From 7b9517b6b20245bcda2bd2f4c8c7a4ae43e8f347 Mon Sep 17 00:00:00 2001
From: Jonathan Leitschuh
Date: Mon, 8 Aug 2022 08:48:55 -0400
Subject: [PATCH] vuln-fix: Partial Path Traversal Vulnerability (#10)

---
 .../java/org/jenkinsci/plugins/redpen/RedpenJobProperty.java | 2 +-
 .../org/jenkinsci/plugins/redpen/service/RedpenJenkinsCore.java | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/main/java/org/jenkinsci/plugins/redpen/RedpenJobProperty.java b/src/main/java/org/jenkinsci/plugins/redpen/RedpenJobProperty.java
index 5669e8d..ec0d678 100644
--- a/src/main/java/org/jenkinsci/plugins/redpen/RedpenJobProperty.java
+++ b/src/main/java/org/jenkinsci/plugins/redpen/RedpenJobProperty.java
@@ -201,7 +201,7 @@ private FormValidation doCheckTestFrameWorkPath(String value) {
 }
 try {
 File file = new File(basePath, value);
- if (file.getCanonicalPath().startsWith(basePath)) {
+ if (file.getCanonicalFile().toPath().startsWith(basePath)) {
 return FormValidation.ok();
 }
 } catch (IOException e) {
diff --git a/src/main/java/org/jenkinsci/plugins/redpen/service/RedpenJenkinsCore.java b/src/main/java/org/jenkinsci/plugins/redpen/service/RedpenJenkinsCore.java
index 885d504..c39813e 100644
--- a/src/main/java/org/jenkinsci/plugins/redpen/service/RedpenJenkinsCore.java
+++ b/src/main/java/org/jenkinsci/plugins/redpen/service/RedpenJenkinsCore.java
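Review bot: The new condition compares a canonical (absolute, symlink-resolved) child path against the raw `basePath`, so if `basePath` is relative or reaches the workspace through a symlink, `Path.startsWith` is false for every value and the validation always fails; the same mismatch exists with `workspaceBasePath` in the RedpenJenkinsCore hunk. Canonicalize the base the same way as the child before comparing, for example `if (file.getCanonicalFile().toPath().startsWith(new File(basePath).getCanonicalFile().toPath())) {` (assuming `basePath` is a String, as `new File(basePath, value)` allows but does not prove). Separately, `File.toPath()` and `Path.startsWith(String)` throw the unchecked `InvalidPathException` for strings the default filesystem rejects, which the visible `catch (IOException e)` does not cover, so a malformed form value would now surface as a server error instead of a `FormValidation` result; `catch (IOException | InvalidPathException e)` closes that gap. Where `basePath` is defined lies outside the hunk, so whether it is already canonical cannot be confirmed here.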
@@ -98,7 +98,7 @@ private AttachmentModel addAttachments(ParameterModel parameter, String jwtToken
 for (String s : logDir) {
 String trimPath = s.trim();
 File file = new File(workspaceBasePath, trimPath);
- if (!StringUtils.isBlank(trimPath) && file.getCanonicalPath().startsWith(workspaceBasePath)) {
+ if (!StringUtils.isBlank(trimPath) && file.getCanonicalFile().toPath().startsWith(workspaceBasePath)) {
 String logPath = file.getAbsolutePath();
 AttachmentModel reportFiles = attachLogFiles(buildTriggerTime, workspaceBasePath, logPath, issueKey, jwtToken, "", "Other Files", true);
 uploadedFileNames.addAll(reportFiles.getAttachments());
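Review bot: The path passed on to `attachLogFiles` is `file.getAbsolutePath()`, which is not the path the new condition validated: it keeps any `..` segments and unresolved links in `trimPath`, so the location later read can differ from the one checked if a link changes in between. Use the canonical form for both, e.g. `String logPath = file.getCanonicalPath();`, or compute `Path real = file.getCanonicalFile().toPath();` once and use it in the condition and as the argument (needs a `java.nio.file.Path` import). The `for` loop and the enclosing `addAttachments` method continue outside the hunk, and it is not visible here whether `logDir` comes from user configuration or how `attachLogFiles` uses `logPath`, so this is worth confirming against those callers.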