new CoreModule(), new WebModule() };
 	}
 
 	/**
@@ -128,18 +140,20 @@
 	 */
 	@Override
 	public final void contextInitialized(ServletContextEvent contextEvent) {
+		super.contextInitialized(contextEvent);
+
 		ServletContext context = contextEvent.getServletContext();
-		configureContext(context);
+		startCore(context);
 	}
 
 	/**
 	 * Prepare runtime settings and start all manager instances.
 	 */
-	protected void configureContext(ServletContext context) {
-		ObjectGraph injector = getInjector(context);
+	protected void startCore(ServletContext context) {
+		Injector injector = (Injector) context.getAttribute(Injector.class.getName());
 
 		// create the runtime settings object
-		IStoredSettings runtimeSettings = injector.get(IStoredSettings.class);
+		IStoredSettings runtimeSettings = injector.getInstance(IStoredSettings.class);
 		final File baseFolder;
 
 		if (goSettings != null) {
@@ -154,7 +168,7 @@
 			// if the base folder dosen't match the default assume they don't want to use express,
 			// this allows for other containers to customise the basefolder per context.
 			String defaultBase = Constants.contextFolder$ + "/WEB-INF/data";
-			String base = lookupBaseFolderFromJndi();
+			String base = getBaseFolderPath(defaultBase);
 			if (!StringUtils.isEmpty(System.getenv("OPENSHIFT_DATA_DIR")) && defaultBase.equals(base)) {
 				// RedHat OpenShift
 				baseFolder = configureExpress(context, webxmlSettings, contextFolder, runtimeSettings);
@@ -169,12 +183,15 @@
 
 		// Manually configure IRuntimeManager
 		logManager(IRuntimeManager.class);
-		IRuntimeManager runtime = injector.get(IRuntimeManager.class);
+		IRuntimeManager runtime = injector.getInstance(IRuntimeManager.class);
 		runtime.setBaseFolder(baseFolder);
 		runtime.getStatus().isGO = goSettings != null;
 		runtime.getStatus().servletContainer = context.getServerInfo();
 		runtime.start();
 		managers.add(runtime);
+
+		// create the plugin manager instance but do not start it
+		loadManager(injector, IPluginManager.class);
 
 		// start all other managers
 		startManager(injector, INotificationManager.class);
@@ -184,7 +201,9 @@
 		startManager(injector, IRepositoryManager.class);
 		startManager(injector, IProjectManager.class);
 		startManager(injector, IFederationManager.class);
+		startManager(injector, ITicketService.class);
 		startManager(injector, IGitblit.class);
+		startManager(injector, IServicesManager.class);
 
 		// start the plugin manager last so that plugins can depend on
 		// deterministic access to all other managers in their start() methods
@@ -193,6 +212,15 @@
 		logger.info("");
 		logger.info("All managers started.");
 		logger.info("");
+
+		IPluginManager pluginManager = injector.getInstance(IPluginManager.class);
+		for (LifeCycleListener listener : pluginManager.getExtensions(LifeCycleListener.class)) {
+			try {
+				listener.onStartup();
+			} catch (Throwable t) {
+				logger.error(null, t);
+			}
+		}
 	}
 
 	private String lookupBaseFolderFromJndi() {
@@ -207,9 +235,32 @@
 		return null;
 	}
 
-	protected <X extends IManager> X startManager(ObjectGraph injector, Class<X> clazz) {
+	protected String getBaseFolderPath(String defaultBaseFolder) {
+		// try a system property or a JNDI property
+		String specifiedBaseFolder = System.getProperty("GITBLIT_HOME", lookupBaseFolderFromJndi());
+
+		if (!StringUtils.isEmpty(System.getenv("GITBLIT_HOME"))) {
+			// try an environment variable
+			specifiedBaseFolder = System.getenv("GITBLIT_HOME");
+		}
+
+		if (!StringUtils.isEmpty(specifiedBaseFolder)) {
+			// use specified base folder path
+			return specifiedBaseFolder;
+		}
+
+		// use default base folder path
+		return defaultBaseFolder;
+	}
+
+	protected <X extends IManager> X loadManager(Injector injector, Class<X> clazz) {
+		X x = injector.getInstance(clazz);
+		return x;
+	}
+
+	protected <X extends IManager> X startManager(Injector injector, Class<X> clazz) {
+		X x = loadManager(injector, clazz);
 		logManager(clazz);
-		X x = injector.get(clazz);
 		x.start();
 		managers.add(x);
 		return x;
@@ -220,13 +271,29 @@
 		logger.info("----[{}]----", clazz.getName());
 	}
 
