From fc3a39d464b1303f0b7d01d0160f81cbbb80a98b Mon Sep 17 00:00:00 2001
From: James Moger <james.moger@gitblit.com>
Date: Sun, 07 Sep 2014 11:42:40 -0400
Subject: [PATCH] Create infrastructure for XSS sanitization

---
 src/main/java/com/gitblit/ReindexTickets.java                   |    5 
 src/test/java/com/gitblit/tests/RedmineAuthenticationTest.java  |    8 +
 src/main/java/com/gitblit/manager/IRuntimeManager.java          |    8 +
 .classpath                                                      |    1 
 src/main/java/com/gitblit/wicket/GitBlitWebApp.java             |   12 ++
 src/test/java/com/gitblit/tests/FileTicketServiceTest.java      |    6 
 src/test/java/com/gitblit/tests/LdapAuthenticationTest.java     |    8 +
 src/main/java/com/gitblit/utils/JSoupXssFilter.java             |   87 +++++++++++++++++
 src/main/java/com/gitblit/manager/RuntimeManager.java           |   21 +++
 src/main/java/com/gitblit/wicket/GitblitWicketApp.java          |    3 
 src/test/java/com/gitblit/tests/BranchTicketServiceTest.java    |    6 
 src/test/java/com/gitblit/tests/LuceneExecutorTest.java         |    5 
 src/main/java/com/gitblit/MigrateTickets.java                   |    5 
 src/main/java/com/gitblit/DaggerModule.java                     |   11 +
 src/main/java/com/gitblit/FederationClient.java                 |    5 
 src/main/java/com/gitblit/manager/GitblitManager.java           |    6 +
 src/test/java/com/gitblit/tests/AuthenticationManagerTest.java  |    5 
 src/test/java/com/gitblit/tests/RedisTicketServiceTest.java     |    6 
 src/test/java/com/gitblit/tests/HtpasswdAuthenticationTest.java |    8 +
 src/main/java/com/gitblit/utils/XssFilter.java                  |   64 ++++++++++++
 build.moxie                                                     |    1 
 src/test/java/com/gitblit/tests/mock/MockRuntimeManager.java    |    7 +
 gitblit.iml                                                     |   11 ++
 23 files changed, 277 insertions(+), 22 deletions(-)

diff --git a/.classpath b/.classpath
index f6e655e..a6b4010 100644
--- a/.classpath
+++ b/.classpath
@@ -77,6 +77,7 @@
 	<classpathentry kind="lib" path="ext/commons-pool2-2.0.jar" sourcepath="ext/src/commons-pool2-2.0.jar" />
 	<classpathentry kind="lib" path="ext/pf4j-0.8.0.jar" sourcepath="ext/src/pf4j-0.8.0.jar" />
 	<classpathentry kind="lib" path="ext/tika-core-1.5.jar" sourcepath="ext/src/tika-core-1.5.jar" />
+	<classpathentry kind="lib" path="ext/jsoup-1.7.3.jar" sourcepath="ext/src/jsoup-1.7.3.jar" />
 	<classpathentry kind="lib" path="ext/junit-4.11.jar" sourcepath="ext/src/junit-4.11.jar" />
 	<classpathentry kind="lib" path="ext/hamcrest-core-1.3.jar" sourcepath="ext/src/hamcrest-core-1.3.jar" />
 	<classpathentry kind="lib" path="ext/selenium-java-2.28.0.jar" sourcepath="ext/src/selenium-java-2.28.0.jar" />
diff --git a/build.moxie b/build.moxie
index 0801644..c558c52 100644
--- a/build.moxie
+++ b/build.moxie
@@ -176,6 +176,7 @@
 - compile 'redis.clients:jedis:2.3.1' :war
 - compile 'ro.fortsoft.pf4j:pf4j:0.8.0' :war
 - compile 'org.apache.tika:tika-core:1.5' :war
+- compile 'org.jsoup:jsoup:1.7.3' :war
 - test 'junit'
 # Dependencies for Selenium web page testing
 - test 'org.seleniumhq.selenium:selenium-java:${selenium.version}' @jar
diff --git a/gitblit.iml b/gitblit.iml
index 03e2896..3e6608f 100644
--- a/gitblit.iml
+++ b/gitblit.iml
@@ -801,6 +801,17 @@
         </SOURCES>
       </library>
     </orderEntry>
+    <orderEntry type="module-library">
+      <library name="jsoup-1.7.3.jar">
+        <CLASSES>
+          <root url="jar://$MODULE_DIR$/ext/jsoup-1.7.3.jar!/" />
+        </CLASSES>
+        <JAVADOC />
+        <SOURCES>
+          <root url="jar://$MODULE_DIR$/ext/src/jsoup-1.7.3.jar!/" />
+        </SOURCES>
+      </library>
+    </orderEntry>
     <orderEntry type="module-library" scope="TEST">
       <library name="junit-4.11.jar">
         <CLASSES>
diff --git a/src/main/java/com/gitblit/DaggerModule.java b/src/main/java/com/gitblit/DaggerModule.java
index 6ad3fe6..dd7e1b2 100644
--- a/src/main/java/com/gitblit/DaggerModule.java
+++ b/src/main/java/com/gitblit/DaggerModule.java
@@ -38,7 +38,9 @@
 import com.gitblit.transport.ssh.IPublicKeyManager;
 import com.gitblit.transport.ssh.MemoryKeyManager;
 import com.gitblit.transport.ssh.NullKeyManager;
+import com.gitblit.utils.JSoupXssFilter;
 import com.gitblit.utils.StringUtils;
+import com.gitblit.utils.XssFilter;
 import com.gitblit.wicket.GitBlitWebApp;
 
 import dagger.Module;
@@ -54,6 +56,7 @@
 	library = true,
 	injects = {
 			IStoredSettings.class,
+			XssFilter.class,
 
 			// core managers
 			IRuntimeManager.class,
@@ -79,8 +82,12 @@
 		return new FileSettings();
 	}
 
-	@Provides @Singleton IRuntimeManager provideRuntimeManager(IStoredSettings settings) {
-		return new RuntimeManager(settings);
+	@Provides @Singleton XssFilter provideXssFilter() {
+		return new JSoupXssFilter();
+	}
+
+	@Provides @Singleton IRuntimeManager provideRuntimeManager(IStoredSettings settings, XssFilter xssFilter) {
+		return new RuntimeManager(settings, xssFilter);
 	}
 
 	@Provides @Singleton IPluginManager providePluginManager(IRuntimeManager runtimeManager) {
diff --git a/src/main/java/com/gitblit/FederationClient.java b/src/main/java/com/gitblit/FederationClient.java
index 29cdefe..079355e 100644
--- a/src/main/java/com/gitblit/FederationClient.java
+++ b/src/main/java/com/gitblit/FederationClient.java
@@ -36,6 +36,8 @@
 import com.gitblit.service.FederationPullService;
 import com.gitblit.utils.FederationUtils;
 import com.gitblit.utils.StringUtils;
+import com.gitblit.utils.XssFilter;
+import com.gitblit.utils.XssFilter.AllowXssFilter;
 
 /**
  * Command-line client to pull federated Gitblit repositories.
@@ -92,7 +94,8 @@
 		}
 
 		// configure the Gitblit singleton for minimal, non-server operation
-		RuntimeManager runtime = new RuntimeManager(settings, baseFolder).start();
+		XssFilter xssFilter = new AllowXssFilter();
+		RuntimeManager runtime = new RuntimeManager(settings, xssFilter, baseFolder).start();
 		NoopNotificationManager notifications = new NoopNotificationManager().start();
 		UserManager users = new UserManager(runtime, null).start();
 		RepositoryManager repositories = new RepositoryManager(runtime, null, users).start();
diff --git a/src/main/java/com/gitblit/MigrateTickets.java b/src/main/java/com/gitblit/MigrateTickets.java
index ad1c63e..94284ee 100644
--- a/src/main/java/com/gitblit/MigrateTickets.java
+++ b/src/main/java/com/gitblit/MigrateTickets.java
@@ -39,6 +39,8 @@
 import com.gitblit.tickets.ITicketService;
 import com.gitblit.tickets.RedisTicketService;
 import com.gitblit.utils.StringUtils;
+import com.gitblit.utils.XssFilter;
+import com.gitblit.utils.XssFilter.AllowXssFilter;
 
 /**
  * A command-line tool to move all tickets from one ticket service to another.
@@ -134,7 +136,8 @@
 		settings.overrideSetting(Keys.web.activityCacheDays, 0);
 		settings.overrideSetting(ITicketService.SETTING_UPDATE_DIFFSTATS, false);
 
-		IRuntimeManager runtimeManager = new RuntimeManager(settings, baseFolder).start();
+		XssFilter xssFilter = new AllowXssFilter();
+		IRuntimeManager runtimeManager = new RuntimeManager(settings, xssFilter, baseFolder).start();
 		IRepositoryManager repositoryManager = new RepositoryManager(runtimeManager, null, null).start();
 
 		String inputServiceName = settings.getString(Keys.tickets.service, BranchTicketService.class.getSimpleName());
diff --git a/src/main/java/com/gitblit/ReindexTickets.java b/src/main/java/com/gitblit/ReindexTickets.java
index 5a61448..858436a 100644
--- a/src/main/java/com/gitblit/ReindexTickets.java
+++ b/src/main/java/com/gitblit/ReindexTickets.java
@@ -33,6 +33,8 @@
 import com.gitblit.tickets.ITicketService;
 import com.gitblit.tickets.RedisTicketService;
 import com.gitblit.utils.StringUtils;
+import com.gitblit.utils.XssFilter;
+import com.gitblit.utils.XssFilter.AllowXssFilter;
 
 /**
  * A command-line tool to reindex all tickets in all repositories when the
@@ -126,7 +128,8 @@
 		settings.overrideSetting(Keys.git.enableMirroring, false);
 		settings.overrideSetting(Keys.web.activityCacheDays, 0);
 
-		IRuntimeManager runtimeManager = new RuntimeManager(settings, baseFolder).start();
+		XssFilter xssFilter = new AllowXssFilter();
+		IRuntimeManager runtimeManager = new RuntimeManager(settings, xssFilter, baseFolder).start();
 		IRepositoryManager repositoryManager = new RepositoryManager(runtimeManager, null, null).start();
 
 		String serviceName = settings.getString(Keys.tickets.service, BranchTicketService.class.getSimpleName());
diff --git a/src/main/java/com/gitblit/manager/GitblitManager.java b/src/main/java/com/gitblit/manager/GitblitManager.java
index b9ae122..2ed52d6 100644
--- a/src/main/java/com/gitblit/manager/GitblitManager.java
+++ b/src/main/java/com/gitblit/manager/GitblitManager.java
@@ -79,6 +79,7 @@
 import com.gitblit.transport.ssh.IPublicKeyManager;
 import com.gitblit.transport.ssh.SshKey;
 import com.gitblit.utils.ArrayUtils;
+import com.gitblit.utils.XssFilter;
 import com.gitblit.utils.HttpUtils;
 import com.gitblit.utils.JsonUtils;
 import com.gitblit.utils.ObjectCache;
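Review bot: The new `import com.gitblit.utils.XssFilter;` on the fourth line of this hunk is placed between `ArrayUtils` and `HttpUtils`, breaking the alphabetical order the surrounding `com.gitblit.utils` imports follow. Move it to its sorted position after the other `com.gitblit.utils` imports, as this commit already does in `RuntimeManager.java` and `IRuntimeManager.java`.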
@@ -663,6 +664,11 @@
 		return runtimeManager.getStatus();
 	}
 
+	@Override
+	public XssFilter getXssFilter() {
+		return runtimeManager.getXssFilter();
+	}
+
 	/*
 	 * NOTIFICATION MANAGER
 	 */
diff --git a/src/main/java/com/gitblit/manager/IRuntimeManager.java b/src/main/java/com/gitblit/manager/IRuntimeManager.java
index b2d7a2b..132534c 100644
--- a/src/main/java/com/gitblit/manager/IRuntimeManager.java
+++ b/src/main/java/com/gitblit/manager/IRuntimeManager.java
@@ -24,6 +24,7 @@
 import com.gitblit.IStoredSettings;
 import com.gitblit.models.ServerSettings;
 import com.gitblit.models.ServerStatus;
+import com.gitblit.utils.XssFilter;
 
 public interface IRuntimeManager extends IManager {
 
@@ -151,4 +152,11 @@
  	 * @since 1.4.0
 	 */
 	boolean updateSettings(Map<String, String> updatedSettings);
+
+	/**
+	 * Returns the HTML sanitizer used to clean user content.
+	 *
+	 * @return the HTML sanitizer
+	 */
+	XssFilter getXssFilter();
 }
\ No newline at end of file
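Review bot: The Javadoc on the new `getXssFilter()` has no `@since` tag, although the neighbouring `updateSettings` in the hunk context carries `@since 1.4.0`, so plugin authors cannot tell which release introduced the method. Add `@since <release placeholder>` with the version this ships in. The contract would also benefit from stating nullability, e.g. `@return the HTML sanitizer; implementations that want no sanitization return an AllowXssFilter rather than null`, since the `RuntimeManager` constructor in this commit does not reject a null filter.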
diff --git a/src/main/java/com/gitblit/manager/RuntimeManager.java b/src/main/java/com/gitblit/manager/RuntimeManager.java
index 9cdc64e..219bf80 100644
--- a/src/main/java/com/gitblit/manager/RuntimeManager.java
+++ b/src/main/java/com/gitblit/manager/RuntimeManager.java
@@ -32,12 +32,15 @@
 import com.gitblit.models.ServerStatus;
 import com.gitblit.models.SettingModel;
 import com.gitblit.utils.StringUtils;
+import com.gitblit.utils.XssFilter;
 
 public class RuntimeManager implements IRuntimeManager {
 
 	private final Logger logger = LoggerFactory.getLogger(getClass());
 
 	private final IStoredSettings settings;
+
+	private final XssFilter xssFilter;
 
 	private final ServerStatus serverStatus;
 
@@ -47,14 +50,15 @@
 
 	private TimeZone timezone;
 
-	public RuntimeManager(IStoredSettings settings) {
-		this(settings, null);
+	public RuntimeManager(IStoredSettings settings, XssFilter xssFilter) {
+		this(settings, xssFilter, null);
 	}
 
-	public RuntimeManager(IStoredSettings settings, File baseFolder) {
+	public RuntimeManager(IStoredSettings settings, XssFilter xssFilter, File baseFolder) {
 		this.settings = settings;
 		this.settingsModel = new ServerSettings();
 		this.serverStatus = new ServerStatus();
+		this.xssFilter = xssFilter;
 		this.baseFolder = baseFolder == null ? new File("") : baseFolder;
 	}
 
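Review bot: The three-argument constructor stores `xssFilter` unchecked, so a caller that passes null only fails later with an NPE at whatever render path consumes `getXssFilter()`, far from the faulty wiring; every caller in this commit that wants no sanitization passes an explicit `AllowXssFilter`, so null is never a legitimate value here. Replace the assignment with `this.xssFilter = Objects.requireNonNull(xssFilter, "xssFilter");`. That needs `java.util.Objects` in scope; the file's import block is only partly visible in this hunk, so I cannot tell whether it is already imported.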
@@ -262,4 +266,15 @@
 		serverStatus.heapFree = Runtime.getRuntime().freeMemory();
 		return serverStatus;
 	}
+
+	/**
+	 * Returns the XSS filter.
+	 *
+	 * @return the XSS filter
+	 */
+	@Override
+	public XssFilter getXssFilter() {
+		return xssFilter;
+	}
+
 }
diff --git a/src/main/java/com/gitblit/utils/JSoupXssFilter.java b/src/main/java/com/gitblit/utils/JSoupXssFilter.java
new file mode 100644
index 0000000..b07bcb9
--- /dev/null
+++ b/src/main/java/com/gitblit/utils/JSoupXssFilter.java
@@ -0,0 +1,87 @@
+/*
+ * Copyright 2014 gitblit.com.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.gitblit.utils;
+
+import org.jsoup.Jsoup;
+import org.jsoup.nodes.Document;
+import org.jsoup.safety.Cleaner;
+import org.jsoup.safety.Whitelist;
+
+/**
+ * Implementation of an XSS filter based on JSoup.
+ *
+ * @author James Moger
+ *
+ */
+public class JSoupXssFilter implements XssFilter {
+
+	 private final Cleaner none;
+
+	 private final Cleaner relaxed;
+
+	 public JSoupXssFilter() {
+		 none = new Cleaner(Whitelist.none());
+		 relaxed = new Cleaner(getRelaxedWhiteList());
+	}
+
+	@Override
+	public String none(String input) {
+		return clean(input, none);
+	}
+
+	@Override
+	public String relaxed(String input) {
+		return clean(input, relaxed);
+	}
+
+	protected String clean(String input, Cleaner cleaner) {
+		Document unsafe = Jsoup.parse(input);
+		Document safe = cleaner.clean(unsafe);
+		return safe.body().html();
+	}
+
+	/**
+	 * Builds & returns a loose HTML whitelist similar to Github.
+	 *
+	 * https://github.com/github/markup/tree/master#html-sanitization
+	 * @return a loose HTML whitelist
+	 */
+	protected Whitelist getRelaxedWhiteList() {
+		return new Whitelist()
+        .addTags(
+                "a", "b", "blockquote", "br", "caption", "cite", "code", "col",
+                "colgroup", "dd", "del", "div", "dl", "dt", "em", "h1", "h2", "h3", "h4", "h5", "h6", "hr",
+                "i", "img", "ins", "kbd", "li", "ol", "p", "pre", "q", "samp", "small", "strike", "strong",
+                "sub", "sup", "table", "tbody", "td", "tfoot", "th", "thead", "tr", "tt", "u",
+                "ul", "var")
+
+        .addAttributes("a", "href", "title")
+        .addAttributes("blockquote", "cite")
+        .addAttributes("col", "span", "width")
+        .addAttributes("colgroup", "span", "width")
+        .addAttributes("img", "align", "alt", "height", "src", "title", "width")
+        .addAttributes("ol", "start", "type")
+        .addAttributes("q", "cite")
+        .addAttributes("table", "summary", "width")
+        .addAttributes("td", "abbr", "axis", "colspan", "rowspan", "width")
+        .addAttributes("th", "abbr", "axis", "colspan", "rowspan", "scope", "width")
+        .addAttributes("ul", "type")
+
+        .addEnforcedAttribute("a", "rel", "nofollow")
+        ;
+	}
+
+}
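Review bot: `getRelaxedWhiteList()` allows the URL-bearing attributes `a[href]`, `img[src]`, `blockquote[cite]` and `q[cite]` but never calls `addProtocols` for them, and a `Whitelist` built from `new Whitelist()` does not restrict attribute values at all, so script-scheme URLs pass the relaxed filter untouched; jsoup's own `Whitelist.relaxed()` pins these attributes to http/https (plus ftp/mailto for links). Add a protocol restriction for each of those attributes, and note that once protocols are enforced jsoup resolves the value against the document base URI — `clean` calls `Jsoup.parse(input)` with no base URI — and drops relative links unless `preserveRelativeLinks(true)` is set, so confirm that method is present in the bundled 1.7.3 before relying on it. Separately, the two fields and the constructor at the top of the class use a space-plus-tab indent that differs from the rest of the file, and `clean` will throw on a null `input` because `Jsoup.parse` validates its argument, while the `XssFilter` contract does not say whether null is allowed.
```java
	protected Whitelist getRelaxedWhiteList() {
		return new Whitelist()
        // … unchanged: addTags(...) and addAttributes(...) chain …

        .addProtocols("a", "href", "http", "https", "mailto")
        .addProtocols("blockquote", "cite", "http", "https")
        .addProtocols("img", "src", "http", "https")
        .addProtocols("q", "cite", "http", "https")
        // without this, relative (same-site) links are discarded once protocols are enforced
        .preserveRelativeLinks(true)

        .addEnforcedAttribute("a", "rel", "nofollow")
        ;
	}
```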
diff --git a/src/main/java/com/gitblit/utils/XssFilter.java b/src/main/java/com/gitblit/utils/XssFilter.java
new file mode 100644
index 0000000..20b5105
--- /dev/null
+++ b/src/main/java/com/gitblit/utils/XssFilter.java
@@ -0,0 +1,64 @@
+/*
+ * Copyright 2014 gitblit.com.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.gitblit.utils;
+
+/**
+ * Defines the contract for an XSS filter implementation.
+ *
+ * @author James Moger
+ *
+ */
+public interface XssFilter {
+
+	/**
+	 * Returns a filtered version of the input value that contains no html
+	 * elements.
+	 *
+	 * @param input
+	 * @return a plain text value
+	 */
+	String none(String input);
+
+	/**
+	 * Returns a filtered version of the input that contains structural html
+	 * elements.
+	 *
+	 * @param input
+	 * @return a filtered html value
+	 */
+	String relaxed(String input);
+
+	/**
+	 * A NOOP XSS filter.
+	 *
+	 * @author James Moger
+	 *
+	 */
+	public class AllowXssFilter implements XssFilter {
+
+		@Override
+		public String none(String input) {
+			return input;
+		}
+
+		@Override
+		public String relaxed(String input) {
+			return input;
+		}
+
+	}
+
+}
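Review bot: The `@param input` tags on `none` and `relaxed` carry no description, and the contract says nothing about null input or about what "a plain text value" means for `none`: as far as I can tell, the jsoup implementation in this commit returns `body().html()`, whose text nodes remain HTML-entity-encoded, so a caller that emits the result outside an HTML context would see literal `&amp;` or `&lt;`. Suggest `@param input untrusted html or text; must not be null` on both methods and rewording the `none` return as `@return the input with all html elements removed; the text is html-encoded and intended for html rendering`. The `public` modifier on the nested `AllowXssFilter` is redundant, since members of an interface are implicitly public and static.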
diff --git a/src/main/java/com/gitblit/wicket/GitBlitWebApp.java b/src/main/java/com/gitblit/wicket/GitBlitWebApp.java
index f63ff3d..6cf5f58 100644
--- a/src/main/java/com/gitblit/wicket/GitBlitWebApp.java
+++ b/src/main/java/com/gitblit/wicket/GitBlitWebApp.java
@@ -46,6 +46,7 @@
 import com.gitblit.manager.IUserManager;
 import com.gitblit.tickets.ITicketService;
 import com.gitblit.transport.ssh.IPublicKeyManager;
+import com.gitblit.utils.XssFilter;
 import com.gitblit.wicket.pages.ActivityPage;
 import com.gitblit.wicket.pages.BlamePage;
 import com.gitblit.wicket.pages.BlobDiffPage;
@@ -100,6 +101,8 @@
 
 	private final IStoredSettings settings;
 
+	private final XssFilter xssFilter;
+
 	private final IRuntimeManager runtimeManager;
 
 	private final IPluginManager pluginManager;
@@ -134,6 +137,7 @@
 
 		super();
 		this.settings = runtimeManager.getSettings();
+		this.xssFilter = runtimeManager.getXssFilter();
 		this.runtimeManager = runtimeManager;
 		this.pluginManager = pluginManager;
 		this.notificationManager = notificationManager;
@@ -308,6 +312,14 @@
 	}
 
 	/* (non-Javadoc)
+	 * @see com.gitblit.wicket.Webapp#xssFilter()
+	 */
+	@Override
+	public XssFilter xssFilter() {
+		return xssFilter;
+	}
+
+	/* (non-Javadoc)
 	 * @see com.gitblit.wicket.Webapp#isDebugMode()
 	 */
 	@Override
diff --git a/src/main/java/com/gitblit/wicket/GitblitWicketApp.java b/src/main/java/com/gitblit/wicket/GitblitWicketApp.java
index a56e699..8d3d598 100644
--- a/src/main/java/com/gitblit/wicket/GitblitWicketApp.java
+++ b/src/main/java/com/gitblit/wicket/GitblitWicketApp.java
@@ -17,6 +17,7 @@
 import com.gitblit.manager.IUserManager;
 import com.gitblit.tickets.ITicketService;
 import com.gitblit.transport.ssh.IPublicKeyManager;
+import com.gitblit.utils.XssFilter;
 
 public interface GitblitWicketApp {
 
@@ -30,6 +31,8 @@
 
 	public abstract IStoredSettings settings();
 
+	public abstract XssFilter xssFilter();
+
 	/**
 	 * Is Gitblit running in debug mode?
 	 *
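Review bot: The new abstract method `xssFilter()` has no Javadoc, while the sibling `isDebugMode()` directly below it does; the implementation in `GitBlitWebApp` only carries a `(non-Javadoc)` pointer back to this declaration, so the method ends up documented nowhere. Add `/** Returns the XSS filter used to sanitize user-supplied content before it is rendered. @return the XSS filter */` above the declaration, matching the wording used for `IRuntimeManager.getXssFilter()` in this commit.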
diff --git a/src/test/java/com/gitblit/tests/AuthenticationManagerTest.java b/src/test/java/com/gitblit/tests/AuthenticationManagerTest.java
index f1d2711..0cdee6c 100644
--- a/src/test/java/com/gitblit/tests/AuthenticationManagerTest.java
+++ b/src/test/java/com/gitblit/tests/AuthenticationManagerTest.java
@@ -26,6 +26,8 @@
 import com.gitblit.manager.UserManager;
 import com.gitblit.models.UserModel;
 import com.gitblit.tests.mock.MemorySettings;
+import com.gitblit.utils.XssFilter;
+import com.gitblit.utils.XssFilter.AllowXssFilter;
 
 /**
  * Class for testing local authentication.
@@ -42,7 +44,8 @@
     }
 
     IAuthenticationManager newAuthenticationManager() {
-    	RuntimeManager runtime = new RuntimeManager(getSettings(), GitBlitSuite.BASEFOLDER).start();
+    	XssFilter xssFilter = new AllowXssFilter();
+    	RuntimeManager runtime = new RuntimeManager(getSettings(), xssFilter, GitBlitSuite.BASEFOLDER).start();
     	users = new UserManager(runtime, null).start();
     	AuthenticationManager auth = new AuthenticationManager(runtime, users).start();
     	return auth;
diff --git a/src/test/java/com/gitblit/tests/BranchTicketServiceTest.java b/src/test/java/com/gitblit/tests/BranchTicketServiceTest.java
index cc404ab..0a5de19 100644
--- a/src/test/java/com/gitblit/tests/BranchTicketServiceTest.java
+++ b/src/test/java/com/gitblit/tests/BranchTicketServiceTest.java
@@ -29,6 +29,8 @@
 import com.gitblit.models.RepositoryModel;
 import com.gitblit.tickets.BranchTicketService;
 import com.gitblit.tickets.ITicketService;
+import com.gitblit.utils.XssFilter;
+import com.gitblit.utils.XssFilter.AllowXssFilter;
 
 /**
  * Tests the branch ticket service.
@@ -50,8 +52,8 @@
 	protected ITicketService getService(boolean deleteAll) throws Exception {
 
 		IStoredSettings settings = getSettings(deleteAll);
-
-		IRuntimeManager runtimeManager = new RuntimeManager(settings).start();
+		XssFilter xssFilter = new AllowXssFilter();
+		IRuntimeManager runtimeManager = new RuntimeManager(settings, xssFilter).start();
 		IPluginManager pluginManager = new PluginManager(runtimeManager).start();
 		INotificationManager notificationManager = new NotificationManager(settings).start();
 		IUserManager userManager = new UserManager(runtimeManager, pluginManager).start();
diff --git a/src/test/java/com/gitblit/tests/FileTicketServiceTest.java b/src/test/java/com/gitblit/tests/FileTicketServiceTest.java
index 6ede042..1fb2eed 100644
--- a/src/test/java/com/gitblit/tests/FileTicketServiceTest.java
+++ b/src/test/java/com/gitblit/tests/FileTicketServiceTest.java
@@ -29,6 +29,8 @@
 import com.gitblit.models.RepositoryModel;
 import com.gitblit.tickets.FileTicketService;
 import com.gitblit.tickets.ITicketService;
+import com.gitblit.utils.XssFilter;
+import com.gitblit.utils.XssFilter.AllowXssFilter;
 
 /**
  * Tests the file ticket service.
@@ -49,8 +51,8 @@
 	protected ITicketService getService(boolean deleteAll) throws Exception {
 
 		IStoredSettings settings = getSettings(deleteAll);
-
-		IRuntimeManager runtimeManager = new RuntimeManager(settings).start();
+		XssFilter xssFilter = new AllowXssFilter();
+		IRuntimeManager runtimeManager = new RuntimeManager(settings, xssFilter).start();
 		IPluginManager pluginManager = new PluginManager(runtimeManager).start();
 		INotificationManager notificationManager = new NotificationManager(settings).start();
 		IUserManager userManager = new UserManager(runtimeManager, pluginManager).start();
diff --git a/src/test/java/com/gitblit/tests/HtpasswdAuthenticationTest.java b/src/test/java/com/gitblit/tests/HtpasswdAuthenticationTest.java
index f4e24d4..e2bb764 100644
--- a/src/test/java/com/gitblit/tests/HtpasswdAuthenticationTest.java
+++ b/src/test/java/com/gitblit/tests/HtpasswdAuthenticationTest.java
@@ -32,6 +32,8 @@
 import com.gitblit.manager.UserManager;
 import com.gitblit.models.UserModel;
 import com.gitblit.tests.mock.MemorySettings;
+import com.gitblit.utils.XssFilter;
+import com.gitblit.utils.XssFilter.AllowXssFilter;
 
 /**
  * Test the Htpasswd user service.
@@ -74,7 +76,8 @@
     }
 
     private HtpasswdAuthProvider newHtpasswdAuthentication(IStoredSettings settings) {
-    	RuntimeManager runtime = new RuntimeManager(settings, GitBlitSuite.BASEFOLDER).start();
+    	XssFilter xssFilter = new AllowXssFilter();
+    	RuntimeManager runtime = new RuntimeManager(settings, xssFilter, GitBlitSuite.BASEFOLDER).start();
     	UserManager users = new UserManager(runtime, null).start();
     	HtpasswdAuthProvider htpasswd = new HtpasswdAuthProvider();
     	htpasswd.setup(runtime, users);
@@ -82,7 +85,8 @@
     }
 
     private AuthenticationManager newAuthenticationManager(IStoredSettings settings) {
-    	RuntimeManager runtime = new RuntimeManager(settings, GitBlitSuite.BASEFOLDER).start();
+    	XssFilter xssFilter = new AllowXssFilter();
+    	RuntimeManager runtime = new RuntimeManager(settings, xssFilter, GitBlitSuite.BASEFOLDER).start();
     	UserManager users = new UserManager(runtime, null).start();
     	HtpasswdAuthProvider htpasswd = new HtpasswdAuthProvider();
     	htpasswd.setup(runtime, users);
diff --git a/src/test/java/com/gitblit/tests/LdapAuthenticationTest.java b/src/test/java/com/gitblit/tests/LdapAuthenticationTest.java
index 646f7e9..7c84ecc 100644
--- a/src/test/java/com/gitblit/tests/LdapAuthenticationTest.java
+++ b/src/test/java/com/gitblit/tests/LdapAuthenticationTest.java
@@ -39,6 +39,8 @@
 import com.gitblit.models.TeamModel;
 import com.gitblit.models.UserModel;
 import com.gitblit.tests.mock.MemorySettings;
+import com.gitblit.utils.XssFilter;
+import com.gitblit.utils.XssFilter.AllowXssFilter;
 import com.unboundid.ldap.listener.InMemoryDirectoryServer;
 import com.unboundid.ldap.listener.InMemoryDirectoryServerConfig;
 import com.unboundid.ldap.listener.InMemoryListenerConfig;
@@ -96,7 +98,8 @@
 	}
 
 	private LdapAuthProvider newLdapAuthentication(IStoredSettings settings) {
-		RuntimeManager runtime = new RuntimeManager(settings, GitBlitSuite.BASEFOLDER).start();
+		XssFilter xssFilter = new AllowXssFilter();
+		RuntimeManager runtime = new RuntimeManager(settings, xssFilter, GitBlitSuite.BASEFOLDER).start();
 		userManager = new UserManager(runtime, null).start();
 		LdapAuthProvider ldap = new LdapAuthProvider();
 		ldap.setup(runtime, userManager);
@@ -104,7 +107,8 @@
 	}
 
 	private AuthenticationManager newAuthenticationManager(IStoredSettings settings) {
-		RuntimeManager runtime = new RuntimeManager(settings, GitBlitSuite.BASEFOLDER).start();
+		XssFilter xssFilter = new AllowXssFilter();
+		RuntimeManager runtime = new RuntimeManager(settings, xssFilter, GitBlitSuite.BASEFOLDER).start();
 		AuthenticationManager auth = new AuthenticationManager(runtime, userManager);
 		auth.addAuthenticationProvider(newLdapAuthentication(settings));
 		return auth;
diff --git a/src/test/java/com/gitblit/tests/LuceneExecutorTest.java b/src/test/java/com/gitblit/tests/LuceneExecutorTest.java
index 5c319e6..a8358b9 100644
--- a/src/test/java/com/gitblit/tests/LuceneExecutorTest.java
+++ b/src/test/java/com/gitblit/tests/LuceneExecutorTest.java
@@ -34,6 +34,8 @@
 import com.gitblit.tests.mock.MemorySettings;
 import com.gitblit.utils.FileUtils;
 import com.gitblit.utils.JGitUtils;
+import com.gitblit.utils.XssFilter;
+import com.gitblit.utils.XssFilter.AllowXssFilter;
 
 /**
  * Tests Lucene indexing and querying.
@@ -48,7 +50,8 @@
 	private LuceneService newLuceneExecutor() {
 		MemorySettings settings = new MemorySettings();
 		settings.put(Keys.git.repositoriesFolder, GitBlitSuite.REPOSITORIES);
-		RuntimeManager runtime = new RuntimeManager(settings, GitBlitSuite.BASEFOLDER).start();
+		XssFilter xssFilter = new AllowXssFilter();
+		RuntimeManager runtime = new RuntimeManager(settings, xssFilter, GitBlitSuite.BASEFOLDER).start();
 		UserManager users = new UserManager(runtime, null).start();
 		RepositoryManager repos = new RepositoryManager(runtime, null, users);
 		return new LuceneService(settings, repos);
diff --git a/src/test/java/com/gitblit/tests/RedisTicketServiceTest.java b/src/test/java/com/gitblit/tests/RedisTicketServiceTest.java
index b782b44..48011ad 100644
--- a/src/test/java/com/gitblit/tests/RedisTicketServiceTest.java
+++ b/src/test/java/com/gitblit/tests/RedisTicketServiceTest.java
@@ -30,6 +30,8 @@
 import com.gitblit.models.RepositoryModel;
 import com.gitblit.tickets.ITicketService;
 import com.gitblit.tickets.RedisTicketService;
+import com.gitblit.utils.XssFilter;
+import com.gitblit.utils.XssFilter.AllowXssFilter;
 
 /**
  * Tests the Redis ticket service.
@@ -57,8 +59,8 @@
 	protected ITicketService getService(boolean deleteAll) throws Exception {
 
 		IStoredSettings settings = getSettings(deleteAll);
-
-		IRuntimeManager runtimeManager = new RuntimeManager(settings).start();
+		XssFilter xssFilter = new AllowXssFilter();
+		IRuntimeManager runtimeManager = new RuntimeManager(settings, xssFilter).start();
 		IPluginManager pluginManager = new PluginManager(runtimeManager).start();
 		INotificationManager notificationManager = new NotificationManager(settings).start();
 		IUserManager userManager = new UserManager(runtimeManager, pluginManager).start();
diff --git a/src/test/java/com/gitblit/tests/RedmineAuthenticationTest.java b/src/test/java/com/gitblit/tests/RedmineAuthenticationTest.java
index 3b6b7bb..ad773b7 100644
--- a/src/test/java/com/gitblit/tests/RedmineAuthenticationTest.java
+++ b/src/test/java/com/gitblit/tests/RedmineAuthenticationTest.java
@@ -13,6 +13,8 @@
 import com.gitblit.manager.UserManager;
 import com.gitblit.models.UserModel;
 import com.gitblit.tests.mock.MemorySettings;
+import com.gitblit.utils.XssFilter;
+import com.gitblit.utils.XssFilter.AllowXssFilter;
 
 public class RedmineAuthenticationTest extends GitblitUnitTest {
 
@@ -25,7 +27,8 @@
     }
 
     RedmineAuthProvider newRedmineAuthentication(IStoredSettings settings) {
-    	RuntimeManager runtime = new RuntimeManager(settings, GitBlitSuite.BASEFOLDER).start();
+    	XssFilter xssFilter = new AllowXssFilter();
+    	RuntimeManager runtime = new RuntimeManager(settings, xssFilter, GitBlitSuite.BASEFOLDER).start();
     	UserManager users = new UserManager(runtime, null).start();
     	RedmineAuthProvider redmine = new RedmineAuthProvider();
     	redmine.setup(runtime, users);
@@ -37,7 +40,8 @@
     }
 
     AuthenticationManager newAuthenticationManager() {
-    	RuntimeManager runtime = new RuntimeManager(getSettings(), GitBlitSuite.BASEFOLDER).start();
+    	XssFilter xssFilter = new AllowXssFilter();
+    	RuntimeManager runtime = new RuntimeManager(getSettings(), xssFilter, GitBlitSuite.BASEFOLDER).start();
     	UserManager users = new UserManager(runtime, null).start();
     	RedmineAuthProvider redmine = new RedmineAuthProvider();
     	redmine.setup(runtime, users);
diff --git a/src/test/java/com/gitblit/tests/mock/MockRuntimeManager.java b/src/test/java/com/gitblit/tests/mock/MockRuntimeManager.java
index 54be539..7b56362 100644
--- a/src/test/java/com/gitblit/tests/mock/MockRuntimeManager.java
+++ b/src/test/java/com/gitblit/tests/mock/MockRuntimeManager.java
@@ -28,6 +28,8 @@
 import com.gitblit.models.ServerSettings;
 import com.gitblit.models.ServerStatus;
 import com.gitblit.models.SettingModel;
+import com.gitblit.utils.XssFilter;
+import com.gitblit.utils.XssFilter.AllowXssFilter;
 
 public class MockRuntimeManager implements IRuntimeManager {
 
@@ -148,6 +150,11 @@
 	}
 
 	@Override
+	public XssFilter getXssFilter() {
+		return new AllowXssFilter();
+	}
+
+	@Override
 	public boolean updateSettings(Map<String, String> updatedSettings) {
 		return settings.saveSettings(updatedSettings);
 	}
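Review bot: `getXssFilter()` allocates a new `AllowXssFilter` on every call, so successive calls return distinct objects, unlike the real `RuntimeManager`, which always returns the single injected instance; a test or caller that caches the filter or compares identity would see different behaviour against the mock. Hold one instance in a field, `private final XssFilter xssFilter = new AllowXssFilter();`, and return it from the method.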

--
Gitblit v1.9.1