Merge pull request jenkinsci#159 from dwnusbaum/security-fix-test-compatibility

Fix recent security fixes if JENKINS_HOME is a symlink and failing tests on Windows after recent security fixes

Author: dwnusbaum

src/main/java/org/jenkinsci/plugins/workflow/multibranch/ReadTrustedStep.java

@@ -248,7 +248,7 @@ private static boolean isDescendant(FilePath child, FilePath parent) throws IOEx
             if (child.isRemote() || parent.isRemote()) {
                 throw new IllegalStateException();
             }
-            return new File(child.getRemote()).getCanonicalFile().toPath().startsWith(parent.absolutize().getRemote());
+            return new File(child.getRemote()).getCanonicalFile().toPath().startsWith(new File(parent.getRemote()).getCanonicalPath());
         }
 
         private static final long serialVersionUID = 1L;

src/test/java/org/jenkinsci/plugins/workflow/multibranch/ReadTrustedStepTest.java

@@ -232,12 +232,13 @@ public void pathTraversalRejected() throws Exception {
 
         WorkflowRun b = p.getLastBuild();
         assertEquals(1, b.getNumber());
-        r.assertLogContains("secrets/master.key references a file that is not inside " + r.jenkins.getWorkspaceFor(p).getRemote(), b);
+        r.assertLogContains("master.key references a file that is not inside " + r.jenkins.getWorkspaceFor(p).getRemote(), b);
     }
 
     @Issue("SECURITY-2491")
     @Test
     public void symlinksInReadTrustedCannotEscapeWorkspaceContext() throws Exception {
+        assumeFalse(Functions.isWindows()); // On Windows, the symlink is treated as a regular file, so there is no vulnerability, but the behavior is different.
         SCMBinder.USE_HEAVYWEIGHT_CHECKOUT = true;
         sampleRepo.init();
         sampleRepo.write("Jenkinsfile", "node { checkout scm; echo \"${readTrusted 'secrets/master.key'}\"}");
@@ -259,6 +260,7 @@ public void symlinksInReadTrustedCannotEscapeWorkspaceContext() throws Exception
     @Issue("SECURITY-2491")
     @Test
     public void symlinksInUntrustedRevisionCannotEscapeWorkspace() throws Exception {
+        assumeFalse(Functions.isWindows()); // On Windows, the symlink is treated as a regular file, so there is no vulnerability, but the behavior is different.
         SCMBinder.USE_HEAVYWEIGHT_CHECKOUT = true;
         sampleRepo.init();
         sampleRepo.write("Jenkinsfile", "node { checkout scm; echo \"${readTrusted 'secrets/master.key'}\"}");
@@ -286,6 +288,7 @@ public void symlinksInUntrustedRevisionCannotEscapeWorkspace() throws Exception
     @Issue("SECURITY-2491")
     @Test
     public void symlinksInNonMultibranchCannotEscapeWorkspaceContextViaReadTrusted() throws Exception {
+        assumeFalse(Functions.isWindows()); // On Windows, the symlink is treated as a regular file, so there is no vulnerability, but the behavior is different.
         SCMBinder.USE_HEAVYWEIGHT_CHECKOUT = true;
         sampleRepo.init();
         sampleRepo.write("Jenkinsfile", "echo \"${readTrusted 'master.key'}\"");
@@ -319,7 +322,10 @@ public void symlinksInNonMultibranchCannotEscapeWorkspaceContextViaReadTrusted()
         FileUtils.copyDirectory(new File(sampleRepo.getRoot(), ".git"), gitDirInSvnRepo);
         String jenkinsRootDir = r.jenkins.getRootDir().toString();
         // Add a Git post-checkout hook to the .git folder in the SVN repo.
-        Files.write(gitDirInSvnRepo.toPath().resolve("hooks/post-checkout"), ("#!/bin/sh\ntouch '" + jenkinsRootDir + "/hook-executed'\n").getBytes(StandardCharsets.UTF_8));
+        Path postCheckoutHook = gitDirInSvnRepo.toPath().resolve("hooks/post-checkout");
+        // Always create hooks directory for compatibility with https://github.com/jenkinsci/git-plugin/pull/1207.
+        Files.createDirectories(postCheckoutHook.getParent());
+        Files.write(postCheckoutHook, ("#!/bin/sh\ntouch '" + jenkinsRootDir + "/hook-executed'\n").getBytes(StandardCharsets.UTF_8));
         sampleRepoSvn.svnkit("add", sampleRepoSvn.wc() + "/Jenkinsfile");
         sampleRepoSvn.svnkit("add", sampleRepoSvn.wc() + "/.git");
         sampleRepoSvn.svnkit("propset", "svn:executable", "ON", sampleRepoSvn.wc() + "/.git/hooks/post-checkout");
@@ -354,7 +360,10 @@ public void symlinksInNonMultibranchCannotEscapeWorkspaceContextViaReadTrusted()
         FileUtils.copyDirectory(new File(sampleRepo.getRoot(), ".git"), gitDirInSvnRepo);
         String jenkinsRootDir = r.jenkins.getRootDir().toString();
         // Add a Git post-checkout hook to the .git folder in the SVN repo.
-        Files.write(gitDirInSvnRepo.toPath().resolve("hooks/post-checkout"), ("#!/bin/sh\ntouch '" + jenkinsRootDir + "/hook-executed'\n").getBytes(StandardCharsets.UTF_8));
+        Path postCheckoutHook = gitDirInSvnRepo.toPath().resolve("hooks/post-checkout");
+        // Always create hooks directory for compatibility with https://github.com/jenkinsci/git-plugin/pull/1207.
+        Files.createDirectories(postCheckoutHook.getParent());
+        Files.write(postCheckoutHook, ("#!/bin/sh\ntouch '" + jenkinsRootDir + "/hook-executed'\n").getBytes(StandardCharsets.UTF_8));
         sampleRepoSvn.svnkit("add", sampleRepoSvn.wc() + "/Jenkinsfile");
         sampleRepoSvn.svnkit("add", sampleRepoSvn.wc() + "/.git");
         sampleRepoSvn.svnkit("propset", "svn:executable", "ON", sampleRepoSvn.wc() + "/.git/hooks/post-checkout");