  1. Jenkins
  2. JENKINS-52262

Cannot copy symlink pointing out of the workspace with VirtualFile

    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Component/s: core
    • Labels: None

      Description

      `VirtualFile$FileVF` rejects handling symlinks pointing out of workspaces for SECURITY-162.
      https://jenkins.io/security/advisory/2015-02-27/

      This caused a regression in copyartifact-1.40 (JENKINS-52217).

      There are two problems:

      • Symlinks pointing out of the workspace don’t always immediately cause vulnerabilities. It’s not reasonable to reject handling those symlinks.
        • On the other hand, it makes sense to leave this as a limitation for the safer security model. I just want to know whether this is an expected behavior for SECURITY-162.
        • Anyway, I plan to document that artifacts should be zipped, as copyartifact may easily lose permissions, ownerships, or symlinks. (Is the `zip` step free from SECURITY-162?)
      • There are no clues in the logs that `VirtualFile$FileVF` rejected symlinks for SECURITY-162. This makes it difficult for users to diagnose what happened.
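
      For the diagnosis gap described above, a workspace can be checked ahead of an artifact copy for symlinks whose resolved target lies outside it. This is an added example, not part of the original report and not Jenkins code; the function name `find_escaping_symlinks` is hypothetical, it assumes a `readlink` that supports `-f` (GNU coreutils), and it approximates "points out of the workspace" rather than reproducing the exact check in `VirtualFile$FileVF`.

```shell
#!/bin/sh
# Added diagnostic example (not Jenkins code).
# find_escaping_symlinks ROOT
#   Prints one line per symlink under ROOT whose fully resolved target is
#   outside ROOT, as "<link> -> <resolved target>". Links that cannot be
#   resolved (e.g. a dangling chain) are printed as "(unresolvable)".
#   Assumption: readlink supports -f (GNU coreutils).
find_escaping_symlinks() {
    # Canonicalise ROOT so the prefix comparison uses real paths on both sides.
    _ws_root=$(cd "$1" 2>/dev/null && pwd -P) || {
        echo "not a directory: $1" >&2
        return 2
    }
    # find does not follow symlinks by default, so a linked directory is
    # reported as a link and never descended into.
    find "$_ws_root" -type l -exec sh -c '
        root=$1; shift
        for link in "$@"; do
            target=$(readlink -f -- "$link" 2>/dev/null) || target=
            case "$target" in
                "")                printf "%s -> (unresolvable)\n" "$link" ;;
                "$root"|"$root"/*) ;;  # resolves inside the workspace
                *)                 printf "%s -> %s\n" "$link" "$target" ;;
            esac
        done
    ' sh "$_ws_root" {} +
}

# Usage: find_escaping_symlinks /path/to/workspace
```

      Any link it lists is a candidate for the silent rejection described in this issue.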

              People

              Assignee: Unassigned
              Reporter: ikedam
              Votes: 1
              Watchers: 2