jenkinsci · MarkEWaite · Mar 1, 2020 · Jan 30, 2020 · Jan 31, 2020 · Feb 1, 2020
@@ -261,6 +261,17 @@
         </exclusion>
       </exclusions>
     </dependency>
+    <dependency>
+      <groupId>commons-validator</groupId>
+      <artifactId>commons-validator</artifactId>
+      <version>1.6</version>
+      <exclusions>
+        <exclusion>
+          <groupId>commons-digester</groupId>
+          <artifactId>commons-digester</artifactId>
+        </exclusion>
+      </exclusions>
+    </dependency>
   </dependencies>
 
   <dependencyManagement>

@@ -1,15 +1,19 @@
 package hudson.plugins.git.browser;
 
 import hudson.Extension;
+import hudson.Util;
 import hudson.model.Descriptor;
+import hudson.model.Item;
 import hudson.plugins.git.GitChangeSet;
 import hudson.plugins.git.GitChangeSet.Path;
+import hudson.plugins.git.Messages;
 import hudson.scm.EditType;
 import hudson.scm.RepositoryBrowser;
 import hudson.util.FormValidation;
 import hudson.util.FormValidation.URLCheck;
-import jenkins.model.Jenkins;
 import net.sf.json.JSONObject;
+import org.apache.commons.validator.routines.UrlValidator;
+import org.kohsuke.stapler.AncestorInPath;
 import org.kohsuke.stapler.DataBoundConstructor;
 import org.kohsuke.stapler.interceptor.RequirePOST;
 import org.kohsuke.stapler.QueryParameter;
@@ -18,6 +22,8 @@
 import javax.annotation.Nonnull;
 import javax.servlet.ServletException;
 import java.io.IOException;
+import java.net.URI;
+import java.net.URISyntaxException;
 import java.net.URL;
 
 /**
@@ -94,18 +100,21 @@ public AssemblaWeb newInstance(StaplerRequest req, @Nonnull JSONObject jsonObjec
         }
 
         @RequirePOST
-        public FormValidation doCheckUrl(@QueryParameter(fixEmpty = true) final String url)
-                throws IOException, ServletException {
-            if (url == null) // nothing entered yet
+        public FormValidation doCheckRepoUrl(@AncestorInPath Item project, @QueryParameter(fixEmpty = true) final String repoUrl)
+                throws IOException, ServletException, URISyntaxException {
+
+            String cleanUrl = Util.fixEmptyAndTrim(repoUrl);
+            if (initialChecksAndReturnOk(project, cleanUrl))
             {
                 return FormValidation.ok();
             }
-            // Connect to URL and check content only if we have admin permission
-            if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER))
-                return FormValidation.ok();
+            // Connect to URL and check content only if we have permission
+            if (!checkURIFormatAndHostName(cleanUrl, "assembla")) {
+                return FormValidation.error(Messages.invalidUrl());
+            }
             return new URLCheck() {
                 protected FormValidation check() throws IOException, ServletException {
-                    String v = url;
+                    String v = cleanUrl;
                     if (!v.endsWith("/")) {
                         v += '/';
                     }
@@ -114,13 +123,21 @@ protected FormValidation check() throws IOException, ServletException {
                         if (findText(open(new URL(v)), "Assembla")) {
                             return FormValidation.ok();
                         } else {
-                            return FormValidation.error("This is a valid URL but it doesn't look like Assembla");
+                            return FormValidation.error("This is a valid URL but it does not look like Assembla");
                         }
                     } catch (IOException e) {
                         return handleIOException(v, e);
                     }
                 }
             }.check();
         }
+
+        private boolean checkURIFormatAndHostName(String url, String hostNameFragment) throws URISyntaxException {
+            URI uri = new URI(url);
+            String[] schemes = {"http", "https"};
+            UrlValidator urlValidator = new UrlValidator(schemes);
+            hostNameFragment = hostNameFragment + ".";
+            return urlValidator.isValid(uri.toString()) && uri.getHost().contains(hostNameFragment);
+        }
     }
 }
@@ -1,15 +1,18 @@
 package hudson.plugins.git.browser;
 
