com.rapid7.sdlc.plugin.jenkins.report

Class SafeArchiveServingAction

java.lang.Object

com.rapid7.sdlc.plugin.jenkins.report.AssessmentReportBaseAction

com.rapid7.sdlc.plugin.jenkins.report.SafeArchiveServingAction

All Implemented Interfaces:

hudson.model.Action, hudson.model.ModelObject

Direct Known Subclasses:

AssessmentReportRunAction

public class SafeArchiveServingAction
extends AssessmentReportBaseAction

This class implements a solution to serving various reports using JavaScript, Flash, etc. from Jenkins. By default, Jenkins serves static files using a restrictive Content-Security-Policy header to prevent malicious users from attacking other users of Jenkins by having Jenkins serve them maliciously manipulated files. This presents an obstacle to plugins that wish to archive known safe reports in HTML format and have Jenkins serve them. Examples include the Maven Site functionality in Maven Plugin, or the Javadoc Plugin. This class implements a safe alternative to serving files from DirectoryBrowserSupport: This action, when first attached, scans the specified directory and records all files' checksums. When later asked to serve files, it compares the actual and expected checksums, and only serves matching files.

Field Summary

Fields inherited from class com.rapid7.sdlc.plugin.jenkins.report.AssessmentReportBaseAction

BASE_DIR, ICON_DIR, REPORT_PAGE

Constructor Summary

Constructors

Constructor and Description
SafeArchiveServingAction(File rootDir, String urlName, String indexFile, String... safeExtensions) Create a safe archive serving action.

Method Summary

Modifier and Type	Method and Description
org.kohsuke.stapler.HttpResponse	doDynamic(org.kohsuke.stapler.StaplerRequest req, org.kohsuke.stapler.StaplerResponse rsp)
File	getRootDir()
String	getUrlName()
void	processDirectory() Record the checksums of files in the specified directory and its descendants unless a file type is whitelisted as safe.

Methods inherited from class com.rapid7.sdlc.plugin.jenkins.report.AssessmentReportBaseAction

getDisplayName, getIconFileName

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

SafeArchiveServingAction

public SafeArchiveServingAction(File rootDir,
                                String urlName,
                                String indexFile,
                                String... safeExtensions)

Create a safe archive serving action.

Parameters:

rootDir - The root directory to be served by this action

urlName - The URL name used for this action

indexFile - The file name of the index file to be served when accessing the urlName URL

safeExtensions - The file extensions to be skipped from checksum recording and verification. These are file types whose unauthorized modification does not constitute a risk to users when viewed in a web browser. This should be resource file extensions like "gif" or "png" or file extensions of files not viewed in a browser like "zip" or "gz". Never specify file types possibly containing scripts or other possibly malicious data that can exploit users' browsers (html, js, swf, css, …).

Method Detail

processDirectory

public void processDirectory()
                      throws NoSuchAlgorithmException,
                             IOException

Record the checksums of files in the specified directory and its descendants unless a file type is whitelisted as safe.

Throws:

NoSuchAlgorithmException

IOException

getUrlName

public String getUrlName()

Specified by:

getUrlName in interface hudson.model.Action

Overrides:

getUrlName in class AssessmentReportBaseAction

getRootDir

public File getRootDir()

doDynamic

public org.kohsuke.stapler.HttpResponse doDynamic(org.kohsuke.stapler.StaplerRequest req,
                                                  org.kohsuke.stapler.StaplerResponse rsp)
                                           throws IOException

Throws:

IOException