JENKINS-52262

Cannot copy symlink pointing out of the workspace with VirtualFile


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Minor
    • Component: core
    • Labels: None

      `VirtualFile$FileVF` rejects handling symlinks pointing out of workspaces for SECURITY-162.
      https://jenkins.io/security/advisory/2015-02-27/

      This caused a regression in copyartifact-1.40 (JENKINS-52217).

      There are two problems:

      • Symlinks pointing out of the workspace don't always immediately cause vulnerabilities. It's not reasonable to reject handling those symlinks.
        • On the other hand, it makes sense to leave this as a limitation for the safer security model. I just want to know whether this is an expected behavior for SECURITY-162.
        • Anyway, I plan to document that artifacts should be zipped, as copyartifact may lose permissions, ownership, or symlinks easily. (Is the `zip` step free from SECURITY-162?)
      • There are no clues in the logs that `VirtualFile$FileVF` rejected symlinks for SECURITY-162. This makes it difficult for users to diagnose what happened.
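As an added illustration of the check this issue is about (example code written for this page, not the `VirtualFile$FileVF` implementation in Jenkins core, which may differ in detail): a containment test that resolves every symlink in a candidate path before comparing it against the workspace root, and that logs the reason for a refusal, which is exactly the clue the second bullet says is missing. The class and method names (`WorkspaceSymlinkCheck`, `isInsideWorkspace`, `copyIfContained`), the log messages and the temporary-directory fixture are assumptions made for the example.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.NoSuchFileException;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.util.logging.Level;
import java.util.logging.Logger;

/**
 * Added example, not Jenkins core code: a workspace-containment check that
 * follows symlinks and logs why a path is refused. All names are assumptions.
 */
public class WorkspaceSymlinkCheck {
    private static final Logger LOGGER = Logger.getLogger(WorkspaceSymlinkCheck.class.getName());

    /**
     * True only if {@code candidate} still lies under {@code workspace} after every
     * symlink in it has been resolved. A dangling link cannot be resolved and is refused too.
     */
    public static boolean isInsideWorkspace(Path workspace, Path candidate) throws IOException {
        Path root = workspace.toRealPath();          // canonical workspace root (symlinks resolved)
        Path real;
        try {
            real = candidate.toRealPath();           // follows symlinks in every path component
        } catch (NoSuchFileException e) {
            LOGGER.log(Level.WARNING, "Refusing {0}: dangling symlink or missing target ({1})",
                       new Object[]{candidate, e.getMessage()});
            return false;
        }
        if (!real.startsWith(root)) {
            // The diagnostic the issue asks for: say what was rejected and where it pointed.
            LOGGER.log(Level.WARNING, "Refusing {0}: resolves to {1}, outside workspace {2}",
                       new Object[]{candidate, real, root});
            return false;
        }
        return true;
    }

    /** Copies candidate to dest only if the containment check passes; returns whether it was copied. */
    public static boolean copyIfContained(Path workspace, Path candidate, Path dest) throws IOException {
        if (!isInsideWorkspace(workspace, candidate)) {
            return false;
        }
        // Files.copy follows the link by default, so the target's content is copied, not the link.
        Files.copy(candidate, dest, StandardCopyOption.REPLACE_EXISTING);
        return true;
    }

    public static void main(String[] args) throws IOException {
        // Constructed fixture: a workspace with a real file, a link to that file,
        // a link escaping the workspace, and a dangling link.
        Path ws = Files.createTempDirectory("ws");
        Path outside = Files.createTempDirectory("outside");
        Path artifact = Files.write(ws.resolve("artifact.txt"), "built".getBytes(StandardCharsets.UTF_8));
        Path secret = Files.write(outside.resolve("secret.txt"), "not yours".getBytes(StandardCharsets.UTF_8));
        Path innerLink = Files.createSymbolicLink(ws.resolve("inner-link"), artifact);
        Path escapeLink = Files.createSymbolicLink(ws.resolve("escape-link"), secret);
        Path dangling = Files.createSymbolicLink(ws.resolve("dangling"), ws.resolve("gone.txt"));

        Path dest = Files.createTempDirectory("dest");
        System.out.println("artifact.txt copied: " + copyIfContained(ws, artifact, dest.resolve("artifact.txt")));
        System.out.println("inner-link copied:   " + copyIfContained(ws, innerLink, dest.resolve("inner-link")));
        System.out.println("escape-link copied:  " + copyIfContained(ws, escapeLink, dest.resolve("escape-link")));
        System.out.println("dangling copied:     " + copyIfContained(ws, dangling, dest.resolve("dangling")));
    }
}
```

Run with JDK 8 or later on a system where the current user may create symlinks (on Windows this usually needs elevated privileges). The plain file and `inner-link` are copied; `escape-link` and `dangling` are refused, and each refusal leaves a WARNING line naming the path and the reason. Note that the check compares `toRealPath()` results on both sides: a purely lexical `candidate.startsWith(workspace)` would accept `escape-link`, because by name it does live in the workspace, which is the trap SECURITY-162 closes.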

    • Assignee: Unassigned
    • Reporter: ikedam
    • Votes: 1
    • Watchers: 2