`VirtualFile$FileVF` rejects handling symlinks pointing out of workspaces for SECURITY-162.
This caused a regression in copyartifact-1.40 (
There are two problems:
- Symlinks pointing out of the workspace don’t always immediately cause vulnerabilities. It’s not reasonable to reject handling those symlinks.
  - On the other hand, it makes sense to leave this as a limitation for the safer security model. I just want to know this is an expected behavior for SECURITY-162.
  - Anyway, I plan to document that artifacts should be zipped as copyartifact may lose permissions, ownerships, or symlinks easily. (Is the `zip` step free from SECURITY-162?)
- There are no clues in logs that `VirtualFile$FileVF` rejected symlinks for SECURITY-162. This makes it difficult for users to diagnose what happened.
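
An added example, not code from Jenkins core or copyartifact: a containment check of the kind described above that also logs why a path was refused, which is the diagnostic the second problem asks for. The class name, method name and log wording are hypothetical, and the demo assumes a POSIX filesystem where unprivileged symlink creation is allowed.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.NoSuchFileException;
import java.nio.file.Path;
import java.util.logging.Logger;

public class SymlinkContainment {
    private static final Logger LOG = Logger.getLogger(SymlinkContainment.class.getName());

    /** Returns true only if candidate, with every symlink resolved, is still under root. */
    static boolean staysInside(Path root, Path candidate) throws IOException {
        // Resolve the root too, so a workspace that is itself reached via a symlink compares correctly.
        Path realRoot = root.toRealPath();
        Path real;
        try {
            real = candidate.toRealPath(); // follows symlinks in every path component
        } catch (NoSuchFileException e) {
            LOG.warning("Skipping " + candidate + ": target does not exist (dangling symlink?)");
            return false;
        }
        // Path.startsWith compares whole name elements, so /ws-other does not match /ws.
        boolean inside = real.startsWith(realRoot);
        if (!inside) {
            LOG.warning("Skipping " + candidate + ": resolves to " + real
                    + ", which is outside " + realRoot);
        }
        return inside;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample layout: one workspace, one file outside it.
        Path base = Files.createTempDirectory("symlink-demo");
        Path workspace = Files.createDirectory(base.resolve("workspace"));
        Path outside = Files.createFile(base.resolve("outside.txt"));
        Path artifact = Files.createFile(workspace.resolve("artifact.txt"));
        Path okLink = Files.createSymbolicLink(workspace.resolve("ok-link"), artifact);
        Path badLink = Files.createSymbolicLink(workspace.resolve("bad-link"), outside);
        Path dangling = Files.createSymbolicLink(workspace.resolve("dangling"),
                workspace.resolve("missing.txt"));

        for (Path p : new Path[] {artifact, okLink, badLink, dangling}) {
            String verdict = staysInside(workspace, p) ? "accepted" : "rejected";
            System.out.println(p.getFileName() + " -> " + verdict);
        }
    }
}
```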