Security context
Medium· 6.5GHSA-4pw5-r58h-fv24 CVE-2021-21683CWE-22Published May 24, 2022

Path traversal vulnerability on Windows in Jenkins

Research this vulnerability

Research is free — Hunters explains how the bug works, the root-cause code pattern, how the fix addresses it, and how to test whether a target is affected, in chat. Investigate & write exploit is a paid run — the engine reads the advisory and fix commits, then builds and validates a working proof-of-concept exploit with reproduction steps.

Affected versions

0 → fixed in 2.303.22.304 → fixed in 2.315

Details

The file browser for workspaces, archived artifacts, and `userContent/` in Jenkins 2.314 and earlier, LTS 2.303.1 and earlier may interpret some paths to files as absolute on Windows. This results in a path traversal vulnerability allowing attackers with Overall/Read permission (Windows controller) or Job/Workspace permission (Windows agents) to obtain the contents of arbitrary files.\n\nThe file browser in Jenkins 2.315, LTS 2.303.2 refuses to serve files that would be considered absolute paths.

The fix

[SECURITY-2481]

Wadeck· Sep 22, 2021, 04:15 PM+13613f679fc12d
core/src/main/java/hudson/model/DirectoryBrowserSupport.java+35 1
@@ -26,6 +26,8 @@
import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import hudson.FilePath;
import hudson.Util;
+
+import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
@@ -52,6 +54,7 @@
import java.util.stream.Stream;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;
+
import jenkins.model.Jenkins;
import jenkins.security.MasterToSlaveCallable;
import jenkins.security.ResourceDomainConfiguration;
@@ -82,6 +85,11 @@ public final class DirectoryBrowserSupport implements HttpResponse {
@SuppressFBWarnings(value = "MS_SHOULD_BE_FINAL", justification = "Accessible via System Groovy Scripts")
public static boolean ALLOW_SYMLINK_ESCAPE = SystemProperties.getBoolean(DirectoryBrowserSupport.class.getName() + ".allowSymlinkEscape");
+ /**
+ * Escape hatch for the protection against SECURITY-2481. If enabled, the absolute paths on Windows will be allowed.
+ */
+ static final String ALLOW_ABSOLUTE_PATH_PROPERTY_NAME = DirectoryBrowserSupport.class.getName() + ".allowAbsolutePath";
+
public final ModelObject owner;
public final String title;
@@ -243,7 +251,20 @@ private void serveFile(StaplerRequest req, StaplerResponse rsp, VirtualFile root
String rest = _rest.toString();
// this is the base file/directory
- VirtualFile baseFile = base.isEmpty() ? root : root.child(base);
+ VirtualFile baseFile;
+ if (base.isEmpty()) {
+ baseFile = root;
+ } else {
+ if (!SystemProperties.getBoolean(ALLOW_ABSOLUTE_PATH_PROPERTY_NAME, false)) {
+ boolean isAbsolute = root.run(new IsAbsolute(base));
+ if (isAbsolute) {
+ LOGGER.info(() -> "SECURITY-2481 The path provided in the URL (" + base + ") is absolute and thus is refused.");
+ rsp.sendError(HttpServletResponse.SC_NOT_FOUND);
+ return;
+ }
+ }
+ baseFile = root.child(base);
+ }
if (baseFile.hasSymlink(getNoFollowLinks())) {
rsp.sendError(HttpServletResponse.SC_NOT_FOUND);
@@ -397,6 +418,19 @@ private void serveFile(StaplerRequest req, StaplerResponse rsp, VirtualFile root
}
}
+ private static final class IsAbsolute extends MasterToSlaveCallable<Boolean, IOException> {
+ private final String fragment;
+
+ IsAbsolute(String fragment) {
+ this.fragment = fragment;
+ }
+
+ @Override
+ public Boolean call() throws IOException {
+ return new File(fragment).isAbsolute();
+ }
+ }
+
private List<List<Path>> keepReadabilityOnlyOnDescendants(VirtualFile root, boolean patternUsed, List<List<Path>> pathFragmentsList){
