Merge pull request #176 from jenkinsci/follow-workspace-symlink

[JENKINS-72628] Follow symlinks when checking the workspace prefix
jenkinsci · Aug 21, 2024 · aaaf530 · aaaf530
2 parents a9a9866 + 49352c9
commit aaaf530
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 0 deletions.
diff --git a/src/main/java/io/jenkins/plugins/prism/FilePermissionEnforcer.java b/src/main/java/io/jenkins/plugins/prism/FilePermissionEnforcer.java
@@ -1,12 +1,14 @@
 package io.jenkins.plugins.prism;
 
+import java.io.IOException;
 import java.nio.file.Paths;
 import java.util.Arrays;
 import java.util.HashSet;
 import java.util.Set;
 import java.util.stream.Collectors;
 
 import edu.hm.hafner.util.PathUtil;
+import edu.hm.hafner.util.VisibleForTesting;
 import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 
 import hudson.FilePath;
@@ -59,9 +61,24 @@ public boolean isInWorkspace(final String fileName, final FilePath workspace, fi
                 .map(PATH_UTIL::getAbsolutePath)
                 .collect(Collectors.toSet());
         permittedAbsolutePaths.add(workspace.getRemote());
+        permittedAbsolutePaths.add(resolveWorkspace(workspace));
 
         return permittedAbsolutePaths.stream()
                 .map(Paths::get)
                 .anyMatch(prefix -> Paths.get(sourceFile).startsWith(prefix));
     }
+
+    @VisibleForTesting
+    String resolveWorkspace(final FilePath workspace) {
+        try {
+            var resolved = workspace.readLink();
+            if (resolved != null) {
+                return resolved;
+            }
+        }
+        catch (IOException | InterruptedException ignore) {
+            // ignore
+        }
+        return workspace.getRemote();
+    }
 }
diff --git a/src/test/java/io/jenkins/plugins/prism/FilePermissionEnforcerTest.java b/src/test/java/io/jenkins/plugins/prism/FilePermissionEnforcerTest.java
@@ -1,6 +1,9 @@
 package io.jenkins.plugins.prism;
 
 import java.io.File;
+import java.io.IOException;
+import java.nio.file.Files;
+import java.util.Set;
 
 import org.junit.jupiter.api.Test;
 import org.junitpioneer.jupiter.Issue;
@@ -35,6 +38,23 @@ void shouldComparePathsOnUnix() {
         assertThat(validator.isInWorkspace("/b/a/b.c", WORKSPACE_UNIX, "/a")).isFalse();
     }
 
+    @Test @Issue("JENKINS-72628")
+    void shouldFollowSymbolicLinks() throws IOException {
+        var workspace = Files.createTempDirectory("workspace");
+        workspace.toFile().deleteOnExit();
+        var link = Files.createSymbolicLink(workspace.resolve("link"), workspace);
+
+        FilePermissionEnforcer validator = new FilePermissionEnforcer();
+        assertThat(validator.resolveWorkspace(new FilePath(link.toFile())))
+                .isEqualTo(workspace.toString());
+        assertThat(validator.isInWorkspace(workspace + "/something.txt",
+                new FilePath(workspace.toFile()), Set.of()))
+                .isTrue();
+        assertThat(validator.isInWorkspace(workspace + "/something.txt",
+                new FilePath(link.toFile()), Set.of()))
+                .isTrue();
+    }
+
     @Test
     void shouldAllowWorkspaceByDefaultOnUnix() {
         assumeThat(isWindows()).isFalse();