Branch: refs/heads/master
  Home:   https://github.com/jenkinsci/git-client-plugin
  Commit: 8db2283a90562385713a2cafa3175c1241bcd587
      
https://github.com/jenkinsci/git-client-plugin/commit/8db2283a90562385713a2cafa3175c1241bcd587
  Author: Jonathan Leitschuh <jonathan.leitsc...@gmail.com>
  Date:   2022-07-30 (Sat, 30 Jul 2022)

  Changed paths:
    M src/test/java/org/jenkinsci/plugins/gitclient/GitAPITestCase.java

  Log Message:
  -----------
  vuln-fix: Zip Slip Vulnerability

This fixes a Zip-Slip vulnerability.

This change does one of two things. This change either

1. Inserts a guard to protect against Zip Slip.
OR
2. Replaces `dir.getCanonicalPath().startsWith(parent.getCanonicalPath())`, 
which is vulnerable to partial path traversal attacks, with the more secure 
`dir.getCanonicalFile().toPath().startsWith(parent.getCanonicalFile().toPath())`.

For number 2, consider `"/usr/outnot".startsWith("/usr/out")`.
The check is bypassed although `/outnot` is not under the `/out` directory.
It's important to understand that the terminating slash may be removed when 
using various `String` representations of the `File` object.
For example, on Linux, `println(new File("/var"))` will print `/var`, but 
`println(new File("/var", "/"))` will print `/var/`;
however, `println(new File("/var", "/").getCanonicalPath())` will print `/var`.

Weakness: CWE-22: Improper Limitation of a Pathname to a Restricted Directory 
('Path Traversal')
Severity: High
CVSS: 7.4
Detection: CodeQL 
(https://codeql.github.com/codeql-query-help/java/java-zipslip/) & OpenRewrite 
(https://public.moderne.io/recipes/org.openrewrite.java.security.ZipSlip)

Reported-by: Jonathan Leitschuh <jonathan.leitsc...@gmail.com>
Signed-off-by: Jonathan Leitschuh <jonathan.leitsc...@gmail.com>

Bug-tracker: https://github.com/JLLeitschuh/security-research/issues/16

Co-authored-by: Moderne <t...@moderne.io>


  Commit: 47d113b2905edd812ded554485e53f3e7191ed1a
      
https://github.com/jenkinsci/git-client-plugin/commit/47d113b2905edd812ded554485e53f3e7191ed1a
  Author: Mark Waite <mark.earl.wa...@gmail.com>
  Date:   2022-07-29 (Fri, 29 Jul 2022)

  Changed paths:
    M src/test/java/org/jenkinsci/plugins/gitclient/GitAPITestCase.java

  Log Message:
  -----------
  Merge pull request #883 from 
BulkSecurityGeneratorProjectV2/fix/JLL/zip-slip-vulnerability

[SECURITY] Fix Zip Slip Vulnerability


Compare: 
https://github.com/jenkinsci/git-client-plugin/compare/77bbeeed3b16...47d113b2905e
