

[SECURITY-3205]
mtughan committed Dec 12, 2023
1 parent 6a89fd4 commit bfa9b30
Showing 2 changed files with 37 additions and 1 deletion.
Expand Up @@ -332,7 +332,12 @@ public HttpResponse doRemoveScript(StaplerRequest res, StaplerResponse rsp, @Que
checkPermission(ScriptlerPermissions.CONFIGURE);

// remove the file
File oldScript = new File(getScriptDirectory(), id);
File scriptDirectory = getScriptDirectory();
File oldScript = new File(scriptDirectory, id);
if (!Util.isDescendant(scriptDirectory, oldScript)) {
LOGGER.log(Level.WARNING, "Folder traversal detected, file path received: {0}, after fixing: {1}", new Object[]{id, oldScript});
throw new Failure("Invalid file path received: " + id);
}
if(!oldScript.delete() && oldScript.exists()) {
throw new Failure("not able to delete " + oldScript.getAbsolutePath());
}
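Review bot: The descendant check on the added lines still lets an `id` that resolves to the script directory itself through (an empty or `.` id), because a path is normally treated as a descendant of itself, so such a request falls through to `oldScript.delete()` on the directory instead of being rejected as an invalid path. Rejecting a directory target alongside the traversal check keeps the error explicit without changing the idempotent handling of a missing file: `if (!Util.isDescendant(scriptDirectory, oldScript) || oldScript.isDirectory()) {`. If `Util` here is Jenkins' `hudson.Util`, its `isDescendant` also declares `IOException`, which `doRemoveScript` has to propagate or wrap; the method's signature and tail lie outside the hunk, so I cannot see whether that is already handled.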
Expand Up @@ -4,6 +4,10 @@
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;

import java.net.URL;
import java.util.Collections;
import org.htmlunit.HttpMethod;
import org.htmlunit.WebRequest;
import org.htmlunit.html.*;
//import org.htmlunit.javascript.host.URL;
import hudson.ExtensionList;
Expand All @@ -18,9 +22,11 @@
import java.util.List;

import org.apache.commons.fileupload.FileItem;
import org.htmlunit.util.NameValuePair;
import org.jenkinsci.plugins.scriptler.ScriptlerManagementHelper;
import org.jenkinsci.plugins.scriptler.ScriptlerManagement;
import org.jenkinsci.plugins.scriptler.config.Parameter;
import org.jenkinsci.plugins.scriptler.config.ScriptlerConfiguration;
import org.junit.*;
import org.jvnet.hudson.test.BuildWatcher;
import org.jvnet.hudson.test.Issue;
Expand Down Expand Up @@ -127,4 +133,29 @@ public void testUnknownScript() throws Exception {
JenkinsRule.WebClient webClient = j.createWebClient();
webClient.goTo("scriptler/runScript?id=unknown.groovy");
}

@Test
@Issue("SECURITY-3205")
public void fixFolderTraversalThroughDeleteScript() throws Exception {
File configurationFile = ScriptlerConfiguration.getXmlFile().getFile();
String path = "../" + configurationFile.getName();

try (JenkinsRule.WebClient webClient = j.createWebClient()) {
URL rootUrl = new URL(webClient.getContextPath() + "scriptler/removeScript");
WebRequest req = new WebRequest(rootUrl, HttpMethod.POST);
req.setRequestParameters(Collections.singletonList(new NameValuePair("id", path)));
webClient.addCrumb(req);
webClient.getPage(req);
fail();
} catch (FailingHttpStatusCodeException e) {
if (e.getStatusCode() != 400) {
// some other kind of error that we're not checking for
throw e;
}
if (!configurationFile.exists()) {
fail("The configuration file was deleted");
}
assert(e.getResponse().getContentAsString().contains("Invalid file path received: " + path));
}
}
}
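Review bot: The response-body check at the end of `fixFolderTraversalThroughDeleteScript` uses the Java `assert` statement, which is a no-op unless the JVM runs with `-ea`, so the check that the 400 response carries the "Invalid file path received" message can pass without ever being evaluated; the file already statically imports `assertTrue`, so `assertTrue(e.getResponse().getContentAsString().contains("Invalid file path received: " + path));` makes it unconditional. The bare `fail()` after `webClient.getPage(req)` would also be more useful with a reason, e.g. `fail("removeScript accepted a traversal id and returned success");`. The configuration-file existence check only runs on the 400 branch; moving it into a `finally` would also report the file being deleted when some other status code comes back.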
