Path traversal vulnerability on Windows in Jenkins
Research is free — Hunters explains how the bug works, the root-cause code pattern, how the fix addresses it, and how to test whether a target is affected, in chat. Investigate & write exploit is a paid run — the engine reads the advisory and fix commits, then builds and validates a working proof-of-concept exploit with reproduction steps.
Affected versions
Details
The file browser for workspaces, archived artifacts, and `userContent/` in Jenkins 2.314 and earlier, LTS 2.303.1 and earlier may interpret some paths to files as absolute on Windows. This results in a path traversal vulnerability allowing attackers with Overall/Read permission (Windows controller) or Job/Workspace permission (Windows agents) to obtain the contents of arbitrary files.\n\nThe file browser in Jenkins 2.315, LTS 2.303.2 refuses to serve files that would be considered absolute paths.
The fix
[SECURITY-2481]
core/src/main/java/hudson/model/DirectoryBrowserSupport.java+35 −1
@@ -26,6 +26,8 @@import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;import hudson.FilePath;import hudson.Util;++import java.io.File;import java.io.IOException;import java.io.InputStream;import java.io.OutputStream;@@ -52,6 +54,7 @@import java.util.stream.Stream;import javax.servlet.ServletException;import javax.servlet.http.HttpServletResponse;+import jenkins.model.Jenkins;import jenkins.security.MasterToSlaveCallable;import jenkins.security.ResourceDomainConfiguration;@@ -82,6 +85,11 @@ public final class DirectoryBrowserSupport implements HttpResponse {@SuppressFBWarnings(value = "MS_SHOULD_BE_FINAL", justification = "Accessible via System Groovy Scripts")public static boolean ALLOW_SYMLINK_ESCAPE = SystemProperties.getBoolean(DirectoryBrowserSupport.class.getName() + ".allowSymlinkEscape");+/**+* Escape hatch for the protection against SECURITY-2481. If enabled, the absolute paths on Windows will be allowed.+*/+static final String ALLOW_ABSOLUTE_PATH_PROPERTY_NAME = DirectoryBrowserSupport.class.getName() + ".allowAbsolutePath";+public final ModelObject owner;public final String title;@@ -243,7 +251,20 @@ private void serveFile(StaplerRequest req, StaplerResponse rsp, VirtualFile rootString rest = _rest.toString();// this is the base file/directory-VirtualFile baseFile = base.isEmpty() ? root : root.child(base);+VirtualFile baseFile;+if (base.isEmpty()) {+baseFile = root;+} else {+if (!SystemProperties.getBoolean(ALLOW_ABSOLUTE_PATH_PROPERTY_NAME, false)) {+boolean isAbsolute = root.run(new IsAbsolute(base));+if (isAbsolute) {+LOGGER.info(() -> "SECURITY-2481 The path provided in the URL (" + base + ") is absolute and thus is refused.");+rsp.sendError(HttpServletResponse.SC_NOT_FOUND);+return;+}+}+baseFile = root.child(base);+}if (baseFile.hasSymlink(getNoFollowLinks())) {rsp.sendError(HttpServletResponse.SC_NOT_FOUND);@@ -397,6 +418,19 @@ private void serveFile(StaplerRequest req, StaplerResponse rsp, VirtualFile root}}+private static final class IsAbsolute extends MasterToSlaveCallable<Boolean, IOException> {+private final String fragment;++IsAbsolute(String fragment) {+this.fragment = fragment;+}++@Override+public Boolean call() throws IOException {+return new File(fragment).isAbsolute();+}+}+private List<List<Path>> keepReadabilityOnlyOnDescendants(VirtualFile root, boolean patternUsed, List<List<Path>> pathFragmentsList){Stream<List<Path>> pathFragmentsStream = pathFragmentsList.stream().map((List<Path> pathFragments) -> {List<Path> mappedFragments = new ArrayList<>(pathFragments.size());
test/src/test/java/hudson/model/DirectoryBrowserSupportSEC2481Test.java+101 −0
