[JENKINS-32778] - Prevent extracting archived plugins outside of target path#3402
Conversation
caeb5c2 to
7f81cb3
Compare
|
Thanks for your contribution!
As I pointed out in Jira, this happens basically immediately prior to executing arbitrary code in the archive, so we don't consider this a vulnerability: No trust boundaries are crossed. We'll go with a different changelog entry that doesn't scare users unnecessarily. (If you are aware of a different situation than JENKINS-32778 in which someone can write to paths they otherwise couldn't write to, please report it as described on https://jenkins.io/security/#reporting-vulnerabilities so we can expedite inclusion into LTS. Thanks!) |
7f81cb3 to
509035e
Compare
oleg-nenashev
left a comment
There was a problem hiding this comment.
It would be nice to do some exploration regarding other cases non-related to plugin manager. But it seems to be a reasonable improvement so +1
|
@daniel-beck according to the discussion, I have recategorized this ticket as RFE and adjusted the changelog proposal. Please feel free to change |
See JENKINS-32778, or details below.
Proposed changelog entries
Submitter checklist
* Use the
Internal:prefix if the change has no user-visible impact (API, test frameworks, etc.)For dependency updates: links to external changelogs and, if possible, full diffsDesired reviewers
@mention
Details
This PR is meant to fix an arbitrary file write vulnerability, that can be achieved using a specially crafted zip archive, that holds path traversal filenames. When the filename gets concatenated to the target extraction directory, the final path ends up outside of the target folder.
A sample malicious zip file (see this gist) or jar file can cause arbitrary files to be written outside of the directory intended.
There are various possible ways to avoid this issue, some include checking for
..(dot dot) characters in the filename, but the best solution in our opinion is to check if the final target filename, starts with the target folder (after both are resolved to their absolute path).Stay secure,
Snyk Team