
[JENKINS-32778] - Prevent extracting archived plugins outside of target path #3402

Merged: 1 commit, May 5, 2018

Conversation

aviadatsnyk
Contributor

@aviadatsnyk aviadatsnyk commented Apr 23, 2018

See JENKINS-32778, or details below.

Proposed changelog entries

  • RFE: Ensure there is no path traversal during Jenkins plugin installation

Submitter checklist

  • JIRA issue is well described
  • Changelog entry appropriate for the audience affected by the change (users or developer, depending on the change).
    * Use the Internal: prefix if the change has no user-visible impact (API, test frameworks, etc.)
  • Appropriate autotests or explanation to why this change has no tests
  • For dependency updates: links to external changelogs and, if possible, full diffs

Desired reviewers

@mention

Details

This PR is meant to fix an arbitrary file write vulnerability that can be achieved using a specially crafted zip archive that holds path traversal filenames. When the filename gets concatenated to the target extraction directory, the final path ends up outside of the target folder.

A sample malicious zip file (see this gist) or jar file can cause arbitrary files to be written outside of the directory intended.

There are various possible ways to avoid this issue; some include checking for .. (dot dot) characters in the filename, but the best solution in our opinion is to check if the final target filename starts with the target folder (after both are resolved to their absolute path).

Stay secure,
Snyk Team
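The check proposed above, resolving the entry name against the extraction directory and refusing it unless the resolved absolute path still lies inside that directory, as an added illustration that is not part of the PR or of Jenkins core. The class name `SafeUnzip`, the helpers `resolveInside`, `extract` and `buildZip`, and the `ZipSlipException` type are all assumptions made for this example; the archives it extracts are constructed in memory with one benign entry and one `../` entry.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

// Hypothetical class written for this example; not code from the PR.
public class SafeUnzip {

    /** Thrown when an archive entry would land outside the extraction directory. */
    public static class ZipSlipException extends IOException {
        public ZipSlipException(String msg) { super(msg); }
    }

    /**
     * Resolve an entry name against the extraction directory and reject it unless the
     * resolved, normalised path is still inside that directory. Both sides are made
     * absolute and normalised first, so "../" segments (and absolute entry names)
     * cannot fool the comparison.
     */
    static Path resolveInside(Path targetDir, String entryName) throws ZipSlipException {
        Path base = targetDir.toAbsolutePath().normalize();
        Path candidate = base.resolve(entryName).normalize();
        // Path.startsWith compares whole path components, so a base of "/tmp/out"
        // does not accept "/tmp/outside/x" the way a String prefix test would.
        if (!candidate.startsWith(base)) {
            throw new ZipSlipException("entry escapes target directory: " + entryName);
        }
        return candidate;
    }

    /** Extract every entry under targetDir, failing before any write on the first bad entry. */
    static void extract(InputStream archive, Path targetDir) throws IOException {
        try (ZipInputStream zin = new ZipInputStream(archive)) {
            ZipEntry e;
            while ((e = zin.getNextEntry()) != null) {
                Path dest = resolveInside(targetDir, e.getName());
                if (e.isDirectory()) {
                    Files.createDirectories(dest);
                } else {
                    Files.createDirectories(dest.getParent());
                    Files.copy(zin, dest, StandardCopyOption.REPLACE_EXISTING);
                }
                zin.closeEntry();
            }
        }
    }

    /** Build a small in-memory archive with the given entry names (constructed test data). */
    static byte[] buildZip(String... entryNames) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zout = new ZipOutputStream(bos)) {
            for (String name : entryNames) {
                zout.putNextEntry(new ZipEntry(name));
                zout.write(("content of " + name).getBytes(StandardCharsets.UTF_8));
                zout.closeEntry();
            }
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        Path out = Files.createTempDirectory("safe-unzip");

        // A benign archive extracts normally.
        extract(new ByteArrayInputStream(buildZip("plugin/lib/a.txt")), out);
        System.out.println("benign entry written: " + Files.exists(out.resolve("plugin/lib/a.txt")));

        // An entry whose name climbs out of the target directory is refused
        // before anything is written.
        try {
            extract(new ByteArrayInputStream(buildZip("../escaped.txt")), out);
            System.out.println("traversal entry was NOT rejected");
        } catch (ZipSlipException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
        System.out.println("file outside target exists: " + Files.exists(out.resolveSibling("escaped.txt")));
    }
}
```

Two details matter in practice: the comparison is done on `Path` components rather than on strings, so a sibling directory that merely shares a name prefix with the target is not mistaken for the target; and the check runs before any file is created, so a rejected archive leaves nothing behind. If the extraction directory itself may be reached through a symlink, `toRealPath()` on the base (and on each created parent) is the stricter form of "resolved to their absolute path" than `toAbsolutePath().normalize()`.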

@aviadatsnyk aviadatsnyk force-pushed the fix/zip-slip branch 2 times, most recently from caeb5c2 to 7f81cb3 Compare April 23, 2018 10:20
@daniel-beck
Member

Thanks for your contribution!

fix Jenkins plugin installation path traversal vulnerability

As I pointed out in Jira, this happens basically immediately prior to executing arbitrary code in the archive, so we don't consider this a vulnerability: No trust boundaries are crossed. We'll go with a different changelog entry that doesn't scare users unnecessarily.

(If you are aware of a different situation than JENKINS-32778 in which someone can write to paths they otherwise couldn't write to, please report it as described on https://jenkins.io/security/#reporting-vulnerabilities so we can expedite inclusion into LTS. Thanks!)


@oleg-nenashev oleg-nenashev left a comment


It would be nice to do some exploration regarding other cases unrelated to the plugin manager. But it seems to be a reasonable improvement, so +1.

@oleg-nenashev oleg-nenashev added the ready-for-merge The PR is ready to go, and it will be merged soon if there is no negative feedback label Apr 27, 2018
@oleg-nenashev oleg-nenashev requested a review from daniel-beck May 3, 2018 09:58
@oleg-nenashev oleg-nenashev changed the title fix: prevent extracting archived plugins outside of target path [JENKINS-32778] - Prevent extracting archived plugins outside of target path May 5, 2018
@oleg-nenashev oleg-nenashev merged commit 8ede533 into jenkinsci:master May 5, 2018
@oleg-nenashev
Member

@daniel-beck according to the discussion, I have recategorized this ticket as RFE and adjusted the changelog proposal. Please feel free to change it.
