[SECURITY-3205]

mtughan · mtughan · commit bfa9b3085865 · 2023-12-12T09:28:34.000-05:00
diff --git a/src/main/java/org/jenkinsci/plugins/scriptler/ScriptlerManagement.java b/src/main/java/org/jenkinsci/plugins/scriptler/ScriptlerManagement.java
@@ -332,7 +332,12 @@ public HttpResponse doRemoveScript(StaplerRequest res, StaplerResponse rsp, @Que
         checkPermission(ScriptlerPermissions.CONFIGURE);
 
         // remove the file
-        File oldScript = new File(getScriptDirectory(), id);
+        File scriptDirectory = getScriptDirectory();
+        File oldScript = new File(scriptDirectory, id);
+        if (!Util.isDescendant(scriptDirectory, oldScript)) {
+            LOGGER.log(Level.WARNING, "Folder traversal detected, file path received: {0}, after fixing: {1}", new Object[]{id, oldScript});
+            throw new Failure("Invalid file path received: " + id);
+        }
         if(!oldScript.delete() && oldScript.exists()) {
             throw new Failure("not able to delete " + oldScript.getAbsolutePath());
         }
diff --git a/src/test/java/org/jenkinsci/plugins/scriptler/restapi/ScriptlerRestApiTest.java b/src/test/java/org/jenkinsci/plugins/scriptler/restapi/ScriptlerRestApiTest.java
@@ -4,6 +4,10 @@
 import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
 
+import java.net.URL;
+import java.util.Collections;
+import org.htmlunit.HttpMethod;
+import org.htmlunit.WebRequest;
 import org.htmlunit.html.*;
 //import org.htmlunit.javascript.host.URL;
 import hudson.ExtensionList;
@@ -18,9 +22,11 @@
 import java.util.List;
 
 import org.apache.commons.fileupload.FileItem;
+import org.htmlunit.util.NameValuePair;
 import org.jenkinsci.plugins.scriptler.ScriptlerManagementHelper;
 import org.jenkinsci.plugins.scriptler.ScriptlerManagement;
 import org.jenkinsci.plugins.scriptler.config.Parameter;
+import org.jenkinsci.plugins.scriptler.config.ScriptlerConfiguration;
 import org.junit.*;
 import org.jvnet.hudson.test.BuildWatcher;
 import org.jvnet.hudson.test.Issue;
@@ -127,4 +133,29 @@ public void testUnknownScript() throws Exception {
         JenkinsRule.WebClient webClient = j.createWebClient();
         webClient.goTo("scriptler/runScript?id=unknown.groovy");
     }
+
+    @Test
+    @Issue("SECURITY-3205")
+    public void fixFolderTraversalThroughDeleteScript() throws Exception {
+        File configurationFile = ScriptlerConfiguration.getXmlFile().getFile();
+        String path = "../" + configurationFile.getName();
+
+        try (JenkinsRule.WebClient webClient = j.createWebClient()) {
+            URL rootUrl = new URL(webClient.getContextPath() + "scriptler/removeScript");
+            WebRequest req = new WebRequest(rootUrl, HttpMethod.POST);
+            req.setRequestParameters(Collections.singletonList(new NameValuePair("id", path)));
+            webClient.addCrumb(req);
+            webClient.getPage(req);
+            fail();
+        } catch (FailingHttpStatusCodeException e) {
+            if (e.getStatusCode() != 400) {
+                // some other kind of error that we're not checking for
+                throw e;
+            }
+            if (!configurationFile.exists()) {
+                fail("The configuration file was deleted");
+            }
+            assert(e.getResponse().getContentAsString().contains("Invalid file path received: " + path));
+        }
+    }
 }
