James Moger
2014-09-06 fc3a39d464b1303f0b7d01d0160f81cbbb80a98b
Create infrastructure for XSS sanitization
2 files added
21 files modified
299 ■■■■■ changed files
.classpath 1 ●●●●
build.moxie 1 ●●●●
gitblit.iml 11 ●●●●●
src/main/java/com/gitblit/DaggerModule.java 11 ●●●●
src/main/java/com/gitblit/FederationClient.java 5 ●●●●
src/main/java/com/gitblit/MigrateTickets.java 5 ●●●●
src/main/java/com/gitblit/ReindexTickets.java 5 ●●●●
src/main/java/com/gitblit/manager/GitblitManager.java 6 ●●●●●
src/main/java/com/gitblit/manager/IRuntimeManager.java 8 ●●●●●
src/main/java/com/gitblit/manager/RuntimeManager.java 21 ●●●●
src/main/java/com/gitblit/utils/JSoupXssFilter.java 87 ●●●●●
src/main/java/com/gitblit/utils/XssFilter.java 64 ●●●●●
src/main/java/com/gitblit/wicket/GitBlitWebApp.java 12 ●●●●●
src/main/java/com/gitblit/wicket/GitblitWicketApp.java 3 ●●●●●
src/test/java/com/gitblit/tests/AuthenticationManagerTest.java 5 ●●●●
src/test/java/com/gitblit/tests/BranchTicketServiceTest.java 6 ●●●●●
src/test/java/com/gitblit/tests/FileTicketServiceTest.java 6 ●●●●●
src/test/java/com/gitblit/tests/HtpasswdAuthenticationTest.java 8 ●●●●
src/test/java/com/gitblit/tests/LdapAuthenticationTest.java 8 ●●●●
src/test/java/com/gitblit/tests/LuceneExecutorTest.java 5 ●●●●
src/test/java/com/gitblit/tests/RedisTicketServiceTest.java 6 ●●●●●
src/test/java/com/gitblit/tests/RedmineAuthenticationTest.java 8 ●●●●
src/test/java/com/gitblit/tests/mock/MockRuntimeManager.java 7 ●●●●●
.classpath
@@ -77,6 +77,7 @@
    <classpathentry kind="lib" path="ext/commons-pool2-2.0.jar" sourcepath="ext/src/commons-pool2-2.0.jar" />
    <classpathentry kind="lib" path="ext/pf4j-0.8.0.jar" sourcepath="ext/src/pf4j-0.8.0.jar" />
    <classpathentry kind="lib" path="ext/tika-core-1.5.jar" sourcepath="ext/src/tika-core-1.5.jar" />
    <classpathentry kind="lib" path="ext/jsoup-1.7.3.jar" sourcepath="ext/src/jsoup-1.7.3.jar" />
    <classpathentry kind="lib" path="ext/junit-4.11.jar" sourcepath="ext/src/junit-4.11.jar" />
    <classpathentry kind="lib" path="ext/hamcrest-core-1.3.jar" sourcepath="ext/src/hamcrest-core-1.3.jar" />
    <classpathentry kind="lib" path="ext/selenium-java-2.28.0.jar" sourcepath="ext/src/selenium-java-2.28.0.jar" />
build.moxie
@@ -176,6 +176,7 @@
- compile 'redis.clients:jedis:2.3.1' :war
- compile 'ro.fortsoft.pf4j:pf4j:0.8.0' :war
- compile 'org.apache.tika:tika-core:1.5' :war
- compile 'org.jsoup:jsoup:1.7.3' :war
- test 'junit'
# Dependencies for Selenium web page testing
- test 'org.seleniumhq.selenium:selenium-java:${selenium.version}' @jar
gitblit.iml
@@ -801,6 +801,17 @@
        </SOURCES>
      </library>
    </orderEntry>
    <orderEntry type="module-library">
      <library name="jsoup-1.7.3.jar">
        <CLASSES>
          <root url="jar://$MODULE_DIR$/ext/jsoup-1.7.3.jar!/" />
        </CLASSES>
        <JAVADOC />
        <SOURCES>
          <root url="jar://$MODULE_DIR$/ext/src/jsoup-1.7.3.jar!/" />
        </SOURCES>
      </library>
    </orderEntry>
    <orderEntry type="module-library" scope="TEST">
      <library name="junit-4.11.jar">
        <CLASSES>
src/main/java/com/gitblit/DaggerModule.java
@@ -38,7 +38,9 @@
import com.gitblit.transport.ssh.IPublicKeyManager;
import com.gitblit.transport.ssh.MemoryKeyManager;
import com.gitblit.transport.ssh.NullKeyManager;
import com.gitblit.utils.JSoupXssFilter;
import com.gitblit.utils.StringUtils;
import com.gitblit.utils.XssFilter;
import com.gitblit.wicket.GitBlitWebApp;
import dagger.Module;
@@ -54,6 +56,7 @@
    library = true,
    injects = {
            IStoredSettings.class,
            XssFilter.class,
            // core managers
            IRuntimeManager.class,
@@ -79,8 +82,12 @@
        return new FileSettings();
    }
    @Provides @Singleton IRuntimeManager provideRuntimeManager(IStoredSettings settings) {
        return new RuntimeManager(settings);
    @Provides @Singleton XssFilter provideXssFilter() {
        return new JSoupXssFilter();
    }
    @Provides @Singleton IRuntimeManager provideRuntimeManager(IStoredSettings settings, XssFilter xssFilter) {
        return new RuntimeManager(settings, xssFilter);
    }
    @Provides @Singleton IPluginManager providePluginManager(IRuntimeManager runtimeManager) {
src/main/java/com/gitblit/FederationClient.java
@@ -36,6 +36,8 @@
import com.gitblit.service.FederationPullService;
import com.gitblit.utils.FederationUtils;
import com.gitblit.utils.StringUtils;
import com.gitblit.utils.XssFilter;
import com.gitblit.utils.XssFilter.AllowXssFilter;
/**
 * Command-line client to pull federated Gitblit repositories.
@@ -92,7 +94,8 @@
        }
        // configure the Gitblit singleton for minimal, non-server operation
        RuntimeManager runtime = new RuntimeManager(settings, baseFolder).start();
        XssFilter xssFilter = new AllowXssFilter();
        RuntimeManager runtime = new RuntimeManager(settings, xssFilter, baseFolder).start();
        NoopNotificationManager notifications = new NoopNotificationManager().start();
        UserManager users = new UserManager(runtime, null).start();
        RepositoryManager repositories = new RepositoryManager(runtime, null, users).start();
src/main/java/com/gitblit/MigrateTickets.java
@@ -39,6 +39,8 @@
import com.gitblit.tickets.ITicketService;
import com.gitblit.tickets.RedisTicketService;
import com.gitblit.utils.StringUtils;
import com.gitblit.utils.XssFilter;
import com.gitblit.utils.XssFilter.AllowXssFilter;
/**
 * A command-line tool to move all tickets from one ticket service to another.
@@ -134,7 +136,8 @@
        settings.overrideSetting(Keys.web.activityCacheDays, 0);
        settings.overrideSetting(ITicketService.SETTING_UPDATE_DIFFSTATS, false);
        IRuntimeManager runtimeManager = new RuntimeManager(settings, baseFolder).start();
        XssFilter xssFilter = new AllowXssFilter();
        IRuntimeManager runtimeManager = new RuntimeManager(settings, xssFilter, baseFolder).start();
        IRepositoryManager repositoryManager = new RepositoryManager(runtimeManager, null, null).start();
        String inputServiceName = settings.getString(Keys.tickets.service, BranchTicketService.class.getSimpleName());
src/main/java/com/gitblit/ReindexTickets.java
@@ -33,6 +33,8 @@
import com.gitblit.tickets.ITicketService;
import com.gitblit.tickets.RedisTicketService;
import com.gitblit.utils.StringUtils;
import com.gitblit.utils.XssFilter;
import com.gitblit.utils.XssFilter.AllowXssFilter;
/**
 * A command-line tool to reindex all tickets in all repositories when the
@@ -126,7 +128,8 @@
        settings.overrideSetting(Keys.git.enableMirroring, false);
        settings.overrideSetting(Keys.web.activityCacheDays, 0);
        IRuntimeManager runtimeManager = new RuntimeManager(settings, baseFolder).start();
        XssFilter xssFilter = new AllowXssFilter();
        IRuntimeManager runtimeManager = new RuntimeManager(settings, xssFilter, baseFolder).start();
        IRepositoryManager repositoryManager = new RepositoryManager(runtimeManager, null, null).start();
        String serviceName = settings.getString(Keys.tickets.service, BranchTicketService.class.getSimpleName());
src/main/java/com/gitblit/manager/GitblitManager.java
@@ -79,6 +79,7 @@
import com.gitblit.transport.ssh.IPublicKeyManager;
import com.gitblit.transport.ssh.SshKey;
import com.gitblit.utils.ArrayUtils;
import com.gitblit.utils.XssFilter;
import com.gitblit.utils.HttpUtils;
import com.gitblit.utils.JsonUtils;
import com.gitblit.utils.ObjectCache;
@@ -663,6 +664,11 @@
        return runtimeManager.getStatus();
    }
    @Override
    public XssFilter getXssFilter() {
        return runtimeManager.getXssFilter();
    }
    /*
     * NOTIFICATION MANAGER
     */
src/main/java/com/gitblit/manager/IRuntimeManager.java
@@ -24,6 +24,7 @@
import com.gitblit.IStoredSettings;
import com.gitblit.models.ServerSettings;
import com.gitblit.models.ServerStatus;
import com.gitblit.utils.XssFilter;
public interface IRuntimeManager extends IManager {
@@ -151,4 +152,11 @@
      * @since 1.4.0
     */
    boolean updateSettings(Map<String, String> updatedSettings);
    /**
     * Returns the HTML sanitizer used to clean user content.
     *
     * @return the HTML sanitizer
     */
    XssFilter getXssFilter();
}
src/main/java/com/gitblit/manager/RuntimeManager.java
@@ -32,12 +32,15 @@
import com.gitblit.models.ServerStatus;
import com.gitblit.models.SettingModel;
import com.gitblit.utils.StringUtils;
import com.gitblit.utils.XssFilter;
public class RuntimeManager implements IRuntimeManager {
    private final Logger logger = LoggerFactory.getLogger(getClass());
    private final IStoredSettings settings;
    private final XssFilter xssFilter;
    private final ServerStatus serverStatus;
@@ -47,14 +50,15 @@
    private TimeZone timezone;
    public RuntimeManager(IStoredSettings settings) {
        this(settings, null);
    public RuntimeManager(IStoredSettings settings, XssFilter xssFilter) {
        this(settings, xssFilter, null);
    }
    public RuntimeManager(IStoredSettings settings, File baseFolder) {
    public RuntimeManager(IStoredSettings settings, XssFilter xssFilter, File baseFolder) {
        this.settings = settings;
        this.settingsModel = new ServerSettings();
        this.serverStatus = new ServerStatus();
        this.xssFilter = xssFilter;
        this.baseFolder = baseFolder == null ? new File("") : baseFolder;
    }
@@ -262,4 +266,15 @@
        serverStatus.heapFree = Runtime.getRuntime().freeMemory();
        return serverStatus;
    }
    /**
     * Returns the XSS filter.
     *
     * @return the XSS filter
     */
    @Override
    public XssFilter getXssFilter() {
        return xssFilter;
    }
}
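Review bot: The three-argument constructor stores `xssFilter` without a null check, so `getXssFilter()` can return `null`; GitBlitWebApp copies that value into its own field in this same commit. For a sanitizer it is safer to fail at construction than to find the filter missing when user content is rendered, for example `this.xssFilter = Objects.requireNonNull(xssFilter, "xssFilter");` with `java.util.Objects` imported (assuming the build targets Java 7 or later). The Javadoc on `getXssFilter()` here and in IRuntimeManager could then state that the result is never null. The class body continues outside the hunks shown.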
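--- /dev/null
+++ b/src/main/java/com/gitblit/utils/JSoupXssFilter.java
@@ -0,0 +1,87 @@
+/*
+ * Copyright 2014 gitblit.com.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.gitblit.utils;
+import org.jsoup.Jsoup;
+import org.jsoup.nodes.Document;
+import org.jsoup.safety.Cleaner;
+import org.jsoup.safety.Whitelist;
+/**
+ * Implementation of an XSS filter based on JSoup.
+ *
+ * @author James Moger
+ *
+ */
+public class JSoupXssFilter implements XssFilter {
+     private final Cleaner none;
+     private final Cleaner relaxed;
+     public JSoupXssFilter() {
+         none = new Cleaner(Whitelist.none());
+         relaxed = new Cleaner(getRelaxedWhiteList());
+    }
+    @Override
+    public String none(String input) {
+        return clean(input, none);
+    }
+    @Override
+    public String relaxed(String input) {
+        return clean(input, relaxed);
+    }
+    protected String clean(String input, Cleaner cleaner) {
+        Document unsafe = Jsoup.parse(input);
+        Document safe = cleaner.clean(unsafe);
+        return safe.body().html();
+    }
+    /**
+     * Builds & returns a loose HTML whitelist similar to Github.
+     *
+     * https://github.com/github/markup/tree/master#html-sanitization
+     * @return a loose HTML whitelist
+     */
+    protected Whitelist getRelaxedWhiteList() {
+        return new Whitelist()
+        .addTags(
+                "a", "b", "blockquote", "br", "caption", "cite", "code", "col",
+                "colgroup", "dd", "del", "div", "dl", "dt", "em", "h1", "h2", "h3", "h4", "h5", "h6", "hr",
+                "i", "img", "ins", "kbd", "li", "ol", "p", "pre", "q", "samp", "small", "strike", "strong",
+                "sub", "sup", "table", "tbody", "td", "tfoot", "th", "thead", "tr", "tt", "u",
+                "ul", "var")
+        .addAttributes("a", "href", "title")
+        .addAttributes("blockquote", "cite")
+        .addAttributes("col", "span", "width")
+        .addAttributes("colgroup", "span", "width")
+        .addAttributes("img", "align", "alt", "height", "src", "title", "width")
+        .addAttributes("ol", "start", "type")
+        .addAttributes("q", "cite")
+        .addAttributes("table", "summary", "width")
+        .addAttributes("td", "abbr", "axis", "colspan", "rowspan", "width")
+        .addAttributes("th", "abbr", "axis", "colspan", "rowspan", "scope", "width")
+        .addAttributes("ul", "type")
+        .addEnforcedAttribute("a", "rel", "nofollow")
+        ;
+    }
+}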
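Review bot: `getRelaxedWhiteList()` allows the URL-carrying attributes `a[href]`, `img[src]`, `blockquote[cite]` and `q[cite]` but never calls `addProtocols`, and a jsoup `Whitelist` with no protocol list for an attribute accepts any value, script-scheme URLs included. jsoup's own `Whitelist.relaxed()` restricts these attributes to a short scheme list, and the same restriction is needed here before `relaxed()` is applied to user content. The schemes in the sketch below are a starting point; once protocols are enforced, relative links are dropped unless a base URI is passed to the parser and `preserveRelativeLinks(true)` is set. Separately, `clean()` passes `input` straight to `Jsoup.parse`, so null input reaches the parser unchecked; a guard such as `if (input == null) return null;` would make the contract explicit.

```java
        // … unchanged: addTags(...) and addAttributes(...) calls …
        .addEnforcedAttribute("a", "rel", "nofollow")
        // restrict URL-carrying attributes to an explicit scheme list
        .addProtocols("a", "href", "http", "https", "mailto")
        .addProtocols("blockquote", "cite", "http", "https")
        .addProtocols("img", "src", "http", "https")
        .addProtocols("q", "cite", "http", "https")
        ;
```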
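--- /dev/null
+++ b/src/main/java/com/gitblit/utils/XssFilter.java
@@ -0,0 +1,64 @@
+/*
+ * Copyright 2014 gitblit.com.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.gitblit.utils;
+/**
+ * Defines the contract for an XSS filter implementation.
+ *
+ * @author James Moger
+ *
+ */
+public interface XssFilter {
+    /**
+     * Returns a filtered version of the input value that contains no html
+     * elements.
+     *
+     * @param input
+     * @return a plain text value
+     */
+    String none(String input);
+    /**
+     * Returns a filtered version of the input that contains structural html
+     * elements.
+     *
+     * @param input
+     * @return a filtered html value
+     */
+    String relaxed(String input);
+    /**
+     * A NOOP XSS filter.
+     *
+     * @author James Moger
+     *
+     */
+    public class AllowXssFilter implements XssFilter {
+        @Override
+        public String none(String input) {
+            return input;
+        }
+        @Override
+        public String relaxed(String input) {
+            return input;
+        }
+    }
+}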
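Review bot: The Javadoc on `AllowXssFilter` says only "A NOOP XSS filter", which is thin for a public class in main sources that anyone can pass to `RuntimeManager`. It should state that both methods return the input unmodified and that the class is for command-line tools and tests, for example `Pass-through filter that performs no sanitization; for command-line tools and tests only, never for the web UI.` The interface docs should also say whether `input` may be null and what `none()` returns for text containing `&` or `<`. The jsoup implementation in this commit returns `body().html()`, which is entity-escaped markup rather than the "plain text value" the `@return` promises, and that matters if a caller escapes the result again.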
src/main/java/com/gitblit/wicket/GitBlitWebApp.java
@@ -46,6 +46,7 @@
import com.gitblit.manager.IUserManager;
import com.gitblit.tickets.ITicketService;
import com.gitblit.transport.ssh.IPublicKeyManager;
import com.gitblit.utils.XssFilter;
import com.gitblit.wicket.pages.ActivityPage;
import com.gitblit.wicket.pages.BlamePage;
import com.gitblit.wicket.pages.BlobDiffPage;
@@ -100,6 +101,8 @@
    private final IStoredSettings settings;
    private final XssFilter xssFilter;
    private final IRuntimeManager runtimeManager;
    private final IPluginManager pluginManager;
@@ -134,6 +137,7 @@
        super();
        this.settings = runtimeManager.getSettings();
        this.xssFilter = runtimeManager.getXssFilter();
        this.runtimeManager = runtimeManager;
        this.pluginManager = pluginManager;
        this.notificationManager = notificationManager;
@@ -308,6 +312,14 @@
    }
    /* (non-Javadoc)
     * @see com.gitblit.wicket.Webapp#xssFilter()
     */
    @Override
    public XssFilter xssFilter() {
        return xssFilter;
    }
    /* (non-Javadoc)
     * @see com.gitblit.wicket.Webapp#isDebugMode()
     */
    @Override
src/main/java/com/gitblit/wicket/GitblitWicketApp.java
@@ -17,6 +17,7 @@
import com.gitblit.manager.IUserManager;
import com.gitblit.tickets.ITicketService;
import com.gitblit.transport.ssh.IPublicKeyManager;
import com.gitblit.utils.XssFilter;
public interface GitblitWicketApp {
@@ -30,6 +31,8 @@
    public abstract IStoredSettings settings();
    public abstract XssFilter xssFilter();
    /**
     * Is Gitblit running in debug mode?
     *
src/test/java/com/gitblit/tests/AuthenticationManagerTest.java
@@ -26,6 +26,8 @@
import com.gitblit.manager.UserManager;
import com.gitblit.models.UserModel;
import com.gitblit.tests.mock.MemorySettings;
import com.gitblit.utils.XssFilter;
import com.gitblit.utils.XssFilter.AllowXssFilter;
/**
 * Class for testing local authentication.
@@ -42,7 +44,8 @@
    }
    IAuthenticationManager newAuthenticationManager() {
        RuntimeManager runtime = new RuntimeManager(getSettings(), GitBlitSuite.BASEFOLDER).start();
        XssFilter xssFilter = new AllowXssFilter();
        RuntimeManager runtime = new RuntimeManager(getSettings(), xssFilter, GitBlitSuite.BASEFOLDER).start();
        users = new UserManager(runtime, null).start();
        AuthenticationManager auth = new AuthenticationManager(runtime, users).start();
        return auth;
src/test/java/com/gitblit/tests/BranchTicketServiceTest.java
@@ -29,6 +29,8 @@
import com.gitblit.models.RepositoryModel;
import com.gitblit.tickets.BranchTicketService;
import com.gitblit.tickets.ITicketService;
import com.gitblit.utils.XssFilter;
import com.gitblit.utils.XssFilter.AllowXssFilter;
/**
 * Tests the branch ticket service.
@@ -50,8 +52,8 @@
    protected ITicketService getService(boolean deleteAll) throws Exception {
        IStoredSettings settings = getSettings(deleteAll);
        IRuntimeManager runtimeManager = new RuntimeManager(settings).start();
        XssFilter xssFilter = new AllowXssFilter();
        IRuntimeManager runtimeManager = new RuntimeManager(settings, xssFilter).start();
        IPluginManager pluginManager = new PluginManager(runtimeManager).start();
        INotificationManager notificationManager = new NotificationManager(settings).start();
        IUserManager userManager = new UserManager(runtimeManager, pluginManager).start();
src/test/java/com/gitblit/tests/FileTicketServiceTest.java
@@ -29,6 +29,8 @@
import com.gitblit.models.RepositoryModel;
import com.gitblit.tickets.FileTicketService;
import com.gitblit.tickets.ITicketService;
import com.gitblit.utils.XssFilter;
import com.gitblit.utils.XssFilter.AllowXssFilter;
/**
 * Tests the file ticket service.
@@ -49,8 +51,8 @@
    protected ITicketService getService(boolean deleteAll) throws Exception {
        IStoredSettings settings = getSettings(deleteAll);
        IRuntimeManager runtimeManager = new RuntimeManager(settings).start();
        XssFilter xssFilter = new AllowXssFilter();
        IRuntimeManager runtimeManager = new RuntimeManager(settings, xssFilter).start();
        IPluginManager pluginManager = new PluginManager(runtimeManager).start();
        INotificationManager notificationManager = new NotificationManager(settings).start();
        IUserManager userManager = new UserManager(runtimeManager, pluginManager).start();
src/test/java/com/gitblit/tests/HtpasswdAuthenticationTest.java
@@ -32,6 +32,8 @@
import com.gitblit.manager.UserManager;
import com.gitblit.models.UserModel;
import com.gitblit.tests.mock.MemorySettings;
import com.gitblit.utils.XssFilter;
import com.gitblit.utils.XssFilter.AllowXssFilter;
/**
 * Test the Htpasswd user service.
@@ -74,7 +76,8 @@
    }
    private HtpasswdAuthProvider newHtpasswdAuthentication(IStoredSettings settings) {
        RuntimeManager runtime = new RuntimeManager(settings, GitBlitSuite.BASEFOLDER).start();
        XssFilter xssFilter = new AllowXssFilter();
        RuntimeManager runtime = new RuntimeManager(settings, xssFilter, GitBlitSuite.BASEFOLDER).start();
        UserManager users = new UserManager(runtime, null).start();
        HtpasswdAuthProvider htpasswd = new HtpasswdAuthProvider();
        htpasswd.setup(runtime, users);
@@ -82,7 +85,8 @@
    }
    private AuthenticationManager newAuthenticationManager(IStoredSettings settings) {
        RuntimeManager runtime = new RuntimeManager(settings, GitBlitSuite.BASEFOLDER).start();
        XssFilter xssFilter = new AllowXssFilter();
        RuntimeManager runtime = new RuntimeManager(settings, xssFilter, GitBlitSuite.BASEFOLDER).start();
        UserManager users = new UserManager(runtime, null).start();
        HtpasswdAuthProvider htpasswd = new HtpasswdAuthProvider();
        htpasswd.setup(runtime, users);
src/test/java/com/gitblit/tests/LdapAuthenticationTest.java
@@ -39,6 +39,8 @@
import com.gitblit.models.TeamModel;
import com.gitblit.models.UserModel;
import com.gitblit.tests.mock.MemorySettings;
import com.gitblit.utils.XssFilter;
import com.gitblit.utils.XssFilter.AllowXssFilter;
import com.unboundid.ldap.listener.InMemoryDirectoryServer;
import com.unboundid.ldap.listener.InMemoryDirectoryServerConfig;
import com.unboundid.ldap.listener.InMemoryListenerConfig;
@@ -96,7 +98,8 @@
    }
    private LdapAuthProvider newLdapAuthentication(IStoredSettings settings) {
        RuntimeManager runtime = new RuntimeManager(settings, GitBlitSuite.BASEFOLDER).start();
        XssFilter xssFilter = new AllowXssFilter();
        RuntimeManager runtime = new RuntimeManager(settings, xssFilter, GitBlitSuite.BASEFOLDER).start();
        userManager = new UserManager(runtime, null).start();
        LdapAuthProvider ldap = new LdapAuthProvider();
        ldap.setup(runtime, userManager);
@@ -104,7 +107,8 @@
    }
    private AuthenticationManager newAuthenticationManager(IStoredSettings settings) {
        RuntimeManager runtime = new RuntimeManager(settings, GitBlitSuite.BASEFOLDER).start();
        XssFilter xssFilter = new AllowXssFilter();
        RuntimeManager runtime = new RuntimeManager(settings, xssFilter, GitBlitSuite.BASEFOLDER).start();
        AuthenticationManager auth = new AuthenticationManager(runtime, userManager);
        auth.addAuthenticationProvider(newLdapAuthentication(settings));
        return auth;
src/test/java/com/gitblit/tests/LuceneExecutorTest.java
@@ -34,6 +34,8 @@
import com.gitblit.tests.mock.MemorySettings;
import com.gitblit.utils.FileUtils;
import com.gitblit.utils.JGitUtils;
import com.gitblit.utils.XssFilter;
import com.gitblit.utils.XssFilter.AllowXssFilter;
/**
 * Tests Lucene indexing and querying.
@@ -48,7 +50,8 @@
    private LuceneService newLuceneExecutor() {
        MemorySettings settings = new MemorySettings();
        settings.put(Keys.git.repositoriesFolder, GitBlitSuite.REPOSITORIES);
        RuntimeManager runtime = new RuntimeManager(settings, GitBlitSuite.BASEFOLDER).start();
        XssFilter xssFilter = new AllowXssFilter();
        RuntimeManager runtime = new RuntimeManager(settings, xssFilter, GitBlitSuite.BASEFOLDER).start();
        UserManager users = new UserManager(runtime, null).start();
        RepositoryManager repos = new RepositoryManager(runtime, null, users);
        return new LuceneService(settings, repos);
src/test/java/com/gitblit/tests/RedisTicketServiceTest.java
@@ -30,6 +30,8 @@
import com.gitblit.models.RepositoryModel;
import com.gitblit.tickets.ITicketService;
import com.gitblit.tickets.RedisTicketService;
import com.gitblit.utils.XssFilter;
import com.gitblit.utils.XssFilter.AllowXssFilter;
/**
 * Tests the Redis ticket service.
@@ -57,8 +59,8 @@
    protected ITicketService getService(boolean deleteAll) throws Exception {
        IStoredSettings settings = getSettings(deleteAll);
        IRuntimeManager runtimeManager = new RuntimeManager(settings).start();
        XssFilter xssFilter = new AllowXssFilter();
        IRuntimeManager runtimeManager = new RuntimeManager(settings, xssFilter).start();
        IPluginManager pluginManager = new PluginManager(runtimeManager).start();
        INotificationManager notificationManager = new NotificationManager(settings).start();
        IUserManager userManager = new UserManager(runtimeManager, pluginManager).start();
src/test/java/com/gitblit/tests/RedmineAuthenticationTest.java
@@ -13,6 +13,8 @@
import com.gitblit.manager.UserManager;
import com.gitblit.models.UserModel;
import com.gitblit.tests.mock.MemorySettings;
import com.gitblit.utils.XssFilter;
import com.gitblit.utils.XssFilter.AllowXssFilter;
public class RedmineAuthenticationTest extends GitblitUnitTest {
@@ -25,7 +27,8 @@
    }
    RedmineAuthProvider newRedmineAuthentication(IStoredSettings settings) {
        RuntimeManager runtime = new RuntimeManager(settings, GitBlitSuite.BASEFOLDER).start();
        XssFilter xssFilter = new AllowXssFilter();
        RuntimeManager runtime = new RuntimeManager(settings, xssFilter, GitBlitSuite.BASEFOLDER).start();
        UserManager users = new UserManager(runtime, null).start();
        RedmineAuthProvider redmine = new RedmineAuthProvider();
        redmine.setup(runtime, users);
@@ -37,7 +40,8 @@
    }
    AuthenticationManager newAuthenticationManager() {
        RuntimeManager runtime = new RuntimeManager(getSettings(), GitBlitSuite.BASEFOLDER).start();
        XssFilter xssFilter = new AllowXssFilter();
        RuntimeManager runtime = new RuntimeManager(getSettings(), xssFilter, GitBlitSuite.BASEFOLDER).start();
        UserManager users = new UserManager(runtime, null).start();
        RedmineAuthProvider redmine = new RedmineAuthProvider();
        redmine.setup(runtime, users);
src/test/java/com/gitblit/tests/mock/MockRuntimeManager.java
@@ -28,6 +28,8 @@
import com.gitblit.models.ServerSettings;
import com.gitblit.models.ServerStatus;
import com.gitblit.models.SettingModel;
import com.gitblit.utils.XssFilter;
import com.gitblit.utils.XssFilter.AllowXssFilter;
public class MockRuntimeManager implements IRuntimeManager {
@@ -148,6 +150,11 @@
    }
    @Override
    public XssFilter getXssFilter() {
        return new AllowXssFilter();
    }
    @Override
    public boolean updateSettings(Map<String, String> updatedSettings) {
        return settings.saveSettings(updatedSettings);
    }