Branch: refs/heads/feature/make-our-jenkins-plugin-compatible-with-jenkins-configuration-as-code
Home: https://github.com/jenkinsci/tm4j-automation-plugin

Commit: 79ad8d6424f94c058013aa23bbd2f827e4559c63
    https://github.com/jenkinsci/tm4j-automation-plugin/commit/79ad8d6424f94c058013aa23bbd2f827e4559c63
Author: Jonathan Leitschuh <jonathan.leitsc...@gmail.com>
Date: 2022-08-08 (Mon, 08 Aug 2022)

Changed paths:
  M src/main/java/com/adaptavist/tm4j/jenkins/io/FileWriter.java

Log Message:
-----------
vuln-fix: Zip Slip Vulnerability

This fixes a Zip-Slip vulnerability.

This change does one of two things. This change either

1. Inserts a guard to protect against Zip Slip.

OR

2. Replaces `dir.getCanonicalPath().startsWith(parent.getCanonicalPath())`,
   which is vulnerable to partial path traversal attacks, with the more secure
   `dir.getCanonicalFile().toPath().startsWith(parent.getCanonicalFile().toPath())`.

For number 2, consider `"/usr/outnot".startsWith("/usr/out")`.
The check is bypassed although `/outnot` is not under the `/out` directory.

It's important to understand that the terminating slash may be removed when using
various `String` representations of the `File` object.
For example, on Linux, `println(new File("/var"))` will print `/var`, but
`println(new File("/var", "/"))` will print `/var/`; however,
`println(new File("/var", "/").getCanonicalPath())` will print `/var`.

Weakness: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Severity: High
CVSS: 7.4
Detection: CodeQL (https://codeql.github.com/codeql-query-help/java/java-zipslip/) & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.ZipSlip)

Reported-by: Jonathan Leitschuh <jonathan.leitsc...@gmail.com>
Signed-off-by: Jonathan Leitschuh <jonathan.leitsc...@gmail.com>

Bug-tracker: https://github.com/JLLeitschuh/security-research/issues/16

Co-authored-by: Moderne <t...@moderne.io>

Commit: dc761f9a0bf2ac478a697a507ada2e6fdb9f5597
    https://github.com/jenkinsci/tm4j-automation-plugin/commit/dc761f9a0bf2ac478a697a507ada2e6fdb9f5597
Author: Aderibole Oluwajuwon Feyisayo <aderiboleju...@gmail.com>
Date: 2022-08-10 (Wed, 10 Aug 2022)

Changed paths:
  M src/main/java/com/adaptavist/tm4j/jenkins/io/FileWriter.java

Log Message:
-----------
Merge pull request #50 from BulkSecurityGeneratorProjectV2/fix/JLL/zip-slip-vulnerability

[SECURITY] Fix Zip Slip Vulnerability

Commit: a5f1e3ed5e603751afe5cec807b067444b89d271
    https://github.com/jenkinsci/tm4j-automation-plugin/commit/a5f1e3ed5e603751afe5cec807b067444b89d271
Author: Oluwajuwon Aderibole <oaderib...@paga.com>
Date: 2022-08-10 (Wed, 10 Aug 2022)

Changed paths:
  M pom.xml

Log Message:
-----------
release 3.2.2

Commit: b618de712a18d1cf87e45f89dc5d3051bbbd8fca
    https://github.com/jenkinsci/tm4j-automation-plugin/commit/b618de712a18d1cf87e45f89dc5d3051bbbd8fca
Author: Aderibole Oluwajuwon Feyisayo <aderiboleju...@gmail.com>
Date: 2022-08-10 (Wed, 10 Aug 2022)

Changed paths:
  M pom.xml

Log Message:
-----------
Merge pull request #51 from jenkinsci/jenkinsci/release/3.2.2

release 3.2.2

Commit: 20b1e8a860be41246332aa33a0302cbe36135c52
    https://github.com/jenkinsci/tm4j-automation-plugin/commit/20b1e8a860be41246332aa33a0302cbe36135c52
Author: Aderibole Oluwajuwon Feyisayo <aderiboleju...@gmail.com>
Date: 2022-08-11 (Thu, 11 Aug 2022)

Changed paths:
  M pom.xml
  M src/main/java/com/adaptavist/tm4j/jenkins/io/FileWriter.java

Log Message:
-----------
Merge branch 'master' into feature/make-our-jenkins-plugin-compatible-with-jenkins-configuration-as-code

Compare: https://github.com/jenkinsci/tm4j-automation-plugin/compare/0e48a4c79458...20b1e8a860be

--
You received this message because you are subscribed to the Google Groups "Jenkins Commits" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-commits+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-commits/jenkinsci/tm4j-automation-plugin/push/refs/heads/feature/make-our-jenkins-plugin-compatible-with-jenkins-configuration-as-code/0e48a4-20b1e8%40github.com.
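The partial-path-traversal point in the first commit message (a `String.startsWith` on canonical paths accepts a sibling directory such as `/usr/outnot` when the parent is `/usr/out`, whereas `Path.startsWith` compares whole name elements) is easy to see with a small contrast. The following is an added example written for this page; it is not the tm4j-automation-plugin's `FileWriter` code, and the class name `ZipSlipCheckDemo`, the method names and the temporary directory layout are assumptions chosen for illustration.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Added example, not the plugin's code: contrasts the string-prefix check the
// commit message describes as vulnerable with the Path-based check it prefers.
public class ZipSlipCheckDemo {

    // Vulnerable form: a String prefix test. Because "/x/outnot" starts with
    // "/x/out" as a string, a sibling directory passes the check.
    static boolean insideByString(File parent, File child) throws IOException {
        return child.getCanonicalPath().startsWith(parent.getCanonicalPath());
    }

    // Hardened form: Path.startsWith compares name element by name element,
    // so "/x/outnot" is not considered to start with "/x/out".
    static boolean insideByPath(File parent, File child) throws IOException {
        return child.getCanonicalFile().toPath()
                    .startsWith(parent.getCanonicalFile().toPath());
    }

    // Typical extraction guard: resolve an archive entry name against the
    // target directory and reject it unless the canonical result stays inside.
    static File resolveEntry(File targetDir, String entryName) throws IOException {
        File candidate = new File(targetDir, entryName);
        if (!insideByPath(targetDir, candidate)) {
            throw new IOException("entry is outside of the target dir: " + entryName);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout: <tmp>/out is the extraction target,
        // <tmp>/outnot is a sibling that shares the string prefix.
        Path base = Files.createTempDirectory("zipslip-demo");
        File out = new File(base.toFile(), "out");
        File outnot = new File(base.toFile(), "outnot");

        System.out.println("string check, sibling 'outnot': " + insideByString(out, outnot)); // true  (bypass)
        System.out.println("path check,   sibling 'outnot': " + insideByPath(out, outnot));   // false (rejected)

        File traversal = new File(out, "../outside.txt");
        System.out.println("string check, ../outside.txt  : " + insideByString(out, traversal)); // false
        System.out.println("path check,   ../outside.txt  : " + insideByPath(out, traversal));   // false

        File nested = new File(out, "sub/ok.txt");
        System.out.println("path check,   sub/ok.txt      : " + insideByPath(out, nested));      // true

        // The terminating-slash point from the commit message: the canonical
        // form of new File(out, "/") drops the trailing separator again.
        System.out.println("File(out, \"/\")                 : " + new File(out, "/"));
        System.out.println("File(out, \"/\").getCanonicalPath: " + new File(out, "/").getCanonicalPath());

        try {
            resolveEntry(out, "../outside.txt");
        } catch (IOException e) {
            System.out.println("guard: " + e.getMessage());
        }
    }
}
```

Both helpers canonicalise first, so symlinks inside the target directory are resolved before the comparison; the difference is only in how the prefix is compared. Note that the string form also does not fail on the classic `../` case (canonicalisation already removes the `..`), which is why the sibling-directory case is the one worth testing when auditing a check of this shape.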