vuln-fix: Partial Path Traversal Vulnerability (#10)

jenkinsci · Aug 8, 2022 · 7b9517b · 7b9517b
1 parent fe24abe
commit 7b9517b
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/src/main/java/org/jenkinsci/plugins/redpen/RedpenJobProperty.java b/src/main/java/org/jenkinsci/plugins/redpen/RedpenJobProperty.java
@@ -201,7 +201,7 @@ private FormValidation doCheckTestFrameWorkPath(String value) {
             }
             try {
                 File file = new File(basePath, value);
-                if (file.getCanonicalPath().startsWith(basePath)) {
+                if (file.getCanonicalFile().toPath().startsWith(basePath)) {
                     return FormValidation.ok();
                 }
             } catch (IOException e) {

diff --git a/src/main/java/org/jenkinsci/plugins/redpen/service/RedpenJenkinsCore.java b/src/main/java/org/jenkinsci/plugins/redpen/service/RedpenJenkinsCore.java
@@ -98,7 +98,7 @@ private AttachmentModel addAttachments(ParameterModel parameter, String jwtToken
         for (String s : logDir) {
             String trimPath = s.trim();
             File file = new File(workspaceBasePath, trimPath);
-            if (!StringUtils.isBlank(trimPath) && file.getCanonicalPath().startsWith(workspaceBasePath)) {
+            if (!StringUtils.isBlank(trimPath) && file.getCanonicalFile().toPath().startsWith(workspaceBasePath)) {
                 String logPath = file.getAbsolutePath();
                 AttachmentModel reportFiles = attachLogFiles(buildTriggerTime, workspaceBasePath, logPath, issueKey, jwtToken, "", "Other Files", true);
                 uploadedFileNames.addAll(reportFiles.getAttachments());