
Issue discovered on `repository-hpi/src/main/java/com/nirima/jenkins/RepositoryPlugin.java` with `Zip slip`

Open JLLeitschuh opened this issue 1 year ago • 0 comments

Problem

There already appears to be a guard in place that, incorrectly, protects against this vulnerability.

        while (enumEntries.hasMoreElements()) {
            java.util.jar.JarEntry file = (java.util.jar.JarEntry) enumEntries.nextElement();

            if(!file.getName().startsWith(prefix)) // Incorrect fix
                continue;

Expected behavior

The incorrect fix should be either removed, or fixed.

Example diff

From: repository-hpi/src/main/java/com/nirima/jenkins/RepositoryPlugin.java

      continue;

java.io.File f = new java.io.File(destDir, file.getName());
+
+            if (!f.toPath().normalize().startsWith(destDir.toPath().normalize())) {
+                throw new IOException("Bad zip entry");
+            }
if (file.isDirectory()) { // if its a directory, create it
f.mkdir();
continue;
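
Review bot: The added `throw new IOException("Bad zip entry");` does not say which entry was rejected, so a failed unpack gives an operator nothing to look for in the archive; consider including `file.getName()` in the message. Separately, `normalize()` on both `f.toPath()` and `destDir.toPath()` is a purely lexical clean-up of `.` and `..` segments and does not resolve symbolic links, so if `destDir` can contain links, comparing canonical or real paths would be the stricter check. The unchanged `f.mkdir();` in the context below still ignores its return value.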

Recipes in example diff:

  • org.openrewrite.java.security.ZipSlip

References:

  • View original result
  • Recipe ID: org.openrewrite.java.security.ZipSlip
  • Recipe Name: Zip slip
  • Repository: jenkinsci/maven-repository-plugin/master
  • Created at Mon Nov 06 2023 10:57:59 GMT-0800 (Pacific Standard Time)

JLLeitschuh, Nov 06 '23 19:11
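
Why a `startsWith(prefix)` test on the entry name does not stop Zip slip while the path comparison from the example diff does, shown as an added example that is not code from the plugin or from the issue author. The class name, the `prefix` value, `destDir` and the entry names are constructed for illustration.

```java
import java.io.File;
import java.nio.file.Path;
import java.util.List;

public class ZipSlipGuardDemo {

    // The guard quoted in the issue: a string test on the entry name only.
    // It says nothing about where the entry lands once joined to destDir.
    static boolean nameGuardAccepts(String entryName, String prefix) {
        return entryName.startsWith(prefix);
    }

    // The check from the example diff: build the target file, normalize both
    // paths, and compare them component by component with Path.startsWith.
    static boolean pathGuardAccepts(File destDir, String entryName) {
        Path dest = destDir.toPath().normalize();
        Path target = new File(destDir, entryName).toPath().normalize();
        return target.startsWith(dest);
    }

    public static void main(String[] args) {
        // Constructed values (assumptions), not taken from the plugin.
        File destDir = new File("work/unpacked");
        String prefix = "META-INF/";
        List<String> names = List.of(
                "META-INF/MANIFEST.MF",           // ordinary entry
                "META-INF/../../../outside.txt",  // has the prefix, resolves outside destDir
                "META-INF/a/../b.txt");           // contains "..", still inside destDir

        for (String name : names) {
            System.out.printf("%-32s nameGuard=%-5b pathGuard=%b%n",
                    name,
                    nameGuardAccepts(name, prefix),
                    pathGuardAccepts(destDir, name));
        }
    }
}
```

The second name passes the name guard and fails the path guard, which is the case the existing check misses; the third shows that the path guard does not reject every name containing `..`, only those whose target leaves `destDir`.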