@@ -0,0 +1,101 @@+/*+* The MIT License+*+* Copyright (c) 2004-2009, Sun Microsystems, Inc., Kohsuke Kawaguchi+*+* Permission is hereby granted, free of charge, to any person obtaining a copy+* of this software and associated documentation files (the "Software"), to deal+* in the Software without restriction, including without limitation the rights+* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell+* copies of the Software, and to permit persons to whom the Software is+* furnished to do so, subject to the following conditions:+*+* The above copyright notice and this permission notice shall be included in+* all copies or substantial portions of the Software.+*+* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR+* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,+* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE+* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER+* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,+* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN+* THE SOFTWARE.+*/+package hudson.model;++import com.gargoylesoftware.htmlunit.Page;+import hudson.Functions;+import org.apache.commons.io.FileUtils;+import org.hamcrest.CoreMatchers;+import org.hamcrest.MatcherAssert;+import org.junit.Assume;+import org.junit.Rule;+import org.junit.Test;+import org.jvnet.hudson.test.Issue;+import org.jvnet.hudson.test.JenkinsRule;++import java.io.File;+import java.nio.charset.StandardCharsets;++//TODO merge back to DirectoryBrowserSupportTest+public class DirectoryBrowserSupportSEC2481Test {++@Rule+public JenkinsRule j = new JenkinsRule();++@Test+@Issue("SECURITY-2481")+public void windows_cannotViewAbsolutePath() throws Exception {+Assume.assumeTrue("can only be tested this on Windows", Functions.isWindows());++File targetTmpFile = File.createTempFile("sec2481", "tmp");+String content = "random data provided as fixed value";+FileUtils.writeStringToFile(targetTmpFile, content, StandardCharsets.UTF_8);++JenkinsRule.WebClient wc = j.createWebClient().withThrowExceptionOnFailingStatusCode(false);+Page page = wc.goTo("userContent/" + targetTmpFile.getAbsolutePath() + "/*view*", null);++MatcherAssert.assertThat(page.getWebResponse().getStatusCode(), CoreMatchers.equalTo(404));+}++@Test+@Issue("SECURITY-2481")+public void windows_canViewAbsolutePath_withEscapeHatch() throws Exception {+Assume.assumeTrue("can only be tested this on Windows", Functions.isWindows());++String originalValue = System.getProperty(DirectoryBrowserSupport.ALLOW_ABSOLUTE_PATH_PROPERTY_NAME);+System.setProperty(DirectoryBrowserSupport.ALLOW_ABSOLUTE_PATH_PROPERTY_NAME, "true");+try {+File targetTmpFile = File.createTempFile("sec2481", "tmp");+String content = "random data provided as fixed value";+FileUtils.writeStringToFile(targetTmpFile, content, StandardCharsets.UTF_8);++JenkinsRule.WebClient wc = j.createWebClient().withThrowExceptionOnFailingStatusCode(false);+Page page = wc.goTo("userContent/" + targetTmpFile.getAbsolutePath() + "/*view*", null);++MatcherAssert.assertThat(page.getWebResponse().getStatusCode(), CoreMatchers.equalTo(200));+MatcherAssert.assertThat(page.getWebResponse().getContentAsString(), CoreMatchers.containsString(content));+} finally {+if (originalValue == null) {+System.clearProperty(DirectoryBrowserSupport.ALLOW_ABSOLUTE_PATH_PROPERTY_NAME);+} else {+System.setProperty(DirectoryBrowserSupport.ALLOW_ABSOLUTE_PATH_PROPERTY_NAME, originalValue);+}+}++}++@Test+public void canViewRelativePath() throws Exception {+File testFile = new File(j.jenkins.getRootDir(), "userContent/test.txt");+String content = "random data provided as fixed value";++FileUtils.writeStringToFile(testFile, content, StandardCharsets.UTF_8);++JenkinsRule.WebClient wc = j.createWebClient().withThrowExceptionOnFailingStatusCode(false);+Page page = wc.goTo("userContent/test.txt/*view*", null);++MatcherAssert.assertThat(page.getWebResponse().getStatusCode(), CoreMatchers.equalTo(200));+MatcherAssert.assertThat(page.getWebResponse().getContentAsString(), CoreMatchers.containsString(content));+}+}
References
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-21683
- WEBhttps://github.com/jenkinsci/jenkins/commit/3f679fc12d073676a4441d3fa8b5fff34c07662f
- PACKAGEhttps://github.com/jenkinsci/jenkins
- WEBhttps://www.jenkins.io/security/advisory/2021-10-06/#SECURITY-2481
- WEBhttp://www.openwall.com/lists/oss-security/2021/10/06/1