Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-64922

java.lang.UnsupportedOperationException: NOFOLLOW_LINKS not supported when opening file from workspace or artifacts

    XMLWordPrintable

    Details

    • Similar Issues:

      Description

      We recently upgraded to Jenkins 2.263.4 (previous version
      2.235.1) ,now we have issue opening files form workspace.
      Below error is logged in logfile

      2021-02-23 10:48:50.237+0000 [id=76] WARNING h.i.i.InstallUncaughtExceptionHandler#handleException: Caught unhandled exception with ID 9a8eb3ec-a05c-49cd-b4e1-f0c540d8d668
      java.lang.UnsupportedOperationException: NOFOLLOW_LINKS not supported
      at sun.nio.fs.UnixChannelFactory$Flags.toFlags(UnixChannelFactory.java:105)
      at sun.nio.fs.UnixChannelFactory.newFileChannel(UnixChannelFactory.java:131)
      at sun.nio.fs.UnixChannelFactory.newFileChannel(UnixChannelFactory.java:160)
      at sun.nio.fs.UnixFileSystemProvider.newByteChannel(UnixFileSystemProvider.java:224)
      at java.nio.file.Files.newByteChannel(Files.java:372)
      at java.nio.file.Files.newByteChannel(Files.java:418)
      at java.nio.file.spi.FileSystemProvider.newInputStream(FileSystemProvider.java:395)
      at java.nio.file.Files.newInputStream(Files.java:163)
      at hudson.FilePath.newInputStreamDenyingSymlinkAsNeeded(FilePath.java:2111)
      at hudson.FilePath.read(FilePath.java:2096)
      at jenkins.util.VirtualFile$FilePathVF.open(VirtualFile.java:1024)

        Attachments

          Activity

          Show
          raihaan Raihaan Shouhell added a comment - Seems to be caused by https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-1452
          Hide
          anjali_waghmare Anjali added a comment -

          https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-1452 says Archiving artifacts still behaves as before. But archived artifacts links from GUI are also throwing same error.

          Show
          anjali_waghmare Anjali added a comment - https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-1452  says Archiving artifacts still behaves as before. But archived artifacts links from GUI are also throwing same error.
          Hide
          raihaan Raihaan Shouhell added a comment -

          Do you have steps to reproduce this issue?

          Show
          raihaan Raihaan Shouhell added a comment - Do you have steps to reproduce this issue?
          Hide
          anjali_waghmare Anjali added a comment -

          Hi Raihaan,

          we just upgraded from 2.235.1 to 2.263.4.

          Open any job workspace

          Try to open any file from workspace or from archived artifact

          It gives "java.lang.UnsupportedOperationException: NOFOLLOW_LINKS not supported" in log file and on jenkins GUI error as below.

          I hope above steps helps.

          regards,

          Anjali

          Show
          anjali_waghmare Anjali added a comment - Hi Raihaan, we just upgraded from 2.235.1 to 2.263.4. Open any job workspace Try to open any file from workspace or from archived artifact It gives "java.lang.UnsupportedOperationException: NOFOLLOW_LINKS not supported" in log file and on jenkins GUI error as below. I hope above steps helps. regards, Anjali
          Hide
          raihaan Raihaan Shouhell added a comment -

          Seems to be a platform specific issue https://unix.stackexchange.com/questions/504497/aix-nofollow-links-is-not-supported-on-this-platform.

          CC: Jeff Thompson seems like the fix for SECURITY-1452 causes issues on the AIX platform.

          Show
          raihaan Raihaan Shouhell added a comment - Seems to be a platform specific issue https://unix.stackexchange.com/questions/504497/aix-nofollow-links-is-not-supported-on-this-platform . CC: Jeff Thompson seems like the fix for SECURITY-1452 causes issues on the AIX platform.
          Hide
          jthompson Jeff Thompson added a comment -

          I knew AIX was a concern in this area. I read documentation and tried to put together a implementation that would work on AIX as well. With no AIX system available, I had to guess if it worked correctly there. I'll put together something to perform a different check. It will still need testing on AIX.

          Show
          jthompson Jeff Thompson added a comment - I knew AIX was a concern in this area. I read documentation and tried to put together a implementation that would work on AIX as well. With no AIX system available, I had to guess if it worked correctly there. I'll put together something to perform a different check. It will still need testing on AIX.
          Hide
          jthompson Jeff Thompson added a comment -

          As a workaround you can set the system property "hudson.model.DirectoryBrowserSupport.allowSymlinkEscape" to "true". This disables the symlink protections so is not generally recommended, but AIX is a special case.

          Show
          jthompson Jeff Thompson added a comment - As a workaround you can set the system property "hudson.model.DirectoryBrowserSupport.allowSymlinkEscape" to "true". This disables the symlink protections so is not generally recommended, but AIX is a special case.
          Hide
          jthompson Jeff Thompson added a comment -

          Digging through this again, it looks like the system property is probably the best we can do. The JVM implementation on AIX is weak.