 import hudson.Extension;
+import hudson.Util;
 import hudson.model.Descriptor;
+import hudson.model.Item;
 import hudson.plugins.git.GitChangeSet;
 import hudson.plugins.git.GitChangeSet.Path;
+import hudson.plugins.git.Messages;
 import hudson.scm.EditType;
 import hudson.scm.RepositoryBrowser;
 import hudson.util.FormValidation;
 import hudson.util.FormValidation.URLCheck;
-import jenkins.model.Jenkins;
 import net.sf.json.JSONObject;
+import org.kohsuke.stapler.AncestorInPath;
 import org.kohsuke.stapler.DataBoundConstructor;
 import org.kohsuke.stapler.interceptor.RequirePOST;
 import org.kohsuke.stapler.QueryParameter;
@@ -19,6 +22,7 @@
 import javax.servlet.ServletException;
 import java.io.IOException;
 import java.io.UnsupportedEncodingException;
+import java.net.URISyntaxException;
 import java.net.URL;
 import java.net.URLEncoder;
 
@@ -66,6 +70,7 @@ public String getProjectName() {
      private String encodeString(final String s) throws UnsupportedEncodingException {
         return URLEncoder.encode(s, "UTF-8").replaceAll("\\+", "%20");
     }
+
     @Extension
     public static class ViewGitWebDescriptor extends Descriptor<RepositoryBrowser<?>> {
         @Nonnull
@@ -80,18 +85,21 @@ public GitBlitRepositoryBrowser newInstance(StaplerRequest req, @Nonnull JSONObj
         }
 
         @RequirePOST
-        public FormValidation doCheckUrl(@QueryParameter(fixEmpty = true) final String url)
-                throws IOException, ServletException {
-            if (url == null) // nothing entered yet
+        public FormValidation doCheckRepoUrl(@AncestorInPath Item project, @QueryParameter(fixEmpty = true) final String repoUrl)
+                throws IOException, ServletException, URISyntaxException {
+
+            String cleanUrl = Util.fixEmptyAndTrim(repoUrl);
+            if (initialChecksAndReturnOk(project, cleanUrl))
             {
                 return FormValidation.ok();
             }
-            // Connect to URL and check content only if we have admin permission
-            if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER))
-                return FormValidation.ok();
+            if (!checkURIFormat(cleanUrl))
+            {
+                return FormValidation.error(Messages.invalidUrl());
+            }
             return new URLCheck() {
                 protected FormValidation check() throws IOException, ServletException {
-                    String v = url;
+                    String v = cleanUrl;
                     if (!v.endsWith("/")) {
                         v += '/';
                     }

@@ -1,12 +1,14 @@
 package hudson.plugins.git.browser;
 
 import hudson.EnvVars;
+import hudson.model.Item;
 import hudson.model.Job;
 import hudson.model.TaskListener;
 import hudson.plugins.git.GitChangeSet;
 import hudson.plugins.git.GitChangeSet.Path;
 import hudson.scm.RepositoryBrowser;
 
+import org.apache.commons.validator.routines.UrlValidator;
 import org.kohsuke.stapler.Stapler;
 import org.kohsuke.stapler.StaplerRequest;
 
@@ -117,5 +119,25 @@ public static URL encodeURL(URL url) throws IOException {
         }
     }
 
+    protected static boolean initialChecksAndReturnOk(Item project, String cleanUrl){
+        if (cleanUrl == null) {
+            return true;
+        }
+        if (project == null || !project.hasPermission(Item.CONFIGURE)) {
+            return true;
+        }
+        if (cleanUrl.contains("$")) {
+            // set by variable, can't validate
+            return true;
+        }
+        return false;
+    }
+
+    protected static boolean checkURIFormat(String url) throws URISyntaxException {
+        String[] schemes = {"http", "https"};
+        UrlValidator urlValidator = new UrlValidator(schemes);
+        return urlValidator.isValid(url);
+    }
+
     private static final long serialVersionUID = 1L;
 }
@@ -1,23 +1,26 @@
 package hudson.plugins.git.browser;
 
 import hudson.Extension;
+import hudson.Util;
 import hudson.model.Descriptor;
+import hudson.model.Item;
 import hudson.plugins.git.GitChangeSet;
 import hudson.plugins.git.GitChangeSet.Path;
+import hudson.plugins.git.Messages;
 import hudson.scm.RepositoryBrowser;
 import hudson.util.FormValidation;
 import hudson.util.FormValidation.URLCheck;
 
-import jenkins.model.Jenkins;
-
 import java.io.IOException;
+import java.net.URISyntaxException;
 import java.net.URL;
 
 import javax.annotation.Nonnull;
 import javax.servlet.ServletException;
 
 import net.sf.json.JSONObject;
 
