Branch: refs/heads/master
  Home:   https://github.com/jenkinsci/tm4j-automation-plugin
  Commit: 79ad8d6424f94c058013aa23bbd2f827e4559c63
      
https://github.com/jenkinsci/tm4j-automation-plugin/commit/79ad8d6424f94c058013aa23bbd2f827e4559c63
  Author: Jonathan Leitschuh <jonathan.leitsc...@gmail.com>
  Date:   2022-08-08 (Mon, 08 Aug 2022)

  Changed paths:
    M src/main/java/com/adaptavist/tm4j/jenkins/io/FileWriter.java

  Log Message:
  -----------
  vuln-fix: Zip Slip Vulnerability

This fixes a Zip-Slip vulnerability.

This change does one of two things. This change either

1. Inserts a guard to protect against Zip Slip.
OR
2. Replaces `dir.getCanonicalPath().startsWith(parent.getCanonicalPath())`, 
which is vulnerable to partial path traversal attacks, with the more secure 
`dir.getCanonicalFile().toPath().startsWith(parent.getCanonicalFile().toPath())`.

For number 2, consider `"/usr/outnot".startsWith("/usr/out")`.
The check is bypassed although `/outnot` is not under the `/out` directory.
It's important to understand that the terminating slash may be removed when 
using various `String` representations of the `File` object.
For example, on Linux, `println(new File("/var"))` will print `/var`, but 
`println(new File("/var", "/"))` will print `/var/`;
however, `println(new File("/var", "/").getCanonicalPath())` will print `/var`.

Weakness: CWE-22: Improper Limitation of a Pathname to a Restricted Directory 
('Path Traversal')
Severity: High
CVSS: 7.4
Detection: CodeQL 
(https://codeql.github.com/codeql-query-help/java/java-zipslip/) & OpenRewrite 
(https://public.moderne.io/recipes/org.openrewrite.java.security.ZipSlip)

Reported-by: Jonathan Leitschuh <jonathan.leitsc...@gmail.com>
Signed-off-by: Jonathan Leitschuh <jonathan.leitsc...@gmail.com>

Bug-tracker: https://github.com/JLLeitschuh/security-research/issues/16

Co-authored-by: Moderne <t...@moderne.io>

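The partial-path-traversal bypass described in the commit message above is easy to reproduce, and the same check is what a Zip Slip guard needs when it resolves archive entry names under an extraction directory. The following is an added example and is not code from the plugin's `FileWriter` or from the commit: it places the vulnerable `String`-prefix check beside the `Path`-based one, then runs both against a constructed in-memory zip whose entries try to escape a temporary directory. The class name, the temporary directory, the entry names and the `/usr/out` paths are assumptions for illustration; POSIX path semantics are assumed (on Windows the canonical forms differ).

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

// Added example (hypothetical class, not the plugin's FileWriter).
public class ZipSlipGuardDemo {

    /** Vulnerable form: a String prefix test on canonical paths. "/usr/outnot" passes for parent "/usr/out". */
    static boolean stringPrefixCheck(File dir, File parent) throws IOException {
        return dir.getCanonicalPath().startsWith(parent.getCanonicalPath());
    }

    /** Fixed form: Path.startsWith compares whole name components, so a sibling directory never matches. */
    static boolean pathComponentCheck(File dir, File parent) throws IOException {
        return dir.getCanonicalFile().toPath().startsWith(parent.getCanonicalFile().toPath());
    }

    /** Extracts a zip into destDir, rejecting any entry whose resolved location is outside destDir. */
    static List<Path> extract(InputStream zip, File destDir) throws IOException {
        List<Path> written = new ArrayList<>();
        try (ZipInputStream zis = new ZipInputStream(zip)) {
            ZipEntry entry;
            while ((entry = zis.getNextEntry()) != null) {
                // Resolve the entry name under the destination BEFORE touching the file system.
                File target = new File(destDir, entry.getName());
                if (!pathComponentCheck(target, destDir)) {
                    throw new IOException("Zip Slip: entry escapes destination: " + entry.getName());
                }
                if (entry.isDirectory()) {
                    Files.createDirectories(target.toPath());
                } else {
                    Files.createDirectories(target.toPath().getParent());
                    Files.copy(zis, target.toPath()); // reads until end of the current entry
                    written.add(target.toPath());
                }
                zis.closeEntry();
            }
        }
        return written;
    }

    /** Builds a small zip in memory; entry names are constructed sample input for the demo. */
    static byte[] buildZip(String... names) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bos)) {
            for (String name : names) {
                zos.putNextEntry(new ZipEntry(name));
                zos.write(("content of " + name).getBytes(StandardCharsets.UTF_8));
                zos.closeEntry();
            }
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        // 1. The bypass from the commit message: a sibling whose name merely starts with the parent's name.
        File parent = new File("/usr/out");
        File sibling = new File("/usr/outnot");
        System.out.println("String prefix accepts /usr/outnot under /usr/out: " + stringPrefixCheck(sibling, parent));
        System.out.println("Path components accept /usr/outnot under /usr/out: " + pathComponentCheck(sibling, parent));

        // 2. The same bypass against a real extraction directory: "../<dir>-sibling/evil.txt".
        Path dest = Files.createTempDirectory("zipslip-demo");
        String siblingEntry = "../" + dest.getFileName() + "-sibling/evil.txt";
        File target = new File(dest.toFile(), siblingEntry);
        System.out.println("String prefix accepts " + siblingEntry + ": " + stringPrefixCheck(target, dest.toFile()));
        System.out.println("Path components accept " + siblingEntry + ": " + pathComponentCheck(target, dest.toFile()));

        // 3. The guarded extractor: a benign archive is written, a traversal archive is refused.
        byte[] benign = buildZip("reports/result.xml");
        System.out.println("benign entries written: " + extract(new ByteArrayInputStream(benign), dest.toFile()));
        byte[] malicious = buildZip("../escaped.txt", siblingEntry);
        try {
            extract(new ByteArrayInputStream(malicious), dest.toFile());
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac ZipSlipGuardDemo.java && java ZipSlipGuardDemo`. The guard is evaluated on the canonical form of the resolved target, not on the raw entry name, so `..` components, redundant separators and symlinked parents are collapsed before the comparison; the `Path.startsWith` form then treats `/tmp/zipslip-demo123` and `/tmp/zipslip-demo123-sibling` as different directories, which the `String.startsWith` form does not.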

  Commit: dc761f9a0bf2ac478a697a507ada2e6fdb9f5597
      
https://github.com/jenkinsci/tm4j-automation-plugin/commit/dc761f9a0bf2ac478a697a507ada2e6fdb9f5597
  Author: Aderibole Oluwajuwon Feyisayo <aderiboleju...@gmail.com>
  Date:   2022-08-10 (Wed, 10 Aug 2022)

  Changed paths:
    M src/main/java/com/adaptavist/tm4j/jenkins/io/FileWriter.java

  Log Message:
  -----------
  Merge pull request #50 from 
BulkSecurityGeneratorProjectV2/fix/JLL/zip-slip-vulnerability

[SECURITY] Fix Zip Slip Vulnerability


Compare: 
https://github.com/jenkinsci/tm4j-automation-plugin/compare/481b52720ce9...dc761f9a0bf2