          Some possibilities:

          1) Just use the system property to disable symlink detection. It looks like it's as good as anything else we could do.

          2) We could configure the system property automatically for AIX if there's sufficient interest. It's a little difficult to tell if NOFOLLOW_LINKS is implemented but there are probably a couple of different ways we could check for AIX.

          3) Use an improved JVM implementation on AIX that implements NOFOLLOW_LINKS. I don't know that one exists, but that would be the cleanest.

          4) Someone on AIX could determine if "Files.readAttributes(path, BasicFileAttributes.class, LinkOption.NOFOLLOW_LINKS);" throws an exception. According to documentation, readAttributes should throw an exception like newInputStream does here. If it throws then the previous options are the only workable ones.

          Show
          jthompson Jeff Thompson added a comment - Digging through this again, it looks like the system property is probably the best we can do. The JVM implementation on AIX is weak. Some possibilities: 1) Just use the system property to disable symlink detection. It looks like it's as good as anything else we could do. 2) We could configure the system property automatically for AIX if there's sufficient interest. It's a little difficult to tell if NOFOLLOW_LINKS is implemented but there are probably a couple of different ways we could check for AIX. 3) Use an improved JVM implementation on AIX that implements NOFOLLOW_LINKS. I don't know that one exists, but that would be the cleanest. 4) Someone on AIX could determine if "Files.readAttributes(path, BasicFileAttributes.class, LinkOption.NOFOLLOW_LINKS);" throws an exception. According to documentation, readAttributes should throw an exception like newInputStream does here. If it throws then the previous options are the only workable ones.
          Hide
          anjali_waghmare Anjali added a comment -

          @Jeff Thompson,

          Can you please let me know steps to set system property "hudson.model.DirectoryBrowserSupport.allowSymlinkEscape" to "true"?

          Show
          anjali_waghmare Anjali added a comment - @ Jeff Thompson , Can you please let me know steps to set system property "hudson.model.DirectoryBrowserSupport.allowSymlinkEscape" to "true"?
          Hide
          raihaan Raihaan Shouhell added a comment -

          You can do java -Dhudson.model.DirectoryBrowserSupport.allowSymlinkEscape=true -jar jenkins.war or something similar to this.

          CC: Mark Waite We might need the upgrade guidelines have a line for this issue on AIX, Keeping you in the loop

          Show
          raihaan Raihaan Shouhell added a comment - You can do java -Dhudson.model.DirectoryBrowserSupport.allowSymlinkEscape=true -jar jenkins.war or something similar to this. CC: Mark Waite We might need the upgrade guidelines have a line for this issue on AIX, Keeping you in the loop
          Hide
          anjali_waghmare Anjali added a comment -

          I set the system property hudson.model.DirectoryBrowserSupport.allowSymlinkEscape to true by reading documentation and now I am able to access files form workspace and archived artifacts.

          Is this going to be temporary workaround ? will there be a permanent fix for the same?

          Show
          anjali_waghmare Anjali added a comment - I set the system property hudson.model.DirectoryBrowserSupport.allowSymlinkEscape to true by reading documentation and now I am able to access files form workspace and archived artifacts. Is this going to be temporary workaround ? will there be a permanent fix for the same?
          Hide
          danielbeck Daniel Beck added a comment - - edited

          Given that AIX makes up less than 0.2% of the environments that report usage stats, and a workaround exists, I wouldn't hold my breath. Probably depends on how much time Jeff has to spare on this.

          I expect that any fix would be little different from essentially automatically applying the workaround that is currently required to be added manually. It's probably not worth adding a completely separate implementation that's still not quite right.

          Show
          danielbeck Daniel Beck added a comment - - edited Given that AIX makes up less than 0.2% of the environments that report usage stats, and a workaround exists, I wouldn't hold my breath. Probably depends on how much time Jeff has to spare on this. I expect that any fix would be little different from essentially automatically applying the workaround that is currently required to be added manually. It's probably not worth adding a completely separate implementation that's still not quite right.
          Hide
          jthompson Jeff Thompson added a comment -

          I'm surprised AIX usage is that high. I've got various other improvements that should be done in this area that are more valuable and keep getting delayed.

          I don't know of any alternative approach that would yield a fix on AiX, so the only reasonable code fix is to automatically apply the workaround.

          Show
          jthompson Jeff Thompson added a comment - I'm surprised AIX usage is that high. I've got various other improvements that should be done in this area that are more valuable and keep getting delayed. I don't know of any alternative approach that would yield a fix on AiX, so the only reasonable code fix is to automatically apply the workaround.

            People

            Assignee:
            jthompson Jeff Thompson
            Reporter:
            anjali_waghmare Anjali
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Dates

              Created:
              Updated: