Build #3,169

Plan branch:

Build: #3169 failed

Job: Default Job failed

Stages & jobs

  1. Default Stage

Code commits

openmrs-core master

  • Jonathan Leitschuh <jonathan.leitschuh@gmail.com>

    Jonathan Leitschuh <jonathan.leitschuh@gmail.com> 8e435b3355733f767c89b8ce3409e17ab400f811

    vuln-fix: Zip Slip Vulnerability (#4144)
    This fixes a Zip-Slip vulnerability.

    This change does one of two things. This change either

    1. Inserts a guard to protect against Zip Slip.
    OR
    2. Replaces `dir.getCanonicalPath().startsWith(parent.getCanonicalPath())`, which is vulnerable to partial path traversal attacks, with the more secure `dir.getCanonicalFile().toPath().startsWith(parent.getCanonicalFile().toPath())`.

    For number 2, consider `"/usr/outnot".startsWith("/usr/out")`.
    The check is bypassed although `/outnot` is not under the `/out` directory.
    It's important to understand that the terminating slash may be removed when using various `String` representations of the `File` object.
    For example, on Linux, `println(new File("/var"))` will print `/var`, but `println(new File("/var", "/")` will print `/var/`;
    however, `println(new File("/var", "/").getCanonicalPath())` will print `/var`.

    Weakness: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Severity: High
    CVSSS: 7.4
    Detection: CodeQL (https://codeql.github.com/codeql-query-help/java/java-zipslip/) & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.ZipSlip)

    Reported-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>
    Signed-off-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>

    Bug-tracker: https://github.com/JLLeitschuh/security-research/issues/16

    Co-authored-by: Moderne <team@moderne.io>

    Co-authored-by: Moderne <team@moderne.io>

    • web/src/main/java/org/openmrs/web/filter/initialization/TestInstallUtil.java (version 8e435b3355733f767c89b8ce3409e17ab400f811)
  • dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

    dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> d9de1cbf1bfc43de462a5fc7f3c5f553d6f8aa1f

    github-actions(deps): bump actions/checkout from 2 to 3 (#4147)
    Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 3.
    - [Release notes](https://github.com/actions/checkout/releases)
    - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
    - [Commits](https://github.com/actions/checkout/compare/v2...v3)

    ---
    updated-dependencies:
    - dependency-name: actions/checkout
      dependency-type: direct:production
      update-type: version-update:semver-major
    ...

    Signed-off-by: dependabot[bot] <support@github.com>

    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

    • .github/workflows/codeql-analysis.yml (version d9de1cbf1bfc43de462a5fc7f3c5f553d6f8aa1f)
  • Siva Reddy <sivareddy.pathuri@thoughtworks.com>

    Siva Reddy <sivareddy.pathuri@thoughtworks.com> f7e2e474d9e8b4915fd99d12738b17070e501fbc

    Siva Reddy | BAH-2274 | Support for Java8 DateTime in jackson (#4146)

    • api/pom.xml (version f7e2e474d9e8b4915fd99d12738b17070e501fbc)
    • pom.xml (version f7e2e474d9e8b4915fd99d12738b17070e501fbc)