/**
 * Reports whether the request passes {@code isAdmin}, answering with HTTP 403
 * when it does not.
 *
 * @param req the incoming request, handed to {@code isAdmin}
 * @param rsp the response that receives the 403 on denial
 * @return {@code true} when {@code isAdmin(req)} holds; {@code false} once the 403 has been sent
 * @throws IOException if sending the error response fails
 * @deprecated since 2007-12-18.
 *      Use {@link #checkPermission(hudson.security.Permission)}
 */
@Deprecated
public static boolean adminCheck(StaplerRequest req, StaplerResponse rsp) throws IOException {
    final boolean allowed = isAdmin(req);
    if (!allowed) {
        // Nothing is thrown on denial: the caller has to act on the false return,
        // otherwise it keeps running after the 403 was written.
        rsp.sendError(StaplerResponse.SC_FORBIDDEN);
    }
    return allowed;
}
/**
 * Always answers with HTTP 404.
 * <p>
 * Per the original author's note, this computer never returns null from its
 * channel, so this endpoint is not expected to be invoked at all.
 *
 * @param req the incoming request (unused)
 * @param rsp the response that receives the 404
 * @throws IOException if sending the error response fails
 */
@RequirePOST
public void doLaunchSlaveAgent(StaplerRequest req, StaplerResponse rsp)
        throws IOException, ServletException {
    rsp.sendError(SC_NOT_FOUND);
}
/**
 * Serves static resources placed along with Jelly view files.
 * <p>
 * The resource path is taken from the request URL and looked up through the
 * plugin manager's uber class loader. The only gate applied in this method is
 * the file-extension allowlist {@code ALLOWED_RESOURCE_EXTENSIONS}: any
 * resource that class loader can resolve and whose name ends in an allowed
 * extension is served. The original author flagged that it is unclear whether
 * an extension-based check is the best strategy.
 *
 * @param req the request whose rest-of-path names the resource
 * @param rsp the response that receives the file, or a 404
 * @throws IOException if writing the response fails
 */
public void doResources(StaplerRequest req, StaplerResponse rsp) throws IOException, ServletException {
    // Drop the "..." segment of /resources/.../path/to/file. That segment only
    // makes the URL unique, which in turn allows a long expiration date.
    final String rest = req.getRestOfPath();
    final String resourcePath = rest.substring(rest.indexOf('/', 1) + 1);

    // Text after the last '.'; when there is no dot this is the whole path.
    final String extension = resourcePath.substring(resourcePath.lastIndexOf('.') + 1);

    // The class loader is consulted only for allowlisted extensions.
    final URL url = ALLOWED_RESOURCE_EXTENSIONS.contains(extension)
            ? pluginManager.uberClassLoader.getResource(resourcePath)
            : null;
    if (url == null) {
        rsp.sendError(HttpServletResponse.SC_NOT_FOUND);
        return;
    }

    final long expires = MetaClass.NO_CACHE ? 0 : 365L * 24 * 60 * 60 * 1000; // 1 year
    rsp.serveFile(req, url, expires);
}
/**
 * Serves static resources in the plugin under {@code hudson/plugin/SHORTNAME}.
 * <p>
 * The rest-of-path is screened with a deny-list before it is resolved against
 * {@code wrapper.baseResourceURL}: empty paths, paths containing {@code ..} or
 * {@code %}, paths starting with {@code .}, and paths mentioning
 * {@code META-INF} or {@code WEB-INF} (case-insensitively) are rejected with
 * HTTP 400 and a warning is logged.
 *
 * @param req the request whose rest-of-path names the resource
 * @param rsp the response that receives the file, or a 400
 * @throws IOException if writing the response fails
 */
public void doDynamic(StaplerRequest req, StaplerResponse rsp) throws IOException, ServletException {
    final String path = req.getRestOfPath();
    final String upper = path.toUpperCase(Locale.ENGLISH);

    final boolean suspicious = path.isEmpty()
            || path.contains("..")
            || path.startsWith(".")
            || path.contains("%")
            || upper.contains("META-INF")
            || upper.contains("WEB-INF")
            // ClassicPluginStrategy#explode produces that file to know whether a new
            // explosion is required or not
            || upper.equals("/.TIMESTAMP2");
    if (suspicious) {
        // NOTE(review): the request URI is logged as received; confirm the log sink
        // neutralises control characters.
        LOGGER.warning("rejecting possibly malicious " + req.getRequestURIWithQueryString());
        rsp.sendError(HttpServletResponse.SC_BAD_REQUEST);
        return;
    }

    // Stapler routes requests like "/static/.../foo/bar/zot" as if they were
    // "/foo/bar/zot"; Jenkins.VERSION_HASH is used as the "..." part to create
    // unique URLs. Recognise that form and set a long expiration header for it.
    final String requestPath = req.getRequestURI().substring(req.getContextPath().length());
    final long expires;
    if (requestPath.startsWith("/static/")) {
        expires = TimeUnit.DAYS.toMillis(365);
    } else {
        expires = -1;
    }

    // serveLocalizedFile supports automatic locale selection
    final URL resource = new URL(wrapper.baseResourceURL, '.' + path);
    rsp.serveLocalizedFile(req, resource, expires);
}
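/**
 * Renders the {@code command.jelly} view for the CLI command named by the
 * rest of the request path.
 * <p>
 * Requires {@code Jenkins.READ}. An unknown command name, or a request with
 * no command name at all, is answered with HTTP 404.
 *
 * @param req the request whose rest-of-path is {@code /<commandName>}
 * @param rsp the response that receives the view, or a 404
 * @throws ServletException if forwarding to the view fails
 * @throws IOException if writing the response fails
 */
public void doCommand(StaplerRequest req, StaplerResponse rsp) throws ServletException, IOException {
    final Jenkins jenkins = Jenkins.getActiveInstance();
    jenkins.checkPermission(Jenkins.READ);

    // Strip the leading slash. An empty rest-of-path names no command, so it is
    // treated as "not found" rather than letting substring(1) throw
    // StringIndexOutOfBoundsException.
    final String restOfPath = req.getRestOfPath();
    final CLICommand command = restOfPath.isEmpty()
            ? null
            : CLICommand.clone(restOfPath.substring(1));
    if (command == null) {
        rsp.sendError(HttpServletResponse.SC_NOT_FOUND, "No such command");
        return;
    }

    req.setAttribute("command", command);
    req.getView(this, "command.jelly").forward(req, rsp);
}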
/**
 * Schedules a new SCM polling command.
 * <p>
 * Items that are not an {@code SCMTriggerItem} get HTTP 404. For the others,
 * {@code BuildAuthorizationToken.checkPermission} is called with this job's
 * auth token before polling is scheduled.
 *
 * @param req the incoming request, passed to the authorization check
 * @param rsp the response that receives the redirect to {@code "."}, or a 404
 * @throws IOException if writing the response fails
 */
@SuppressWarnings("deprecation")
default void doPolling(StaplerRequest req, StaplerResponse rsp) throws IOException, ServletException {
    if (this instanceof SCMTriggerItem) {
        // NOTE(review): no result of checkPermission is inspected here, so denial
        // presumably surfaces as an exception from that call; confirm in
        // BuildAuthorizationToken.
        hudson.model.BuildAuthorizationToken.checkPermission((Job) this, getAuthToken(), req, rsp);
        ((SCMTriggerItem) this).schedulePolling();
        rsp.sendRedirect(".");
        return;
    }
    rsp.sendError(404);
}
/**
 * Accepts and serves the job description.
 * <p>
 * {@code GET} writes the current description as {@code text/plain}; this
 * method applies no permission check of its own on that branch. {@code POST}
 * requires {@code CONFIGURE} and stores the {@code description} request
 * parameter, answering with {@code SC_NO_CONTENT}. Any other method, or a
 * {@code POST} without that parameter, is answered with {@code SC_BAD_REQUEST}.
 *
 * @param req the incoming request
 * @param rsp the response to write to
 * @throws IOException if writing the response fails
 */
public void doDescription(StaplerRequest req, StaplerResponse rsp) throws IOException {
    final String method = req.getMethod();

    if (method.equals("GET")) {
        // read
        rsp.setContentType("text/plain;charset=UTF-8");
        rsp.getWriter().write(Util.fixNull(this.getDescription()));
        return;
    }

    if (method.equals("POST")) {
        checkPermission(CONFIGURE);

        // submission
        final String submitted = req.getParameter("description");
        if (submitted != null) {
            this.setDescription(submitted);
            rsp.sendError(SC_NO_CONTENT);
            return;
        }
    }

    // neither a read nor a usable submission
    rsp.sendError(SC_BAD_REQUEST);
}
/**
 * Exposes the bean as JSON, or as JSONP when a {@code jsonp} parameter is present.
 * <p>
 * A JSONP response is produced only when {@code permit(req)} allows it;
 * otherwise the request is refused with HTTP 403. Plain JSON is served
 * without consulting {@code permit}.
 *
 * @param req the incoming request
 * @param rsp the response that receives the serialized bean, or a 403
 * @throws IOException if writing the response fails
 */
public void doJson(StaplerRequest req, StaplerResponse rsp) throws IOException, ServletException {
    final boolean wantsJsonp = req.getParameter("jsonp") != null;

    if (wantsJsonp && !permit(req)) {
        rsp.sendError(HttpURLConnection.HTTP_FORBIDDEN,
                "jsonp forbidden; implement jenkins.security.SecureRequester");
        return;
    }

    setHeaders(rsp);
    rsp.serveExposedBean(req, bean, wantsJsonp ? Flavor.JSONP : Flavor.JSON);
}
/**
 * Accepts {@code config.xml} submission, as well as serving it.
 * <p>
 * {@code GET} streams the configuration as {@code application/xml};
 * {@code POST} feeds the request body to {@code updateByXml}; any other
 * method is answered with {@code SC_BAD_REQUEST}.
 * <p>
 * NOTE(review): no permission check and no XML parser hardening is visible in
 * this method; presumably both live in {@code writeConfigDotXml} and
 * {@code updateByXml}. Confirm there, since the POST body is caller-supplied XML.
 *
 * @param req the incoming request
 * @param rsp the response to write to
 * @throws IOException if reading the request or writing the response fails
 */
@WebMethod(name = "config.xml")
public void doConfigDotXml(StaplerRequest req, StaplerResponse rsp) throws IOException {
    final String method = req.getMethod();

    if (method.equals("GET")) {
        // read
        rsp.setContentType("application/xml");
        writeConfigDotXml(rsp.getOutputStream());
    } else if (method.equals("POST")) {
        // submission
        updateByXml((Source) new StreamSource(req.getReader()));
    } else {
        // unsupported HTTP method
        rsp.sendError(SC_BAD_REQUEST);
    }
}
/**
 * Creates a first admin user account.
 * <p>
 * This can be run by anyone, but only to create the very first user account:
 * once {@code hasSomeUser()} reports an existing user the request is refused
 * with {@code SC_UNAUTHORIZED}.
 * <p>
 * NOTE(review): the {@code hasSomeUser()} check and the account creation are
 * separate calls and no locking is visible in this method; confirm how
 * concurrent first-account requests are handled.
 *
 * @param req the signup form submission
 * @param rsp the response to write to
 * @throws IOException if writing the response fails
 */
@RequirePOST
public void doCreateFirstAccount(StaplerRequest req, StaplerResponse rsp) throws IOException, ServletException {
    if (hasSomeUser()) {
        rsp.sendError(SC_UNAUTHORIZED, "First user was already created");
        return;
    }

    final User created = createAccount(req, rsp, false, "firstUser.jelly");
    if (created == null) {
        // createAccount produced no user, so there is nobody to promote or log in
        return;
    }

    tryToMakeAdmin(created);
    loginAndTakeBack(req, rsp, created);
}
rsp.sendError(SC_NOT_FOUND);
/**
 * Checks the YAML configuration carried by the request and reports the
 * resulting warnings as a JSON array.
 * <p>
 * Restricted to callers holding {@code Jenkins.ADMINISTER}; everyone else
 * gets HTTP 403. Each array element has a {@code line} and a {@code warning} entry.
 *
 * @param req the request carrying the YAML to check
 * @param res the response that receives the JSON array, or a 403
 * @throws Exception if the check or writing the response fails
 */
@RequirePOST
public void doCheck(StaplerRequest req, StaplerResponse res) throws Exception {
    final boolean isAdministrator = Jenkins.getInstance().hasPermission(Jenkins.ADMINISTER);
    if (!isAdministrator) {
        res.sendError(HttpServletResponse.SC_FORBIDDEN);
        return;
    }

    final Map<Source, String> issues =
            checkWith(new YamlSource<HttpServletRequest>(req, YamlSource.READ_FROM_REQUEST));
    res.setContentType("application/json");

    final JSONArray warnings = new JSONArray();
    for (Map.Entry<Source, String> issue : issues.entrySet()) {
        warnings.add(new JSONObject()
                .accumulate("line", issue.getKey().line)
                .accumulate("warning", issue.getValue()));
    }
    warnings.write(res.getWriter());
}
/**
 * Applies the YAML configuration carried by the request.
 * <p>
 * Restricted to callers holding {@code Jenkins.ADMINISTER}; everyone else
 * gets HTTP 403 and nothing is applied.
 *
 * @param req the request carrying the YAML to apply
 * @param res the response that receives the 403 on denial
 * @throws Exception if applying the configuration fails
 */
@RequirePOST
public void doApply(StaplerRequest req, StaplerResponse res) throws Exception {
    if (Jenkins.getInstance().hasPermission(Jenkins.ADMINISTER)) {
        final YamlSource<HttpServletRequest> source =
                new YamlSource<HttpServletRequest>(req, YamlSource.READ_FROM_REQUEST);
        configureWith(source);
    } else {
        res.sendError(HttpServletResponse.SC_FORBIDDEN);
    }
}
/**
 * Re-runs {@code configure()} and redirects back to the current page.
 * <p>
 * Restricted to callers holding {@code Jenkins.ADMINISTER}; everyone else
 * gets HTTP 403 and no reconfiguration happens.
 *
 * @param request the incoming request
 * @param response the response that receives the redirect, or a 403
 * @throws Exception if reconfiguration or the redirect fails
 */
@RequirePOST
public void doReload(StaplerRequest request, StaplerResponse response) throws Exception {
    final boolean isAdministrator = Jenkins.getInstance().hasPermission(Jenkins.ADMINISTER);
    if (isAdministrator) {
        configure();
        response.sendRedirect("");
        return;
    }
    response.sendError(HttpServletResponse.SC_FORBIDDEN);
}
rsp.sendError(HttpURLConnection.HTTP_FORBIDDEN, "primitive XPath result sets forbidden; implement jenkins.security.SecureRequester"); return;
/**
 * Deletes this user from Hudson.
 * <p>
 * Requires {@code Jenkins.ADMINISTER}. A request to delete the account that
 * is currently authenticated is refused with HTTP 400.
 *
 * @param req the incoming request
 * @param rsp the response that receives the redirect to {@code "../.."}, or a 400
 * @throws IOException if deletion or writing the response fails
 */
@RequirePOST
public void doDoDelete(StaplerRequest req, StaplerResponse rsp) throws IOException {
    checkPermission(Jenkins.ADMINISTER);

    // Compare ids through the configured id strategy rather than with String.equals.
    final boolean deletingSelf = idStrategy().equals(id, Jenkins.getAuthentication().getName());
    if (deletingSelf) {
        rsp.sendError(HttpServletResponse.SC_BAD_REQUEST, "Cannot delete self");
        return;
    }

    delete();
    rsp.sendRedirect2("../..");
}
/**
 * Accepts {@code config.xml} submission, as well as serving it.
 * <p>
 * {@code GET} requires {@code EXTENDED_READ} and streams the node's XML, or
 * throws a not-found response when there is no node. {@code POST} hands the
 * request body to {@code updateByXml}. Any other method is answered with
 * {@code SC_BAD_REQUEST}.
 * <p>
 * NOTE(review): the POST branch performs no permission check in this method;
 * presumably {@code updateByXml} enforces one. Confirm there.
 *
 * @param req the incoming request
 * @param rsp the response to write to
 * @throws IOException if reading the request or writing the response fails
 */
@WebMethod(name = "config.xml")
public void doConfigDotXml(StaplerRequest req, StaplerResponse rsp) throws IOException, ServletException {
    final String method = req.getMethod();

    if (method.equals("GET")) {
        // read
        checkPermission(EXTENDED_READ);
        rsp.setContentType("application/xml");
        final Node node = getNode();
        if (node == null) {
            throw HttpResponses.notFound();
        }
        Jenkins.XSTREAM2.toXMLUTF8(node, rsp.getOutputStream());
    } else if (method.equals("POST")) {
        // submission
        updateByXml(req.getInputStream());
    } else {
        // unsupported HTTP method
        rsp.sendError(SC_BAD_REQUEST);
    }
}
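/**
 * Does a fingerprint check: computes the digest of the uploaded {@code name}
 * file item and redirects to the matching {@code /fingerprint/<digest>/} page.
 * <p>
 * When crumbs are in use and the crumb in the multipart form does not
 * validate, the request is answered with HTTP 403 and processing stops there.
 *
 * @param req the multipart form submission
 * @param rsp the response that receives the redirect, or a 403
 * @throws IOException if reading the upload or writing the response fails
 * @throws ServletException if the multipart request cannot be parsed
 */
@RequirePOST
public void doDoFingerprintCheck(StaplerRequest req, StaplerResponse rsp) throws IOException, ServletException {
    // Parse the request
    try (MultipartFormDataParser p = new MultipartFormDataParser(req)) {
        if (isUseCrumbs() && !getCrumbIssuer().validateCrumb(req, p)) {
            // TODO investigate whether this check can be removed
            rsp.sendError(HttpServletResponse.SC_FORBIDDEN, "No crumb found");
            // Stop here: without this return the upload was still read and a
            // redirect was attempted after the 403 had already been sent.
            return;
        }
        rsp.sendRedirect2(req.getContextPath() + "/fingerprint/"
                + Util.getDigestOf(p.getFileItem("name").getInputStream()) + '/');
    }
}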
@RequirePOST public void doReplace(StaplerRequest request, StaplerResponse response) throws Exception { if (!Jenkins.getInstance().hasPermission(Jenkins.ADMINISTER)) { response.sendError(HttpServletResponse.SC_FORBIDDEN); return;
/**
 * Exports the live Jenkins instance configuration as YAML, offered as a
 * download named {@code jenkins.yaml}.
 * <p>
 * Restricted to callers holding {@code Jenkins.ADMINISTER}; everyone else
 * gets HTTP 403.
 * <p>
 * NOTE(review): what the export contains, including how secret values are
 * rendered, is decided in {@code export(...)} and is not visible here.
 *
 * @param req the incoming request
 * @param res the response that receives the YAML document, or a 403
 * @throws Exception if the export or writing the response fails
 */
@RequirePOST
public void doExport(StaplerRequest req, StaplerResponse res) throws Exception {
    final boolean isAdministrator = Jenkins.getInstance().hasPermission(Jenkins.ADMINISTER);
    if (!isAdministrator) {
        res.sendError(HttpServletResponse.SC_FORBIDDEN);
        return;
    }

    // Content-Disposition: attachment makes browsers download the document
    // instead of rendering it.
    res.setContentType("application/x-yaml; charset=utf-8");
    res.addHeader("Content-Disposition", "attachment; filename=jenkins.yaml");
    export(res.getOutputStream());
}