Backporting for LTS 2.303.1 #5659

Merged
merged 6 commits into from
Aug 12, 2021
1 change: 1 addition & 0 deletions .mvn/maven.config
@@ -1,2 +1,3 @@
-Pconsume-incrementals
-Pmight-produce-incrementals
-Plts-release
2 changes: 1 addition & 1 deletion core/src/main/java/hudson/FilePath.java
Expand Up @@ -697,7 +697,7 @@ private void unzip(File dir, File zipFile) throws IOException {
while (entries.hasMoreElements()) {
ZipEntry e = entries.nextElement();
File f = new File(dir, e.getName());
if (!f.getCanonicalPath().startsWith(dir.getCanonicalPath())) {
if (!f.getCanonicalFile().toPath().startsWith(dir.getCanonicalPath())) {
throw new IOException(
"Zip " + zipFile.getPath() + " contains illegal file name that breaks out of the target directory: " + e.getName());
}
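Review bot: The check `if (!f.getCanonicalFile().toPath().startsWith(dir.getCanonicalPath()))` carries no comment saying why a Path comparison replaced the String one, so a later "simplification" back to String.startsWith would silently reintroduce the defect JENKINS-66094 fixes; add `// Path.startsWith compares whole name elements: "target/foo_evil.txt" must not count as inside "target/foo" (JENKINS-66094)` above it. `dir.getCanonicalPath()` is also re-resolved for every zip entry; computing `Path target = dir.getCanonicalFile().toPath();` once before the `while` loop and comparing with `startsWith(target)` avoids the repeated filesystem call and compares Path to Path. The loop header and the rest of unzip lie outside the hunk.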
Expand Up @@ -28,6 +28,7 @@
import hudson.model.AdministrativeMonitor;
import hudson.security.Permission;
import jenkins.model.Jenkins;
import jenkins.util.SystemProperties;
import jenkins.util.java.JavaUtils;
import org.jenkinsci.Symbol;
import org.kohsuke.accmod.Restricted;
Expand All @@ -46,9 +47,11 @@
@Symbol("javaVersionRecommendation")
public class JavaVersionRecommendationAdminMonitor extends AdministrativeMonitor {

private static Boolean disabled = SystemProperties.getBoolean(JavaVersionRecommendationAdminMonitor.class.getName() + ".disabled", false);

@Override
public boolean isActivated() {
return JavaUtils.isRunningWithJava8OrBelow();
return !disabled && JavaUtils.isRunningWithJava8OrBelow();
}

@Override
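Review bot: `private static Boolean disabled = SystemProperties.getBoolean(...)` introduces a boxed, mutable field for a value that is read once from a system property and only consulted in `isActivated()`; `private static final boolean DISABLED = ...` would avoid the unboxing in `return !disabled && ...` and state the intent. If the field is deliberately non-final so tests can flip it, a comment saying so would prevent a reviewer from "fixing" it. The new opt-out property also deserves a Javadoc line on the field, e.g. `/** Set the system property {@code <fully-qualified class name>.disabled=true} to suppress this monitor. */`, since nothing on the page documents it. The class body continues past the hunk.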
4 changes: 2 additions & 2 deletions core/src/main/resources/lib/layout/icon.jelly
Expand Up @@ -70,9 +70,9 @@ THE SOFTWARE.

<span class="build-status-icon__wrapper ${attrs.class}" style="${imgStyle}">
<span class="build-status-icon__outer">
<l:svgIcon href="${rootURL}/images/build-status/build-status-sprite.svg#${outerLayer}" id="${attrs.id}" />
<l:svgIcon href="${rootURL}/images/build-status/build-status-sprite.svg#${outerLayer}" id="${attrs.id}" tooltip="${attrs.tooltip}"/>
</span>
<l:svgIcon class="${attrs.class}" href="${iconSrc}" id="${attrs.id}"/>
<l:svgIcon class="${attrs.class}" href="${iconSrc}" id="${attrs.id}" tooltip="${attrs.tooltip}"/>
</span>
</j:when>

2 changes: 1 addition & 1 deletion packaging-ref.txt
@@ -1 +1 @@
master
stable-2.302
2 changes: 1 addition & 1 deletion pom.xml
Expand Up @@ -69,7 +69,7 @@ THE SOFTWARE.
</issueManagement>

<properties>
<revision>2.303</revision>
<revision>2.302.1</revision>
<changelist>-SNAPSHOT</changelist>

<!-- *.html files are in UTF-8, and *.properties are in iso-8859-1, so this configuration is actually incorrect,
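--- a/test/src/test/java/hudson/FilePathTest.java
+++ b/test/src/test/java/hudson/FilePathTest.java
@@ -222,4 +222,63 @@ public void zipTarget_relative() throws Exception {
 assertThat(simple1.exists(), is(true));
 assertThat(simple2.exists(), is(true));
 }
+
+@Test
+@Issue("JENKINS-66094")
+@LocalData("ZipSlipSamePathPrefix")
+public void zipSlipSamePathPrefix() throws Exception {
+assumeFalse(Functions.isWindows());
+
+// > unzip -l evil.zip
+// good.txt
+// ../foo_evil.txt
+FilePath zipFile = r.jenkins.getRootPath().child("evil.zip");
+
+// foo_evil.txt will be extracted to unzip-target/foo_evil.txt
+// which has the same path prefix as unzip-target/foo
+FilePath targetLocationParent = r.jenkins.getRootPath().child("unzip-target");
+FilePath targetLocationFoo = targetLocationParent.child("foo");
+FilePath evilEntry = targetLocationParent.child("foo_evil.txt");
+
+assertThat(evilEntry.exists(), is(false));
+
+try {
+zipFile.unzip(targetLocationFoo);
+fail("The ../foo_evil.txt should have triggered an exception");
+} catch(IOException e){
+e.printStackTrace();
+assertThat(e.getMessage(), containsString("contains illegal file name that breaks out of the target directory"));
+}
+
+assertThat(evilEntry.exists(), is(false));
+}
+
+@Test
+@Issue("JENKINS-66094")
+@LocalData("ZipSlipSamePathPrefix")
+public void zipSlipSamePathPrefixWin() throws Exception {
+assumeTrue(Functions.isWindows());
+
+// > unzip -l evil-win.zip
+// good.txt
+// ..\foo_evil.txt
+FilePath zipFile = r.jenkins.getRootPath().child("evil-win.zip");
+
+// foo_evil.txt will be extracted to unzip-target\foo_evil.txt
+// which has the same path prefix as unzip-target\foo
+FilePath targetLocationParent = r.jenkins.getRootPath().child("unzip-target");
+FilePath targetLocationFoo = targetLocationParent.child("foo");
+FilePath evilEntry = targetLocationParent.child("foo_evil.txt");
+
+assertThat(evilEntry.exists(), is(false));
+
+try {
+zipFile.unzip(targetLocationFoo);
+fail("The ../foo_evil.txt should have triggered an exception");
+} catch(IOException e){
+assertThat(e.getMessage(), containsString("contains illegal file name that breaks out of the target directory"));
+}
+
+assertThat(evilEntry.exists(), is(false));
+}
 }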
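Review bot: The Windows test's failure message `fail("The ../foo_evil.txt should have triggered an exception");` names the POSIX entry although the comment three lines above documents the archive entry as `..\foo_evil.txt`; change it to `fail("The ..\\foo_evil.txt should have triggered an exception");` so a failure report matches the fixture. The non-Windows test also calls `e.printStackTrace()` inside the expected-exception branch, which writes a full stack trace to stderr on every passing run; drop that line, since the `containsString` assertion already records the expectation. Both tests would read more directly as `IOException e = assertThrows(IOException.class, () -> zipFile.unzip(targetLocationFoo));` if the JUnit version in use provides it, which cannot be seen from this page. The unzip behaviour under test, including whether `good.txt` is left partially extracted, is not asserted here; a check that the target stays empty after the rejection would document the intended all-or-nothing contract.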