Fix XSS attack for published artifacts
robinshine committed May 31, 2022
1 parent f2334ba commit adb6e31
Showing 1 changed file with 3 additions and 9 deletions.
@@ -1,6 +1,5 @@
package io.onedev.server.web.resource;

import java.io.BufferedInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
Expand All @@ -16,6 +15,7 @@

import org.apache.shiro.authz.UnauthorizedException;
import org.apache.tika.io.IOUtils;
import org.apache.tika.mime.MimeTypes;
import org.apache.wicket.request.mapper.parameter.PageParameters;
import org.apache.wicket.request.resource.AbstractResource;

Expand All @@ -30,7 +30,6 @@
import io.onedev.server.model.Build;
import io.onedev.server.model.Project;
import io.onedev.server.security.SecurityUtils;
import io.onedev.server.util.ContentDetector;

public class ArtifactResource extends AbstractResource {

Expand Down Expand Up @@ -85,20 +84,15 @@ protected ResourceResponse newResourceResponse(Attributes attributes) {
}

ResourceResponse response = new ResourceResponse();
try (InputStream is = new BufferedInputStream(new FileInputStream(artifactFile))) {
response.setContentType(ContentDetector.detectMediaType(is, artifactPath).toString());
} catch (Exception e) {
throw new RuntimeException(e);
}

response.getHeaders().addHeader("X-Content-Type-Options", "nosniff");
response.setContentType(MimeTypes.OCTET_STREAM);
response.disableCaching();

try {
response.setFileName(URLEncoder.encode(artifactFile.getName(), StandardCharsets.UTF_8.name()));
} catch (UnsupportedEncodingException e) {
throw new RuntimeException(e);
}

response.setContentLength(artifactFile.length());

response.setWriteCallback(new WriteCallback() {
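Review bot: The two new lines `response.getHeaders().addHeader("X-Content-Type-Options", "nosniff");` and `response.setContentType(MimeTypes.OCTET_STREAM);` appear to leave the response's Content-Disposition at Wicket's default, so the artifact is still offered to the browser as inline content and the fix relies on every browser refusing to render `application/octet-stream`; adding `response.setContentDisposition(ContentDisposition.ATTACHMENT);` (with `org.apache.wicket.request.resource.ContentDisposition` imported) makes the download-only intent explicit and independent of content-type handling. The reason the detected media type was dropped is not recorded anywhere in the hunk; a comment such as `// Serve artifacts as opaque downloads: a user-uploaded HTML/SVG artifact rendered inline would execute in the site's origin.` above the new lines would keep a later maintainer from "restoring" content detection. The enclosing `newResourceResponse` starts before this hunk and its WriteCallback continues after it, so whether the disposition is set elsewhere cannot be confirmed from the visible lines.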