Stream<List<Path>> pathFragmentsStream = pathFragmentsList.stream().map((List<Path> pathFragments) -> {
List<Path> mappedFragments = new ArrayList<>(pathFragments.size());
test/src/test/java/hudson/model/DirectoryBrowserSupportSEC2481Test.java+101 0
@@ -0,0 +1,101 @@
+/*
+ * The MIT License
+ *
+ * Copyright (c) 2004-2009, Sun Microsystems, Inc., Kohsuke Kawaguchi
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+package hudson.model;
+
+import com.gargoylesoftware.htmlunit.Page;
+import hudson.Functions;
+import org.apache.commons.io.FileUtils;
+import org.hamcrest.CoreMatchers;
+import org.hamcrest.MatcherAssert;
+import org.junit.Assume;
+import org.junit.Rule;
+import org.junit.Test;
+import org.jvnet.hudson.test.Issue;
+import org.jvnet.hudson.test.JenkinsRule;
+
+import java.io.File;
+import java.nio.charset.StandardCharsets;
+
+//TODO merge back to DirectoryBrowserSupportTest
+public class DirectoryBrowserSupportSEC2481Test {
+
+ @Rule
+ public JenkinsRule j = new JenkinsRule();
+
+ @Test
+ @Issue("SECURITY-2481")
+ public void windows_cannotViewAbsolutePath() throws Exception {
+ Assume.assumeTrue("can only be tested this on Windows", Functions.isWindows());
+
+ File targetTmpFile = File.createTempFile("sec2481", "tmp");
+ String content = "random data provided as fixed value";
+ FileUtils.writeStringToFile(targetTmpFile, content, StandardCharsets.UTF_8);
+
+ JenkinsRule.WebClient wc = j.createWebClient().withThrowExceptionOnFailingStatusCode(false);
+ Page page = wc.goTo("userContent/" + targetTmpFile.getAbsolutePath() + "/*view*", null);
+
+ MatcherAssert.assertThat(page.getWebResponse().getStatusCode(), CoreMatchers.equalTo(404));
+ }
+
+ @Test
+ @Issue("SECURITY-2481")
+ public void windows_canViewAbsolutePath_withEscapeHatch() throws Exception {
+ Assume.assumeTrue("can only be tested this on Windows", Functions.isWindows());
+
+ String originalValue = System.getProperty(DirectoryBrowserSupport.ALLOW_ABSOLUTE_PATH_PROPERTY_NAME);
+ System.setProperty(DirectoryBrowserSupport.ALLOW_ABSOLUTE_PATH_PROPERTY_NAME, "true");
+ try {
+ File targetTmpFile = File.createTempFile("sec2481", "tmp");
+ String content = "random data provided as fixed value";
+ FileUtils.writeStringToFile(targetTmpFile, content, StandardCharsets.UTF_8);
+
+ JenkinsRule.WebClient wc = j.createWebClient().withThrowExceptionOnFailingStatusCode(false);
+ Page page = wc.goTo("userContent/" + targetTmpFile.getAbsolutePath() + "/*view*", null);
+
+ MatcherAssert.assertThat(page.getWebResponse().getStatusCode(), CoreMatchers.equalTo(200));
+ MatcherAssert.assertThat(page.getWebResponse().getContentAsString(), CoreMatchers.containsString(content));
+ } finally {
+ if (originalValue == null) {
+ System.clearProperty(DirectoryBrowserSupport.ALLOW_ABSOLUTE_PATH_PROPERTY_NAME);
+ } else {
+ System.setProperty(DirectoryBrowserSupport.ALLOW_ABSOLUTE_PATH_PROPERTY_NAME, originalValue);
+ }
+ }
+
+ }
+
+ @Test
+ public void canViewRelativePath() throws Exception {
+ File testFile = new File(j.jenkins.getRootDir(), "userContent/test.txt");
+ String content = "random data provided as fixed value";
+
+ FileUtils.writeStringToFile(testFile, content, StandardCharsets.UTF_8);
+
+ JenkinsRule.WebClient wc = j.createWebClient().withThrowExceptionOnFailingStatusCode(false);
+ Page page = wc.goTo("userContent/test.txt/*view*", null);
+
+ MatcherAssert.assertThat(page.getWebResponse().getStatusCode(), CoreMatchers.equalTo(200));
+ MatcherAssert.assertThat(page.getWebResponse().getContentAsString(), CoreMatchers.containsString(content));
+ }
+}

References