Package net.masterthought.jenkins
Class SafeArchiveServingAction

java.lang.Object
  net.masterthought.jenkins.SafeArchiveServingAction

All Implemented Interfaces:
  Action, ModelObject
Direct Known Subclasses:
  SafeArchiveServingRunAction

public class SafeArchiveServingAction extends Object implements Action
This class implements a way to serve reports that use JavaScript, Flash, etc. from Jenkins. By default, Jenkins serves static files with a restrictive Content-Security-Policy header, so that a malicious user cannot attack other Jenkins users by having Jenkins serve them manipulated files. This presents an obstacle to plugins that wish to archive known-safe reports in HTML format and have Jenkins serve them; examples include the Maven Site functionality in the Maven Plugin and the Javadoc Plugin. This class implements a safe alternative to serving files through DirectoryBrowserSupport: when first attached, this action scans the specified directory and records the checksum of every file. When later asked to serve a file, it compares the actual checksum against the recorded one and only serves the file if they match.
Method Summary

All Methods | Instance Methods | Concrete Methods

Modifier and Type                  Method                                                                                     Description
org.kohsuke.stapler.HttpResponse   doDynamic(org.kohsuke.stapler.StaplerRequest req, org.kohsuke.stapler.StaplerResponse rsp)
String                             getDisplayName()
String                             getIconFileName()
File                               getRootDir()
String                             getUrlName()
void                               processDirectory()                                                                         Record the checksums of files in the specified directory and its descendants unless a file type is whitelisted as safe.
Constructor Detail

SafeArchiveServingAction
public SafeArchiveServingAction(File rootDir, String urlName, String indexFile, String iconName, String title, String... safeExtensions)
Create a safe archive serving action.
Parameters:
  rootDir - The root directory to be served by this action
  urlName - The URL name used for this action
  indexFile - The file name of the index file to be served when accessing the urlName URL
  iconName - The icon used for the action in the side panel
  title - The title of this action in the side panel
  safeExtensions - The file extensions to be skipped from checksum recording and verification. These are file types whose unauthorized modification does not constitute a risk to users when viewed in a web browser. This should be resource file extensions like "gif" or "png", or file extensions of files not viewed in a browser like "zip" or "gz". Never specify file types possibly containing scripts or other possibly malicious data that can exploit users' browsers (html, js, swf, css, …).
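The record-then-verify scheme from the class description, together with the safeExtensions whitelist described for the constructor, is illustrated below as a stand-alone example. This is added illustration code, not the plugin's own implementation: the class name ChecksumManifestDemo and the method resolveForServing are made up for the example, and the only details taken from the page are the SHA-1 digest, the extension whitelist, and the rule that a file is served only when its current checksum matches the one recorded at scan time.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.stream.Stream;

/**
 * Minimal model of "scan once, verify on every request" (example code, not the plugin's).
 * Files whose extension is whitelisted are never checksummed; everything else must match
 * the digest recorded at scan time or it is refused.
 */
public class ChecksumManifestDemo {

    private final Path rootDir;
    private final Set<String> safeExtensions = new HashSet<>();
    private final Map<Path, String> expected = new HashMap<>(); // relative path -> SHA-1 hex

    ChecksumManifestDemo(Path rootDir, String... safeExtensions) {
        this.rootDir = rootDir.toAbsolutePath().normalize();
        for (String ext : safeExtensions) {
            this.safeExtensions.add(ext.toLowerCase(Locale.ROOT));
        }
    }

    /** Walk the tree once and record a SHA-1 for every non-whitelisted regular file. */
    void processDirectory() throws IOException, NoSuchAlgorithmException {
        try (Stream<Path> files = Files.walk(rootDir)) {
            for (Path p : (Iterable<Path>) files::iterator) {
                if (!Files.isRegularFile(p) || isSafeExtension(p)) {
                    continue;
                }
                expected.put(rootDir.relativize(p), sha1Hex(p));
            }
        }
    }

    /**
     * Resolve a request path to a file that may be served, or null when the request
     * escapes the root, names an unknown file, or names a file changed since the scan.
     */
    Path resolveForServing(String relativeUrlPath) throws IOException, NoSuchAlgorithmException {
        Path requested = rootDir.resolve(relativeUrlPath).normalize();
        if (!requested.startsWith(rootDir) || !Files.isRegularFile(requested)) {
            return null; // outside the served tree, or not a file
        }
        if (isSafeExtension(requested)) {
            return requested; // whitelisted resource type, served without verification
        }
        String recorded = expected.get(rootDir.relativize(requested));
        if (recorded == null) {
            return null; // file appeared after the scan: never recorded, so never served
        }
        return recorded.equals(sha1Hex(requested)) ? requested : null; // modified since scan
    }

    private boolean isSafeExtension(Path p) {
        String name = p.getFileName().toString();
        int dot = name.lastIndexOf('.');
        return dot >= 0 && safeExtensions.contains(name.substring(dot + 1).toLowerCase(Locale.ROOT));
    }

    private static String sha1Hex(Path p) throws IOException, NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-1").digest(Files.readAllBytes(p));
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    // Constructed sample tree: one HTML report and one whitelisted image.
    public static void main(String[] args) throws Exception {
        Path root = Files.createTempDirectory("safe-archive-demo");
        Path index = root.resolve("index.html");
        Files.write(index, "<html><body>report</body></html>".getBytes(StandardCharsets.UTF_8));
        Files.write(root.resolve("logo.png"), new byte[] {(byte) 0x89, 'P', 'N', 'G'});

        ChecksumManifestDemo action = new ChecksumManifestDemo(root, "png", "gif");
        action.processDirectory();

        System.out.println("index.html (unchanged):   " + verdict(action, "index.html"));
        // Simulate the archived report being altered after the scan.
        Files.write(index, "<html><body>altered</body></html>".getBytes(StandardCharsets.UTF_8));
        System.out.println("index.html (altered):     " + verdict(action, "index.html"));
        System.out.println("logo.png (whitelisted):   " + verdict(action, "logo.png"));
        System.out.println("../outside.html (escape): " + verdict(action, "../outside.html"));
    }

    private static String verdict(ChecksumManifestDemo action, String path) throws Exception {
        return action.resolveForServing(path) != null ? "served" : "refused";
    }
}
```

Running the example prints "served" for the untouched report and the whitelisted image, and "refused" both for the report after it was altered and for a path that resolves outside the served root. The whitelist check is the reason the constructor's warning matters: a whitelisted extension bypasses verification entirely, so listing html, js, swf or css would let a modified file through unchecked.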
Method Detail

processDirectory
public void processDirectory() throws NoSuchAlgorithmException, IOException
Record the checksums of files in the specified directory and its descendants unless a file type is whitelisted as safe.
Throws:
  NoSuchAlgorithmException - when the platform unexpectedly does not support SHA-1
  IOException - when the file or directory for the specified file could not be created
getIconFileName
public String getIconFileName()
Specified by:
  getIconFileName in interface Action

getDisplayName
public String getDisplayName()
Specified by:
  getDisplayName in interface Action
Specified by:
  getDisplayName in interface ModelObject

getUrlName
public String getUrlName()
Specified by:
  getUrlName in interface Action

getRootDir
public File getRootDir()

doDynamic
public org.kohsuke.stapler.HttpResponse doDynamic(org.kohsuke.stapler.StaplerRequest req, org.kohsuke.stapler.StaplerResponse rsp) throws IOException, javax.servlet.ServletException
Throws:
  IOException
  javax.servlet.ServletException