jetty-webapp-verifier/src/main/java/org/eclipse/jetty/webapp/verifier/rules/NoSourceControlRule.java

// ========================================================================
// Copyright (c) Webtide LLC
// ------------------------------------------------------------------------
// All rights reserved. This program and the accompanying materials
// are made available under the terms of the Eclipse Public License v1.0
// and Apache License v2.0 which accompanies this distribution.
//
// The Eclipse Public License is available at 
// http://www.eclipse.org/legal/epl-v10.html
//
// The Apache License v2.0 is available at
// http://www.apache.org/licenses/LICENSE-2.0.txt
//
// You may elect to redistribute this code under either of these licenses. 
// ========================================================================
package org.eclipse.jetty.webapp.verifier.rules;

import java.io.File;
import java.util.ArrayList;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipFile;

import org.eclipse.jetty.webapp.verifier.AbstractArchiveScanningRule;

/**
 * Prevent inclusion of Source Control files & directories that might reveal hostnames, userids, and passwords to the
 * source control. (CVS, .svn/, .git/)
 */
public class NoSourceControlRule extends AbstractArchiveScanningRule
{
    class ScmName
    {
        String scm;
        String name;

        public ScmName(String scm, String name)
        {
            this.scm = scm;
            this.name = name;
        }
    }

    private static List<ScmName> scmDirNames = new ArrayList<ScmName>();
    private static List<ScmName> scmFileNames = new ArrayList<ScmName>();

    public NoSourceControlRule()
    {
        super();

        // The order of patterns is most likely to least likely

        scmDirNames.add(new ScmName("Subversion",".svn")); // Standard Unix format
        scmDirNames.add(new ScmName("Subversion","_svn")); // Alternate Windows format
        scmDirNames.add(new ScmName("CVS","CVS"));
        scmFileNames.add(new ScmName("CVS",".cvsignore"));
        scmDirNames.add(new ScmName("Git",".git"));
        scmFileNames.add(new ScmName("Git",".gitignore"));
        scmDirNames.add(new ScmName("RCS","RCS"));
        scmDirNames.add(new ScmName("SCCS","SCCS"));
        scmFileNames.add(new ScmName("Visual SourceSafe","vssver.scc"));
        scmDirNames.add(new ScmName("Arch",".arch-ids"));
        scmDirNames.add(new ScmName("Bazaar",".bzr"));
        scmFileNames.add(new ScmName("SurroundSCM",".MySCMServerInfo"));
        scmDirNames.add(new ScmName("Mercurial",".hg"));
        scmDirNames.add(new ScmName("BitKeeper","BitKeeper"));
        scmDirNames.add(new ScmName("BitKeeper","ChangeSet"));
        scmDirNames.add(new ScmName("Darcs","_darcs"));
        scmDirNames.add(new ScmName("Darcs",".darcsrepo"));
        scmFileNames.add(new ScmName("Darcs",".darcs-temp-mail"));
    }

    @Override
    public String getDescription()
    {
        return "Prevent inclusion of source control files in webapp";
    }

    @Override
    public String getName()
    {
        return "no-source-control";
    }

    @Override
    public void visitDirectoryStart(String path, File dir)
    {
        for (ScmName scmName : scmDirNames)
        {
            if (dir.getName().equalsIgnoreCase(scmName.name))
            {
                error(path,scmName.scm + " Source Control directories are not allowed");
            }
        }
    }

    @Override
    public void visitFile(String path, File dir, File file)
    {
        for (ScmName scmName : scmFileNames)
        {
            if (file.getName().equalsIgnoreCase(scmName.name))
            {
                error(path,scmName.scm + " Source Control file are not allowed");
            }
        }
    }

    @Override
    public void visitArchiveResource(String path, ZipFile zip, ZipEntry entry)
    {
        String basename = toBaseName(entry);

        if (entry.isDirectory())
        {
            for (ScmName scmName : scmDirNames)
            {
                if (basename.equalsIgnoreCase(scmName.name))
                {
                    error(path,scmName.scm + " Source Control directories are not allowed");
                }
            }
        }
        else
        {
            for (ScmName scmName : scmFileNames)
            {
                if (basename.equalsIgnoreCase(scmName.name))
                {
                    error(path,scmName.scm + " Source Control file are not allowed");
                }
            }
        }
    }

    private String toBaseName(ZipEntry entry)
    {
        String name =entry.getName();
        if (name.endsWith("/"))
        {
            name = name.substring(0,name.length() - 1);
        }

        int idx = name.lastIndexOf('/');
        if (idx >= 0)
        {
            return name.substring(idx + 1);
        }
        return name;
    }
}