vuln-fix: Partial Path Traversal Vulnerability

This fixes a partial path traversal vulnerability. Replaces `dir.getCanonicalPath().startsWith(parent.getCanonicalPath())`, which is vulnerable to partial path traversal attacks, with the more secure `dir.getCanonicalFile().toPath().startsWith(parent.getCanonicalFile().toPath())`. To demonstrate this vulnerability, consider `"/usr/outnot".startsWith("/usr/out")`. The check is bypassed although `/outnot` is not under the `/out` directory. It's important to understand that the terminating slash may be removed when using various `String` representations of the `File` object. For example, on Linux, `println(new File("/var"))` will print `/var`, but `println(new File("/var", "/")` will print `/var/`; however, `println(new File("/var", "/").getCanonicalPath())` will print `/var`. Weakness: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Severity: Medium CVSSS: 6.1 Detection: CodeQL & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.PartialPathTraversalVulnerability) Reported-by: Jonathan Leitschuh <[email protected]> Signed-off-by: Jonathan Leitschuh <[email protected]> Bug-tracker: JLLeitschuh/security-research#13 Co-authored-by: Moderne <[email protected]>
BulkSecurityGeneratorProjectV2 · Jul 29, 2022 · b3f9e0f · b3f9e0f
1 parent fe24abe
commit b3f9e0f
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/src/main/java/org/jenkinsci/plugins/redpen/RedpenJobProperty.java b/src/main/java/org/jenkinsci/plugins/redpen/RedpenJobProperty.java
@@ -201,7 +201,7 @@ private FormValidation doCheckTestFrameWorkPath(String value) {
             }
             try {
                 File file = new File(basePath, value);
-                if (file.getCanonicalPath().startsWith(basePath)) {
+                if (file.getCanonicalFile().toPath().startsWith(basePath)) {
                     return FormValidation.ok();
                 }
             } catch (IOException e) {

diff --git a/src/main/java/org/jenkinsci/plugins/redpen/service/RedpenJenkinsCore.java b/src/main/java/org/jenkinsci/plugins/redpen/service/RedpenJenkinsCore.java
@@ -98,7 +98,7 @@ private AttachmentModel addAttachments(ParameterModel parameter, String jwtToken
         for (String s : logDir) {
             String trimPath = s.trim();
             File file = new File(workspaceBasePath, trimPath);
-            if (!StringUtils.isBlank(trimPath) && file.getCanonicalPath().startsWith(workspaceBasePath)) {
+            if (!StringUtils.isBlank(trimPath) && file.getCanonicalFile().toPath().startsWith(workspaceBasePath)) {
                 String logPath = file.getAbsolutePath();
                 AttachmentModel reportFiles = attachLogFiles(buildTriggerTime, workspaceBasePath, logPath, issueKey, jwtToken, "", "Other Files", true);
                 uploadedFileNames.addAll(reportFiles.getAttachments());