[JENKINS-32778] - Prevent extracting archived plugins outside of target path

[aviadatsnyk]

See JENKINS-32778, or details below.

Proposed changelog entries

• RFE: Ensure there is no path traversal during Jenkins plugin installation

Submitter checklist

• JIRA issue is well described
• Changelog entry appropriate for the audience affected by the change (users or developer, depending on the change).
  * Use the Internal: prefix if the change has no user-visible impact (API, test frameworks, etc.)
• Appropriate autotests or explanation to why this change has no tests
• For dependency updates: links to external changelogs and, if possible, full diffs

Desired reviewers

@mention

Details

This PR is meant to fix an arbitrary file write vulnerability, that can be achieved using a specially crafted zip archive, that holds path traversal filenames. When the filename gets concatenated to the target extraction directory, the final path ends up outside of the target folder.

A sample malicious zip file (see this gist) or jar file can cause arbitrary files to be written outside of the directory intended.

There are various possible ways to avoid this issue, some include checking for .. (dot dot) characters in the filename, but the best solution in our opinion is to check if the final target filename, starts with the target folder (after both are resolved to their absolute path).

Stay secure,
Snyk Team

[daniel-beck]

Thanks for your contribution!

fix Jenkins plugin installation path traversal vulnerability

As I pointed out in Jira, this happens basically immediately prior to executing arbitrary code in the archive, so we don't consider this a vulnerability: No trust boundaries are crossed. We'll go with a different changelog entry that doesn't scare users unnecessarily.

(If you are aware of a different situation than JENKINS-32778 in which someone can write to paths they otherwise couldn't write to, please report it as described on https://jenkins.io/security/#reporting-vulnerabilities so we can expedite inclusion into LTS. Thanks!)

[oleg-nenashev]

It would be nice to do some exploration regarding other cases non-related to plugin manager. But it seems to be a reasonable improvement so +1

[oleg-nenashev]

@daniel-beck according to the discussion, I have recategorized this ticket as RFE and adjusted the changelog proposal. Please feel free to change