+import org.kohsuke.stapler.AncestorInPath;
 import org.kohsuke.stapler.DataBoundConstructor;
 import org.kohsuke.stapler.interceptor.RequirePOST;
 import org.kohsuke.stapler.QueryParameter;
@@ -70,15 +73,19 @@ public Gitiles newInstance(StaplerRequest req, @Nonnull JSONObject jsonObject) t
         }
 
         @RequirePOST
-        public FormValidation doCheckUrl(@QueryParameter(fixEmpty = true) final String url) throws IOException, ServletException {
-            if (url == null) // nothing entered yet
-                return FormValidation.ok();
-            // Connect to URL and check content only if we have admin permission
-            if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER))
+        public FormValidation doCheckRepoUrl(@AncestorInPath Item project, @QueryParameter(fixEmpty = true) final String repoUrl)
+                throws IOException, ServletException, URISyntaxException {
+
+            String cleanUrl = Util.fixEmptyAndTrim(repoUrl);
+            if(initialChecksAndReturnOk(project, cleanUrl)){
                 return FormValidation.ok();
+            }
+            if (!checkURIFormat(cleanUrl)) {
+                return FormValidation.error(Messages.invalidUrl());
+            }
             return new URLCheck() {
                 protected FormValidation check() throws IOException, ServletException {
-                    String v = url;
+                    String v = cleanUrl;
                     if (!v.endsWith("/"))
                         v += '/';
 

@@ -1,16 +1,19 @@
 package hudson.plugins.git.browser;
 
 import hudson.Extension;
+import hudson.Util;
 import hudson.model.Descriptor;
+import hudson.model.Item;
 import hudson.plugins.git.GitChangeSet;
 import hudson.plugins.git.GitChangeSet.Path;
+import hudson.plugins.git.Messages;
 import hudson.scm.EditType;
 import hudson.scm.RepositoryBrowser;
 import hudson.scm.browsers.QueryBuilder;
 import hudson.util.FormValidation;
 import hudson.util.FormValidation.URLCheck;
-import jenkins.model.Jenkins;
 import net.sf.json.JSONObject;
+import org.kohsuke.stapler.AncestorInPath;
 import org.kohsuke.stapler.DataBoundConstructor;
 import org.kohsuke.stapler.interceptor.RequirePOST;
 import org.kohsuke.stapler.QueryParameter;
@@ -20,6 +23,7 @@
 import javax.servlet.ServletException;
 import java.io.IOException;
 import java.io.UnsupportedEncodingException;
+import java.net.URISyntaxException;
 import java.net.URL;
 import java.net.URLEncoder;
 
@@ -89,15 +93,19 @@ public ViewGitWeb newInstance(StaplerRequest req, @Nonnull JSONObject jsonObject
         }
 
         @RequirePOST
-        public FormValidation doCheckUrl(@QueryParameter(fixEmpty = true) final String url) throws IOException, ServletException {
-            if (url == null) // nothing entered yet
-                return FormValidation.ok();
+        public FormValidation doCheckRepoUrl(@AncestorInPath Item project, @QueryParameter(fixEmpty = true) final String repoUrl)
+                throws IOException, ServletException, URISyntaxException {
+
+            String cleanUrl = Util.fixEmptyAndTrim(repoUrl);
             // Connect to URL and check content only if we have admin permission
-            if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER))
+            if (initialChecksAndReturnOk(project, cleanUrl))
                 return FormValidation.ok();
+            if (!checkURIFormat(cleanUrl)) {
+                return FormValidation.error(Messages.invalidUrl());
+            }
             return new URLCheck() {
                 protected FormValidation check() throws IOException, ServletException {
-                    String v = url;
+                    String v = cleanUrl;
                     if (!v.endsWith("/"))
                         v += '/';
 

@@ -6,6 +6,7 @@ BuildChooser_BuildingLastRevision=No new revisions were found; the most-recently
 UserRemoteConfig.FailedToConnect=Failed to connect to repository : {0}
 UserRemoteConfig.CheckUrl.UrlIsNull=Please enter Git repository.
 UserRemoteConfig.CheckRefSpec.InvalidRefSpec=Specification is invalid.
+invalidUrl=Invalid URL
 
 GitPublisher.Check.TagName=Tag Name
 GitPublisher.Check.BranchName=Branch Name