Cannot copy symlink pointing out of the workspace with VirtualFile



`VirtualFile$FileVF` rejects handling symlinks pointing out of workspaces for SECURITY-162.
https://jenkins.io/security/advisory/2015-02-27/

This caused a regression in copyartifact-1.40 (JENKINS-52217).

There are two problems:

• Symlinks pointing out of the workspace don't always immediately cause vulnerabilities. It's not reasonable to reject handling those symlinks.
  • On the other hand, it makes sense to leave this as a limitation for the safer security model. I just want to know whether this is an expected behavior for SECURITY-162.
  • Anyway, I plan to document that artifacts should be zipped, as copyartifact may lose permissions, ownerships, or symlinks easily. (Is the `zip` step free from SECURITY-162?)
• There are no clues in logs that `VirtualFile$FileVF` rejected symlinks for SECURITY-162. This makes it difficult for users to diagnose what happened.
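An added stand-alone illustration (not Jenkins' own `VirtualFile` code) of the rule the report describes, a path under the workspace is served only if it still resolves inside the workspace after following symlinks, together with the diagnostic logging the second bullet asks for; `WorkspaceSymlinkCheck` and `resolveInsideWorkspace` are hypothetical names:

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.logging.Logger;

/** Hypothetical helper, not part of Jenkins core or copyartifact. */
public final class WorkspaceSymlinkCheck {
    private static final Logger LOG = Logger.getLogger(WorkspaceSymlinkCheck.class.getName());

    private WorkspaceSymlinkCheck() {}

    /**
     * @param workspace the workspace root
     * @param relative  a path relative to the workspace, as a caller would request it
     * @return the resolved real path if it stays inside the workspace, or null if rejected
     */
    public static Path resolveInsideWorkspace(Path workspace, String relative) throws IOException {
        Path root = workspace.toRealPath();          // canonical root (symlinks in the root itself resolved)
        Path requested = root.resolve(relative).normalize();
        if (!requested.startsWith(root)) {           // plain "../" traversal, no symlink involved
            LOG.warning(() -> "Rejected " + relative + ": path traversal outside workspace " + root);
            return null;
        }
        Path real = requested.toRealPath();          // follows symlinks; throws NoSuchFileException if absent
        if (!real.startsWith(root)) {                // symlink target escaped the workspace
            // Unlike the silent rejection reported above, say why the file was refused.
            LOG.warning(() -> "Rejected " + relative + ": symlink resolves to " + real
                    + " outside workspace " + root);
            return null;
        }
        return real;
    }

    // Constructed demo: one regular artifact and one symlink pointing out of the workspace.
    public static void main(String[] args) throws IOException {
        Path ws = Files.createTempDirectory("ws");
        Path outside = Files.createTempDirectory("outside");
        Files.writeString(outside.resolve("secret"), "x");
        Files.createSymbolicLink(ws.resolve("escape"), outside.resolve("secret"));
        Files.writeString(ws.resolve("artifact.txt"), "ok");
        System.out.println(resolveInsideWorkspace(ws, "artifact.txt")); // real path inside ws
        System.out.println(resolveInsideWorkspace(ws, "escape"));       // null, warning logged
    }
}
```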

Assignee: Unassigned
Reporter: ikedam
Archiver: Jenkins Service Account