+	@Override
+	public final void contextDestroyed(ServletContextEvent contextEvent) {
+		super.contextDestroyed(contextEvent);
+		ServletContext context = contextEvent.getServletContext();
+		destroyContext(context);
+	}
+
 	/**
 	 * Gitblit is being shutdown either because the servlet container is
 	 * shutting down or because the servlet container is re-deploying Gitblit.
 	 */
-	@Override
 	protected void destroyContext(ServletContext context) {
 		logger.info("Gitblit context destroyed by servlet container.");
+
+		IPluginManager pluginManager = getManager(IPluginManager.class);
+		for (LifeCycleListener listener : pluginManager.getExtensions(LifeCycleListener.class)) {
+			try {
+				listener.onShutdown();
+			} catch (Throwable t) {
+				logger.error(null, t);
+			}
+		}
+
 		for (IManager manager : managers) {
 			logger.debug("stopping {}", manager.getClass().getSimpleName());
 			manager.stop();
@@ -279,9 +346,9 @@
 		logger.debug("configuring Gitblit WAR");
 		logger.info("WAR contextFolder is " + ((contextFolder != null) ? contextFolder.getAbsolutePath() : "<empty>"));
 
-		String path = webxmlSettings.getString(Constants.baseFolder, Constants.contextFolder$ + "/WEB-INF/data");
+		String webXmlPath = webxmlSettings.getString(Constants.baseFolder, Constants.contextFolder$ + "/WEB-INF/data");
 
-		if (path.contains(Constants.contextFolder$) && contextFolder == null) {
+		if (webXmlPath.contains(Constants.contextFolder$) && contextFolder == null) {
 			// warn about null contextFolder (issue-199)
 			logger.error("");
 			logger.error(MessageFormat.format("\"{0}\" depends on \"{1}\" but \"{2}\" is returning NULL for \"{1}\"!",
@@ -291,18 +358,15 @@
 			logger.error("");
 		}
 
-		String baseFromJndi = lookupBaseFolderFromJndi();
-		if (!StringUtils.isEmpty(baseFromJndi)) {
-			path = baseFromJndi;
-		}
+		String baseFolderPath = getBaseFolderPath(webXmlPath);
 
-		File base = com.gitblit.utils.FileUtils.resolveParameter(Constants.contextFolder$, contextFolder, path);
-		base.mkdirs();
+		File baseFolder = com.gitblit.utils.FileUtils.resolveParameter(Constants.contextFolder$, contextFolder, baseFolderPath);
+		baseFolder.mkdirs();
 
 		// try to extract the data folder resource to the baseFolder
-		File localSettings = new File(base, "gitblit.properties");
+		File localSettings = new File(baseFolder, "gitblit.properties");
 		if (!localSettings.exists()) {
-			extractResources(context, "/WEB-INF/data/", base);
+			extractResources(context, "/WEB-INF/data/", baseFolder);
 		}
 
 		// delegate all config to baseFolder/gitblit.properties file
@@ -314,7 +378,7 @@
 		// the target file for runtimeSettings is set to "localSettings".
 		runtimeSettings.merge(fileSettings);
 
-		return base;
+		return baseFolder;
 	}
 
 	/**
@@ -354,6 +418,22 @@
 			}
 		}
 
+		// Copy the included gitignore files to the configured gitignore folder
+		String gitignorePath = webxmlSettings.getString(Keys.git.gitignoreFolder, "gitignore");
+		File localGitignores = com.gitblit.utils.FileUtils.resolveParameter(Constants.baseFolder$, base, gitignorePath);
+		if (!localGitignores.exists()) {
+			File warGitignores = new File(contextFolder, "/WEB-INF/data/gitignore");
+			if (!warGitignores.equals(localGitignores)) {
+				try {
+					com.gitblit.utils.FileUtils.copy(localGitignores, warGitignores.listFiles());
+				} catch (IOException e) {
+					logger.error(MessageFormat.format(
+							"Failed to copy included .gitignore files from {0} to {1}",
+							warGitignores, localGitignores));
+				}
+			}
+		}
+
 		// merge the WebXmlSettings into the runtime settings (for backwards-compatibilty)
 		runtimeSettings.merge(webxmlSettings);
 

--
Gitblit v1.9.1