From 26522d9fa6ff270eedef6d50887ddcba4d79c87a Mon Sep 17 00:00:00 2001
From: Devin Nusbaum
Date: Wed, 16 Feb 2022 12:37:23 -0500
Subject: [PATCH 1/2] Update tests for SECURITY-2463 and SECURITY-2595 for compatibility with recent versions of Git plugin and Windows
---
 .../plugins/workflow/cps/CpsScmFlowDefinitionTest.java | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/test/java/org/jenkinsci/plugins/workflow/cps/CpsScmFlowDefinitionTest.java b/src/test/java/org/jenkinsci/plugins/workflow/cps/CpsScmFlowDefinitionTest.java
index 47308c3e1..0b3271c1d 100644
--- a/src/test/java/org/jenkinsci/plugins/workflow/cps/CpsScmFlowDefinitionTest.java
+++ b/src/test/java/org/jenkinsci/plugins/workflow/cps/CpsScmFlowDefinitionTest.java
@@ -272,7 +272,10 @@ public class CpsScmFlowDefinitionTest {
 FileUtils.copyDirectory(new File(sampleRepo.getRoot(), ".git"), gitDirInSvnRepo);
 String jenkinsRootDir = r.jenkins.getRootDir().toString();
 // Add a Git post-checkout hook to the .git folder in the SVN repo.
- Files.write(gitDirInSvnRepo.toPath().resolve("hooks/post-checkout"), ("#!/bin/sh\ntouch '" + jenkinsRootDir + "/hook-executed'\n").getBytes(StandardCharsets.UTF_8));
+ Path postCheckoutHook = gitDirInSvnRepo.toPath().resolve("hooks/post-checkout");
+ // Always create hooks directory for compatibility with https://github.com/jenkinsci/git-plugin/pull/1207.
+ Files.createDirectories(postCheckoutHook.getParent());
+ Files.write(postCheckoutHook, ("#!/bin/sh\ntouch '" + jenkinsRootDir + "/hook-executed'\n").getBytes(StandardCharsets.UTF_8));
 sampleRepoSvn.svnkit("add", sampleRepoSvn.wc() + "/Jenkinsfile");
 sampleRepoSvn.svnkit("add", sampleRepoSvn.wc() + "/.git");
 sampleRepoSvn.svnkit("propset", "svn:executable", "ON", sampleRepoSvn.wc() + "/.git/hooks/post-checkout");
@@ -290,6 +293,7 @@ public class CpsScmFlowDefinitionTest {
 @Issue("SECURITY-2595")
 @Test
 public void scriptPathSymlinksCannotEscapeCheckoutDirectory() throws Exception {
+ assumeFalse(Functions.isWindows()); // On Windows, the symlink is treated as a regular file, so there is no vulnerability, but the error message is different.
 sampleRepo.init();
 Path secrets = Paths.get(sampleRepo.getRoot().getPath(), "Jenkinsfile");
 Files.createSymbolicLink(secrets, Paths.get(r.jenkins.getRootDir() + "/secrets/master.key"));
From f52643be3f9898bbb58c13593aff02379fc7db5b Mon Sep 17 00:00:00 2001
From: Devin Nusbaum
Date: Wed, 16 Feb 2022 15:42:02 -0500
Subject: [PATCH 2/2] Canonicalize parent path in CpsScmFlowDefinition.create in case JENKINS_HOME is a symlink
---
 .../jenkinsci/plugins/workflow/cps/CpsScmFlowDefinition.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/main/java/org/jenkinsci/plugins/workflow/cps/CpsScmFlowDefinition.java b/src/main/java/org/jenkinsci/plugins/workflow/cps/CpsScmFlowDefinition.java
index 490ef12f5..7689348be 100644
--- a/src/main/java/org/jenkinsci/plugins/workflow/cps/CpsScmFlowDefinition.java
+++ b/src/main/java/org/jenkinsci/plugins/workflow/cps/CpsScmFlowDefinition.java
@@ -179,7 +179,7 @@ public boolean isLightweight() {
 }
 FilePath scriptFile = dir.child(expandedScriptPath);
- if (!new File(scriptFile.getRemote()).getCanonicalFile().toPath().startsWith(dir.absolutize().getRemote())) { // TODO JENKINS-26838
+ if (!new File(scriptFile.getRemote()).getCanonicalFile().toPath().startsWith(new File(dir.getRemote()).getCanonicalPath())) { // TODO JENKINS-26838
 throw new IOException(scriptFile + " references a file that is not inside " + dir);
 }
 if (!scriptFile.exists()) {
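Review bot: The `assumeFalse(Functions.isWindows())` added at the top of `scriptPathSymlinksCannotEscapeCheckoutDirectory` in CpsScmFlowDefinitionTest skips the entire SECURITY-2595 regression test on Windows, so the statement in its trailing comment that there is no vulnerability on that platform is no longer verified by anything. If only the error text differs, consider branching on the platform just for the expected message and keeping the platform-independent assertions (presumably that the build fails and nothing from `secrets/master.key` is loaded) running everywhere. The explanation would also be easier to read on its own line above the call, e.g. `// On Windows the symlink is treated as a regular file, so only the error message differs.` The rest of the test body lies outside the hunk, so the exact assertions are not visible here.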
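Review bot: The rewritten containment check in `CpsScmFlowDefinition.java` (the `if` line carrying `TODO JENKINS-26838`) canonicalizes its two sides with different expressions, `getCanonicalFile().toPath()` on the left and a `getCanonicalPath()` String on the right, which is how the sides drifted apart before when the right side used `dir.absolutize()`. Resolving the root once as `Path checkoutRoot = new File(dir.getRemote()).getCanonicalFile().toPath();` and calling `startsWith(checkoutRoot)` keeps the comparison Path-to-Path, and a one-line comment such as `// Both sides must be canonical, otherwise a symlinked JENKINS_HOME makes every script path fail this check.` would record why. The diffstat for this patch lists only the main class, so a regression test that runs the lookup with the checkout directory reached through a symlink would pin both the accepted case and the rejected escape. The enclosing method starts and ends outside the hunk, and `new File(dir.getRemote())` presumably assumes `dir` is local to the controller, which the TODO appears to track.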