Merge branch 'stable-3.10'

* stable-3.10:
  Set change status to WIP if cherry-pick results in conflicts
  Add display names for email messageClass
  Adapt ReindexModuleLoader to API changes
  Don't allow CORS for /plugins/[static/Documentation]/* by default
  Add cherry-pick information to change message
  Fix regexp for matching all full urls to match part with &
  Fix regexp for matching all full urls to match part with &
  Set version to 3.9.7-SNAPSHOT
  Set version to 3.9.6
  Set version to 3.8.9-SNAPSHOT
  Set version to 3.8.8

Release-Notes: skip
Change-Id: I066cb9b5d90eb7002191ded19c2fdbd88fa793de
diff --git a/java/com/google/gerrit/acceptance/AbstractDaemonTest.java b/java/com/google/gerrit/acceptance/AbstractDaemonTest.java
index 7dc070c..19b9607d 100644
--- a/java/com/google/gerrit/acceptance/AbstractDaemonTest.java
+++ b/java/com/google/gerrit/acceptance/AbstractDaemonTest.java
@@ -134,6 +134,7 @@
 import com.google.gerrit.server.notedb.ChangeNotes;
 import com.google.gerrit.server.notedb.ChangeNotesCommit;
 import com.google.gerrit.server.notedb.ChangeNotesCommit.ChangeNotesRevWalk;
+import com.google.gerrit.server.plugins.PluginContentScanner;
 import com.google.gerrit.server.plugins.PluginGuiceEnvironment;
 import com.google.gerrit.server.plugins.TestServerPlugin;
 import com.google.gerrit.server.project.ProjectCache;
@@ -1753,6 +1754,16 @@
       @Nullable Class<? extends Module> httpModuleClass,
       @Nullable Class<? extends Module> sshModuleClass)
       throws Exception {
+    return installPlugin(pluginName, sysModuleClass, httpModuleClass, sshModuleClass, null);
+  }
+
+  protected AutoCloseable installPlugin(
+      String pluginName,
+      @Nullable Class<? extends Module> sysModuleClass,
+      @Nullable Class<? extends Module> httpModuleClass,
+      @Nullable Class<? extends Module> sshModuleClass,
+      PluginContentScanner scanner)
+      throws Exception {
     checkStatic(sysModuleClass);
     checkStatic(httpModuleClass);
     checkStatic(sshModuleClass);
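Review bot: The new `scanner` parameter of the five-argument `installPlugin` is not marked `@Nullable`, although the four-argument overload delegates to it with `null` and the three module-class parameters beside it are all annotated. Declaring it as `@Nullable PluginContentScanner scanner)` would keep the signature consistent. A short Javadoc saying when a test should pass `PluginContentScanner.EMPTY` rather than null would also help, since the new CORS tests depend on that choice. The same gap appears in the new nine-argument `TestServerPlugin` constructor later in this commit, which is likewise called with `null`; whether that file already imports the annotation is not visible here. The body of `installPlugin` continues past the end of this hunk.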
@@ -1761,6 +1772,7 @@
             pluginName,
             "http://example.com/" + pluginName,
             pluginUserFactory.create(pluginName),
+            scanner,
             getClass().getClassLoader(),
             sysModuleClass != null ? sysModuleClass.getName() : null,
             httpModuleClass != null ? httpModuleClass.getName() : null,
diff --git a/java/com/google/gerrit/httpd/plugins/HttpPluginServlet.java b/java/com/google/gerrit/httpd/plugins/HttpPluginServlet.java
index 9b8f4c6..e17a534 100644
--- a/java/com/google/gerrit/httpd/plugins/HttpPluginServlet.java
+++ b/java/com/google/gerrit/httpd/plugins/HttpPluginServlet.java
@@ -353,7 +353,7 @@
   }
 
   private boolean isOriginAllowed(String origin) {
-    return allowOrigin == null || allowOrigin.matcher(origin).matches();
+    return allowOrigin != null && allowOrigin.matcher(origin).matches();
   }
 
   private boolean hasUpToDateCachedResource(Resource cachedResource, long lastUpdateTime) {
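Review bot: `isOriginAllowed` now fails closed when `allowOrigin` is null, but nothing at the method records that this is deliberate, and the previous default was the exact opposite. A comment such as `// Fail closed: without a configured origin pattern no cross-origin request is allowed.` would keep a later cleanup from restoring the permissive behaviour. `origin` goes straight into `matcher()`, which throws on null; the callers are outside this hunk, so it is worth confirming they only reach this method when the Origin header is present. Because `matches()` requires the whole origin string to match, the configured pattern is effectively anchored, which is the safe choice for an allow-list.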
diff --git a/java/com/google/gerrit/server/plugins/TestServerPlugin.java b/java/com/google/gerrit/server/plugins/TestServerPlugin.java
index cd5d5e3..a7ca88f 100644
--- a/java/com/google/gerrit/server/plugins/TestServerPlugin.java
+++ b/java/com/google/gerrit/server/plugins/TestServerPlugin.java
@@ -34,13 +34,27 @@
       String sshName,
       Path dataDir)
       throws InvalidPluginException {
+    this(name, pluginCanonicalWebUrl, user, null, classLoader, sysName, httpName, sshName, dataDir);
+  }
+
+  public TestServerPlugin(
+      String name,
+      String pluginCanonicalWebUrl,
+      PluginUser user,
+      PluginContentScanner scanner,
+      ClassLoader classLoader,
+      String sysName,
+      String httpName,
+      String sshName,
+      Path dataDir)
+      throws InvalidPluginException {
     super(
         name,
         pluginCanonicalWebUrl,
         user,
         null,
         null,
-        null,
+        scanner,
         dataDir,
         classLoader,
         null,
@@ -83,9 +97,4 @@
   public void stop(PluginGuiceEnvironment env) {
     super.stop(env);
   }
-
-  @Override
-  public PluginContentScanner getContentScanner() {
-    return null;
-  }
 }
diff --git a/javatests/com/google/gerrit/acceptance/api/plugin/CorsForPluginsIT.java b/javatests/com/google/gerrit/acceptance/api/plugin/CorsForPluginsIT.java
new file mode 100644
index 0000000..5e9e81a
--- /dev/null
+++ b/javatests/com/google/gerrit/acceptance/api/plugin/CorsForPluginsIT.java
@@ -0,0 +1,101 @@
+// Copyright (C) 2024 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package com.google.gerrit.acceptance.api.plugin;
+
+import static com.google.common.net.HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN;
+import static com.google.common.net.HttpHeaders.ORIGIN;
+import static com.google.common.truth.Truth.assertThat;
+
+import com.google.gerrit.acceptance.AbstractDaemonTest;
+import com.google.gerrit.acceptance.RestResponse;
+import com.google.gerrit.acceptance.config.GerritConfig;
+import com.google.gerrit.server.UrlEncoded;
+import com.google.gerrit.server.plugins.PluginContentScanner;
+import com.google.inject.Singleton;
+import com.google.inject.servlet.ServletModule;
+import java.io.IOException;
+import java.io.PrintWriter;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import org.apache.http.client.fluent.Request;
+import org.junit.Test;
+
+public class CorsForPluginsIT extends AbstractDaemonTest {
+
+  static class FooPluginHttpModule extends ServletModule {
+    @Override
+    public void configureServlets() {
+      serve("/bar").with(BarServlet.class);
+    }
+  }
+
+  @Singleton
+  static class BarServlet extends HttpServlet {
+    private static final long serialVersionUID = 1L;
+
+    @Override
+    protected void service(HttpServletRequest req, HttpServletResponse resp)
+        throws ServletException, IOException {
+      resp.setContentType("text/plain");
+      try (PrintWriter out = resp.getWriter()) {
+        out.println("Hi!");
+      }
+    }
+  }
+
+  @Test
+  public void noCorsConfig_CorsNotAllowed() throws Exception {
+    try (AutoCloseable ignored =
+        installPlugin("foo", null, FooPluginHttpModule.class, null, PluginContentScanner.EMPTY)) {
+
+      RestResponse rsp = execute("/plugins/foo/Documentation/foo.html", "evil");
+      assertThat(rsp.getHeader(ACCESS_CONTROL_ALLOW_ORIGIN)).isNull();
+
+      rsp = execute("/plugins/foo/bar", "evil");
+      assertThat(rsp.getHeader(ACCESS_CONTROL_ALLOW_ORIGIN)).isNull();
+    }
+  }
+
+  @Test
+  @GerritConfig(name = "site.allowOriginRegex", value = "friend")
+  public void configConfigured_onlyMatchingOriginAllowed() throws Exception {
+    try (AutoCloseable ignored =
+        installPlugin("foo", null, FooPluginHttpModule.class, null, PluginContentScanner.EMPTY)) {
+
+      RestResponse rsp;
+
+      rsp = execute("/plugins/foo/Documentation/foo.html", "evil");
+      assertThat(rsp.getHeader(ACCESS_CONTROL_ALLOW_ORIGIN)).isNull();
+      rsp = execute("/plugins/foo/bar", "evil");
+      assertThat(rsp.getHeader(ACCESS_CONTROL_ALLOW_ORIGIN)).isNull();
+
+      rsp = execute("/plugins/foo/static/resource", "friend");
+      assertThat(rsp.getHeader(ACCESS_CONTROL_ALLOW_ORIGIN)).isNotNull();
+
+      // TODO: this should also work
+      // rsp = execute("/plugins/foo/bar", "friend");
+      // assertThat(rsp.getHeader(ACCESS_CONTROL_ALLOW_ORIGIN)).isNotNull();
+    }
+  }
+
+  private RestResponse execute(String path, String origin) throws Exception {
+    UrlEncoded url = new UrlEncoded(canonicalWebUrl.get() + path);
+    Request req = Request.Get(url.toString());
+    req.setHeader(ORIGIN, origin);
+    return adminRestSession.execute(req);
+  }
+}
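Review bot: `noCorsConfig_CorsNotAllowed` never requests a `/plugins/foo/static/` path, although that is one of the two prefixes named in the fix and the only one the positive case exercises. Adding `rsp = execute("/plugins/foo/static/resource", "evil");` followed by `assertThat(rsp.getHeader(ACCESS_CONTROL_ALLOW_ORIGIN)).isNull();` to both tests would pin the deny-by-default behaviour on that path as well. The positive assertion uses `isNotNull()`, so it would also pass if the server answered with a wildcard; if the header is expected to echo the request origin, `isEqualTo("friend")` is the tighter check. The commented-out `/plugins/foo/bar` case would be easier to follow up with an issue reference on the TODO.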