Build #3,169

Plan branch:

Build: #3169 failed Scheduled with changes by 3 people

Build result summary

Details

Completed
Queue duration
1 second
Duration
3 seconds
Labels
None
Revision
8e435b3355733f767c89b8ce3409e17ab400f811 8e435b3355733f767c89b8ce3409e17ab400f811
Fixed in
#3170 (Scheduled with changes by dkayiwa <kayiwadaniel@gmail.com> and Himabindu T <tbindu@thoughtworks.com>)
No failed test found. A possible compilation error occurred.

Responsible

No one has taken responsibility for this failure

Code commits

Author Commit Message Commit date
Jonathan Leitschuh <jonathan.leitschuh@gmail.com> Jonathan Leitschuh <jonathan.leitschuh@gmail.com> 8e435b3355733f767c89b8ce3409e17ab400f811 8e435b3355733f767c89b8ce3409e17ab400f811 vuln-fix: Zip Slip Vulnerability (#4144)
This fixes a Zip-Slip vulnerability.

This change does one of two things. This change either

1. Inserts a guard to protect against Zip Slip.
OR
2. Replaces `dir.getCanonicalPath().startsWith(parent.getCanonicalPath())`, which is vulnerable to partial path traversal attacks, with the more secure `dir.getCanonicalFile().toPath().startsWith(parent.getCanonicalFile().toPath())`.

For number 2, consider `"/usr/outnot".startsWith("/usr/out")`.
The check is bypassed although `/outnot` is not under the `/out` directory.
It's important to understand that the terminating slash may be removed when using various `String` representations of the `File` object.
For example, on Linux, `println(new File("/var"))` will print `/var`, but `println(new File("/var", "/")` will print `/var/`;
however, `println(new File("/var", "/").getCanonicalPath())` will print `/var`.

Weakness: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Severity: High
CVSSS: 7.4
Detection: CodeQL (https://codeql.github.com/codeql-query-help/java/java-zipslip/) & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.ZipSlip)

Reported-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>
Signed-off-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>

Bug-tracker: https://github.com/JLLeitschuh/security-research/issues/16

Co-authored-by: Moderne <team@moderne.io>

Co-authored-by: Moderne <team@moderne.io>
dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> d9de1cbf1bfc43de462a5fc7f3c5f553d6f8aa1f d9de1cbf1bfc43de462a5fc7f3c5f553d6f8aa1f github-actions(deps): bump actions/checkout from 2 to 3 (#4147)
Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 3.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v2...v3)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Siva Reddy <sivareddy.pathuri@thoughtworks.com> Siva Reddy <sivareddy.pathuri@thoughtworks.com> f7e2e474d9e8b4915fd99d12738b17070e501fbc f7e2e474d9e8b4915fd99d12738b17070e501fbc Siva Reddy | BAH-2274 | Support for Java8 DateTime in jackson (#4146)

Jira issues

IssueDescriptionStatus
Unknown Issue TypeBAH-2274Could not obtain issue details from Jira
Unknown Issue TypeCWE-22Could not obtain issue details from Jira