Merge pull request #506 from dwnusbaum/security-fix-test-compatibility
Fix recent security fixes if JENKINS_HOME is a symlink and update tests for compatibility with recent versions of Git plugin and Windows
dwnusbaum authored Feb 17, 2022
2 parents f7ae7b7 + f52643b commit 52d3de6
Showing 2 changed files with 6 additions and 2 deletions.
Expand Up @@ -179,7 +179,7 @@ public boolean isLightweight() {
}

FilePath scriptFile = dir.child(expandedScriptPath);
if (!new File(scriptFile.getRemote()).getCanonicalFile().toPath().startsWith(dir.absolutize().getRemote())) { // TODO JENKINS-26838
if (!new File(scriptFile.getRemote()).getCanonicalFile().toPath().startsWith(new File(dir.getRemote()).getCanonicalPath())) { // TODO JENKINS-26838
throw new IOException(scriptFile + " references a file that is not inside " + dir);
}
if (!scriptFile.exists()) {
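Review bot: The rejection on the new line is now right when the checkout directory itself sits under a symlink, but nothing in the hunk records why both sides must be canonicalized, and a later reader could "simplify" one side back to `dir.absolutize()`; add above it `// Canonicalize both sides: the checkout dir may itself live under a symlink (e.g. JENKINS_HOME), and Path.startsWith compares whole path components, so "dir2" is not treated as inside "dir".` The check resolves links on the controller's own filesystem via java.io.File, which is only meaningful if `dir` is controller-local — it appears to be, but the enclosing method starts outside the hunk so that cannot be confirmed here. Note also that the canonical check and the later `scriptFile.exists()`/read are separate operations on `scriptFile` rather than on the canonicalized File, so a link that changes between the two steps is not re-validated; reading the script through the canonical path, or re-checking at read time, would close that gap.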
Expand Up @@ -272,7 +272,10 @@ public class CpsScmFlowDefinitionTest {
FileUtils.copyDirectory(new File(sampleRepo.getRoot(), ".git"), gitDirInSvnRepo);
String jenkinsRootDir = r.jenkins.getRootDir().toString();
// Add a Git post-checkout hook to the .git folder in the SVN repo.
Files.write(gitDirInSvnRepo.toPath().resolve("hooks/post-checkout"), ("#!/bin/sh\ntouch '" + jenkinsRootDir + "/hook-executed'\n").getBytes(StandardCharsets.UTF_8));
Path postCheckoutHook = gitDirInSvnRepo.toPath().resolve("hooks/post-checkout");
// Always create hooks directory for compatibility with https://github.com/jenkinsci/git-plugin/pull/1207.
Files.createDirectories(postCheckoutHook.getParent());
Files.write(postCheckoutHook, ("#!/bin/sh\ntouch '" + jenkinsRootDir + "/hook-executed'\n").getBytes(StandardCharsets.UTF_8));
sampleRepoSvn.svnkit("add", sampleRepoSvn.wc() + "/Jenkinsfile");
sampleRepoSvn.svnkit("add", sampleRepoSvn.wc() + "/.git");
sampleRepoSvn.svnkit("propset", "svn:executable", "ON", sampleRepoSvn.wc() + "/.git/hooks/post-checkout");
Expand All @@ -290,6 +293,7 @@ public class CpsScmFlowDefinitionTest {
@Issue("SECURITY-2595")
@Test
public void scriptPathSymlinksCannotEscapeCheckoutDirectory() throws Exception {
assumeFalse(Functions.isWindows()); // On Windows, the symlink is treated as a regular file, so there is no vulnerability, but the error message is different.
sampleRepo.init();
Path secrets = Paths.get(sampleRepo.getRoot().getPath(), "Jenkinsfile");
Files.createSymbolicLink(secrets, Paths.get(r.jenkins.getRootDir() + "/secrets/master.key"));
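Review bot: The `assumeFalse(Functions.isWindows())` guard in the second hunk skips the SECURITY-2595 regression test on Windows on the stated assumption that the symlink is checked out as a regular file; that holds for Git's default `core.symlinks=false`, but not on a Windows agent where symlink support has been enabled, in which case the escape path is exercised and left untested. The comment should state that dependency, e.g. `// Skipped on Windows: with Git's default core.symlinks=false the link is checked out as a plain file, so the path check rejects nothing and the expected error message differs.` An alternative is to keep the test running and branch only the expected message on `Functions.isWindows()`, so the containment check stays covered on both platforms; the assertion lines are outside this hunk. The test method continues past the end of the hunk.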

1 comment on commit 52d3de6

@Sam1414
This update, which checks out into a randomized directory, also creates a new directory in the case of NullSCM, i.e., even when there is no checkout. I'm using the hudson.NullSCM class to get the script from the local directory, but the plugin is creating a new randomized directory every time and searching for the Jenkinsfile in that directory.
