Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[JENKINS-70870] Save libraries as JAR files rather than unpacked #57

Draft
wants to merge 46 commits into
base: master
Choose a base branch
from
Draft

[JENKINS-70870] Save libraries as JAR files rather than unpacked #57

wants to merge 46 commits into from

Conversation

jglick
Copy link
Member

@jglick jglick commented Mar 3, 2023
edited
Loading

@jglick jglick mentioned this pull request Mar 3, 2023
Merged
5 tasks
@jglick jglick changed the title Sketch of saving libraries as JAR files rather than unpacked Save libraries as JAR files rather than unpacked Mar 3, 2023
@jglick jglick added the enhancement New feature or request label Mar 3, 2023
@jglick

This comment was marked as resolved.

Sign in to view
@jglick jglick mentioned this pull request Mar 4, 2023
Closed
@jglick jglick mentioned this pull request Mar 4, 2023
Open
6 tasks
@jglick
Copy link
Member Author

jglick commented Mar 4, 2023

there seems to be a real leak

openjdk/jdk#12871 though as of a14ed45 it no longer matters here.

@jglick jglick mentioned this pull request Mar 6, 2023
Merged
@jglick

This comment was marked as resolved.

Sign in to view
@jglick jglick mentioned this pull request Mar 6, 2023
Merged
@jglick jglick mentioned this pull request Mar 7, 2023
Closed
jglick
jglick commented Mar 8, 2023
View reviewed changes
src/main/java/org/jenkinsci/plugins/workflow/cps/global/UserDefinedGlobalVariable.java
// Util.escape translates \n but not \r, and we do not know what platform the library will be checked out on:
replace("\r\n", "\n"));
try {
return Jenkins.get().getMarkupFormatter().translate(
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(suppress whitespace changes when reviewing)

@jglick jglick marked this pull request as ready for review March 9, 2023 23:32
@jglick jglick requested a review from a team as a code owner March 9, 2023 23:32
jtnord
jtnord approved these changes Mar 13, 2023
View reviewed changes
Copy link
Member

@jtnord jtnord left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code looks ok.

dwnusbaum
dwnusbaum approved these changes Mar 13, 2023
View reviewed changes
src/main/java/org/jenkinsci/plugins/workflow/libs/LibraryRetriever.java
Comment on lines +151 to +152
Path target = Path.of(dir.getRemote(), link).toRealPath();
if (!target.startsWith(Path.of(root.getRemote()))) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this behave as expected if JENKINS_HOME itself is a symlink? See for example jenkinsci/workflow-cps-global-lib-plugin#139. Also, toRealPath will throw an exception if the link target does not exist, which may be undesirable from a security standpoint.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this behave as expected if JENKINS_HOME itself is a symlink?

No idea offhand; I suppose we have no test coverage for such cases.

toRealPath will throw an exception if the link target does not exist, which may be undesirable

I think it is fine. If there is no such target, we want to fail one way or the other.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I suppose we have no test coverage for such cases.

I don't think so. Based on the number of reports I got from the related security fix though, it is a surprisingly common scenario. Safest to use File.getCanonicalFile / File.getCanonicalPath on both the link and root.

If there is no such target, we want to fail one way or the other.

Yeah, but the interesting thing about toRealPath vs just comparing the canonical paths is that toRealPath allows an attacker to probe the existence of arbitrary files on the controller's file system.

src/main/java/org/jenkinsci/plugins/workflow/libs/LibraryCachingCleanup.java Outdated Show resolved Hide resolved
@jglick jglick marked this pull request as draft March 13, 2023 19:42
@jglick jglick changed the title Save libraries as JAR files rather than unpacked [JENKINS-70869] Save libraries as JAR files rather than unpacked Mar 24, 2023
@jglick jglick changed the title [JENKINS-70869] Save libraries as JAR files rather than unpacked [JENKINS-70870] Save libraries as JAR files rather than unpacked Jun 9, 2023
@jtnord jtnord mentioned this pull request May 17, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dwnusbaum dwnusbaum dwnusbaum approved these changes

@jtnord jtnord jtnord approved these changes

@rsandell rsandell rsandell approved these changes

Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@jglick @rsandell @jtnord @dwnusbaum