OpenMRS Core Master

Stages & jobs

  1. Build

  2. Test

  3. Deploy

  4. Release

    Requires a user to start manually

Build result summary

Details

Completed
Queue duration
< 1 second
Duration
19 seconds
Labels
None
Revisions
openmrs-core
8e435b3355733f767c89b8ce3409e17ab400f811
openmrs-standalone
885ad10c3e56ae11105727bb801f2f04042a18d9
Release scripts
c4475a9228b197817dce78683d9da8a1e2c4e3a5
Failing since
#2992 (Changes by Siva Reddy <sivareddy.pathuri@thoughtworks.com>)
Fixed in
#3001 (Changes by Ian Bacher)
No failed test found. A possible compilation error occurred.

Responsible

This build has been failing since #2992
No one has taken responsibility

Code commits

openmrs-core
Author Commit Message Commit date
Jonathan Leitschuh <jonathan.leitschuh@gmail.com> 8e435b3355733f767c89b8ce3409e17ab400f811 vuln-fix: Zip Slip Vulnerability (#4144)
This fixes a Zip-Slip vulnerability.

This change does one of two things. This change either

1. Inserts a guard to protect against Zip Slip.
OR
2. Replaces `dir.getCanonicalPath().startsWith(parent.getCanonicalPath())`, which is vulnerable to partial path traversal attacks, with the more secure `dir.getCanonicalFile().toPath().startsWith(parent.getCanonicalFile().toPath())`.

For number 2, consider `"/usr/outnot".startsWith("/usr/out")`.
The check is bypassed although `/outnot` is not under the `/out` directory.
It's important to understand that the terminating slash may be removed when using various `String` representations of the `File` object.
For example, on Linux, `println(new File("/var"))` will print `/var`, but `println(new File("/var", "/"))` will print `/var/`;
however, `println(new File("/var", "/").getCanonicalPath())` will print `/var`.

Weakness: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Severity: High
CVSS: 7.4
Detection: CodeQL (https://codeql.github.com/codeql-query-help/java/java-zipslip/) & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.ZipSlip)

Reported-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>
Signed-off-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>

Bug-tracker: https://github.com/JLLeitschuh/security-research/issues/16

Co-authored-by: Moderne <team@moderne.io>
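The two containment checks contrasted in the commit message, placed side by side as an added Java example (this is not code from the openmrs-core commit itself). The class name, method names, paths and zip entry names are constructed, and the demo assumes a POSIX filesystem where `/usr` exists so that `getCanonicalPath()` resolves.

```java
import java.io.File;
import java.io.IOException;

public class ZipSlipGuardDemo {

    // Vulnerable form named in the commit message: a string prefix test on the
    // canonical paths. Because "/usr/outnot" starts with the characters
    // "/usr/out", a sibling directory is accepted as if it were a child.
    static boolean stringPrefixCheck(File parent, File child) throws IOException {
        return child.getCanonicalPath().startsWith(parent.getCanonicalPath());
    }

    // Hardened form: Path.startsWith compares whole path elements, so the
    // element "outnot" is not matched by the element "out".
    static boolean pathElementCheck(File parent, File child) throws IOException {
        return child.getCanonicalFile().toPath().startsWith(parent.getCanonicalFile().toPath());
    }

    // Guard applied to each zip entry name before anything is written: resolve
    // the entry against the destination directory and reject any entry whose
    // canonical location is outside it.
    static File resolveEntry(File destDir, String entryName) throws IOException {
        File target = new File(destDir, entryName);
        if (!pathElementCheck(destDir, target)) {
            throw new IOException("Zip entry escapes destination directory: " + entryName);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        File parent = new File("/usr/out");           // constructed destination directory
        File sibling = new File("/usr/outnot");       // constructed sibling, not a child
        File inside = new File("/usr/out/file.txt");  // constructed genuine child

        System.out.println("string prefix, sibling: " + stringPrefixCheck(parent, sibling));
        System.out.println("path element,  sibling: " + pathElementCheck(parent, sibling));
        System.out.println("path element,  child:   " + pathElementCheck(parent, inside));

        // Constructed entry names as a zip extractor would read them from the archive.
        System.out.println("accepted: " + resolveEntry(parent, "docs/readme.txt"));
        try {
            resolveEntry(parent, "../outside.txt");
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Running the class shows the string check accepting the sibling directory while the element-wise check rejects it and accepts only the genuine child and the in-tree entry name.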

Configuration changes

Plan configuration has changed since the last successful build. See the plan audit log for more details.

Some of the jobs or stages referenced by this result no longer exist.

Restarting failed/incomplete builds only is not possible as some of the affected jobs no longer exist.

Jira issues

Issue | Description | Status
Unknown Issue Type | CWE-22 | Could not obtain issue details from Jira