Skip to content

[JENKINS-32778] - Prevent extracting archived plugins outside of target path#3402

Merged
oleg-nenashev merged 1 commit into
jenkinsci:masterfrom
aviadatsnyk:fix/zip-slip
May 5, 2018
Merged

[JENKINS-32778] - Prevent extracting archived plugins outside of target path#3402
oleg-nenashev merged 1 commit into
jenkinsci:masterfrom
aviadatsnyk:fix/zip-slip

Conversation

@aviadatsnyk

@aviadatsnyk aviadatsnyk commented Apr 23, 2018

Copy link
Copy Markdown
Contributor

See JENKINS-32778, or details below.

Proposed changelog entries

  • RFE: Ensure there is no path traversal during Jenkins plugin installation

Submitter checklist

  • JIRA issue is well described
  • Changelog entry appropriate for the audience affected by the change (users or developer, depending on the change).
    * Use the Internal: prefix if the change has no user-visible impact (API, test frameworks, etc.)
  • Appropriate autotests or explanation to why this change has no tests
  • For dependency updates: links to external changelogs and, if possible, full diffs

Desired reviewers

@mention

Details

This PR is meant to fix an arbitrary file write vulnerability, that can be achieved using a specially crafted zip archive, that holds path traversal filenames. When the filename gets concatenated to the target extraction directory, the final path ends up outside of the target folder.

A sample malicious zip file (see this gist) or jar file can cause arbitrary files to be written outside of the directory intended.

There are various possible ways to avoid this issue, some include checking for .. (dot dot) characters in the filename, but the best solution in our opinion is to check if the final target filename, starts with the target folder (after both are resolved to their absolute path).

Stay secure,
Snyk Team

@aviadatsnyk
aviadatsnyk force-pushed the fix/zip-slip branch 2 times, most recently from caeb5c2 to 7f81cb3 Compare April 23, 2018 10:20
@daniel-beck

Copy link
Copy Markdown
Member

Thanks for your contribution!

fix Jenkins plugin installation path traversal vulnerability

As I pointed out in Jira, this happens basically immediately prior to executing arbitrary code in the archive, so we don't consider this a vulnerability: No trust boundaries are crossed. We'll go with a different changelog entry that doesn't scare users unnecessarily.

(If you are aware of a different situation than JENKINS-32778 in which someone can write to paths they otherwise couldn't write to, please report it as described on https://jenkins.io/security/#reporting-vulnerabilities so we can expedite inclusion into LTS. Thanks!)

@oleg-nenashev oleg-nenashev left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would be nice to do some exploration regarding other cases non-related to plugin manager. But it seems to be a reasonable improvement so +1

@oleg-nenashev oleg-nenashev added the ready-for-merge The PR is ready to go, and it will be merged soon if there is no negative feedback label Apr 27, 2018
@oleg-nenashev
oleg-nenashev requested a review from daniel-beck May 3, 2018 09:58
@oleg-nenashev oleg-nenashev changed the title fix: prevent extracting archived plugins outside of target path [JENKINS-32778] - Prevent extracting archived plugins outside of target path May 5, 2018
@oleg-nenashev
oleg-nenashev merged commit 8ede533 into jenkinsci:master May 5, 2018
@oleg-nenashev

Copy link
Copy Markdown
Member

@daniel-beck according to the discussion, I have recategorized this ticket as RFE and adjusted the changelog proposal. Please feel free to change

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

ready-for-merge The PR is ready to go, and it will be merged soon if there is no negative feedback

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants