Class SafeArchiveServingAction

java.lang.Object
net.masterthought.jenkins.SafeArchiveServingAction
All Implemented Interfaces:
Action, ModelObject
Direct Known Subclasses:
SafeArchiveServingRunAction

public class SafeArchiveServingAction extends Object implements Action
This class implements a solution to serving various reports using JavaScript, Flash, etc. from Jenkins. By default, Jenkins serves static files using a restrictive Content-Security-Policy header to prevent malicious users from attacking other users of Jenkins by having Jenkins serve them maliciously manipulated files. This presents an obstacle to plugins that wish to archive known safe reports in HTML format and have Jenkins serve them. Examples include the Maven Site functionality in Maven Plugin, or the Javadoc Plugin.

This class implements a safe alternative to serving files from DirectoryBrowserSupport: This action, when first attached, scans the specified directory and records all files' checksums. When later asked to serve files, it compares the actual and expected checksums, and only serves matching files.
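The record-then-verify scheme described above, together with the effect of the safeExtensions constructor parameter, as an added example that is not the plugin's own code. The class ChecksumGateDemo and its methods are hypothetical, the sample files are constructed, and Java 17 or later is assumed; SHA-1 is used because it is the digest named in the processDirectory documentation.

```java
import java.io.IOException;
import java.nio.file.*;
import java.security.*;
import java.util.*;

// Added illustration, not the plugin's implementation; all names are hypothetical.
public class ChecksumGateDemo {
    private final Path root;
    private final Set<String> safeExtensions; // lower-case, without the dot
    private final Map<String, byte[]> expected = new HashMap<>(); // relative path -> SHA-1
    ChecksumGateDemo(Path root, String... safeExtensions) throws IOException {
        this.root = root.toRealPath();
        this.safeExtensions = Set.of(safeExtensions);
    }
    // Record phase: hash every regular file whose extension is not listed as safe.
    void record() throws IOException, NoSuchAlgorithmException {
        try (var files = Files.walk(root)) {
            for (Path p : files.filter(Files::isRegularFile).toList())
                if (!isSafe(p)) expected.put(root.relativize(p).toString(), sha1(p));
        }
    }
    // Serve phase: a non-safe file is served only if its current hash equals the recorded one.
    boolean mayServe(String relative) throws IOException, NoSuchAlgorithmException {
        Path p = root.resolve(relative).normalize();
        if (!p.startsWith(root) || !Files.isRegularFile(p, LinkOption.NOFOLLOW_LINKS)) return false;
        if (isSafe(p)) return true; // skipped from verification, so it must never be a script type
        byte[] want = expected.get(root.relativize(p).toString());
        return want != null && MessageDigest.isEqual(want, sha1(p));
    }
    private boolean isSafe(Path p) {
        String n = p.getFileName().toString().toLowerCase(Locale.ROOT);
        return n.contains(".") && safeExtensions.contains(n.substring(n.lastIndexOf('.') + 1));
    }
    private static byte[] sha1(Path p) throws IOException, NoSuchAlgorithmException {
        return MessageDigest.getInstance("SHA-1").digest(Files.readAllBytes(p));
    }
    public static void main(String[] args) throws Exception {
        Path dir = Files.createTempDirectory("report"); // constructed sample archive
        Files.writeString(dir.resolve("index.html"), "<h1>report</h1>");
        Files.writeString(dir.resolve("logo.png"), "placeholder image bytes");
        ChecksumGateDemo gate = new ChecksumGateDemo(dir, "png", "gif");
        gate.record();
        System.out.println("unchanged index.html:  " + gate.mayServe("index.html"));
        Files.writeString(dir.resolve("index.html"), "<h1>modified after recording</h1>");
        Files.writeString(dir.resolve("added.html"), "<p>not present at recording</p>");
        System.out.println("modified index.html:   " + gate.mayServe("index.html"));
        System.out.println("unrecorded added.html: " + gate.mayServe("added.html"));
        System.out.println("safe-listed logo.png:  " + gate.mayServe("logo.png"));
    }
}
```

Files with a safe-listed extension pass without any integrity check, which is why the parameter documentation restricts that list to types a browser will not execute.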
  • Constructor Details

    • SafeArchiveServingAction

      public SafeArchiveServingAction(File rootDir, String urlName, String indexFile, String iconName, String title, String... safeExtensions)
      Create a safe archive serving action.
      Parameters:
      rootDir - The root directory to be served by this action
      urlName - The URL name used for this action
      indexFile - The file name of the index file to be served when accessing the urlName URL
      iconName - The icon used for the action in the side panel
      title - The title of this action in the side panel
      safeExtensions - The file extensions to be skipped from checksum recording and verification. These are file types whose unauthorized modification does not constitute a risk to users when viewed in a web browser. These should be resource file extensions like "gif" or "png", or extensions of files not viewed in a browser, like "zip" or "gz". Never specify file types possibly containing scripts or other possibly malicious data that can exploit users' browsers (html, js, swf, css, …).
  • Method Details

    • processDirectory

      public void processDirectory() throws NoSuchAlgorithmException, IOException
      Record the checksums of files in the specified directory and its descendants unless a file type is whitelisted as safe.
      Throws:
      NoSuchAlgorithmException - when the platform unexpectedly does not support SHA-1
      IOException - when the file, or the directory for the specified file, could not be created
    • getIconFileName

      public String getIconFileName()
      Specified by:
      getIconFileName in interface Action
    • getDisplayName

      public String getDisplayName()
      Specified by:
      getDisplayName in interface Action
      Specified by:
      getDisplayName in interface ModelObject
    • getUrlName

      public String getUrlName()
      Specified by:
      getUrlName in interface Action
    • getRootDir

      public File getRootDir()
    • doDynamic

      public org.kohsuke.stapler.HttpResponse doDynamic(org.kohsuke.stapler.StaplerRequest req, org.kohsuke.stapler.StaplerResponse rsp) throws IOException, javax.servlet.ServletException
      Throws:
      IOException
      javax.servlet.ServletException