SECURITY-3237-3238

jenkinsci · Oct 18, 2023 · e45ca84 · e45ca84
1 parent 0605b58
commit e45ca84
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 34 deletions.
diff --git a/src/main/java/org/jenkinsci/plugins/electricflow/ElectricFlowClient.java b/src/main/java/org/jenkinsci/plugins/electricflow/ElectricFlowClient.java
@@ -416,7 +416,8 @@ public String uploadArtifact(
     // http://swarm/reviews/137432/
     String phpUrl = this.electricFlowUrl + "/commander/publishArtifact.php";
     String cgiUrl = this.electricFlowUrl + "/commander/cgi-bin/publishArtifactAPI.cgi";
-    String requestURL = checkIfEndpointReachable("/commander/publishArtifact.php") ? phpUrl : cgiUrl;
+    boolean isPhpEndpoint = checkIfEndpointReachable("/commander/publishArtifact.php");
+    String requestURL = isPhpEndpoint ? phpUrl : cgiUrl;
 
     MultipartUtility multipart =
         new MultipartUtility(requestURL, CHARSET, this.getIgnoreSslConnectionErrors());
@@ -428,20 +429,7 @@ public String uploadArtifact(
     multipart.addFormField("commanderSessionId", sessionId);
 
     for (File file : fileList) {
-      if (file.isDirectory()) {
-
-        if (!uploadDirectory) {
-          continue;
-        }
-
-        List<File> dirFiles = FileHelper.getFilesFromDirectory(file);
-
-        for (File f : dirFiles) {
-          multipart.addFilePart("files", f, uploadWorkspace);
-        }
-      } else {
-        multipart.addFilePart("files", file, uploadWorkspace);
-      }
+      multipart.addFilePart(isPhpEndpoint ? "files[]" : "files", file, uploadWorkspace);
     }
 
     List<String> response = multipart.finish();

diff --git a/src/main/java/org/jenkinsci/plugins/electricflow/FileHelper.java b/src/main/java/org/jenkinsci/plugins/electricflow/FileHelper.java
@@ -24,6 +24,7 @@
 import java.io.PrintStream;
 import java.io.Writer;
 import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.regex.Pattern;
@@ -112,24 +113,6 @@ static String[] splitPath(String separator, String path) {
     return list;
   }
 
-  static List<File> getFilesFromDirectory(final File folder) {
-    List<File> fileList = new ArrayList<>();
-    File[] list = folder.listFiles();
-
-    if (list == null) {
-      return fileList;
-    }
-
-    for (final File fileEntry : list) {
-
-      if (!fileEntry.isDirectory()) {
-        fileList.add(fileEntry);
-      }
-    }
-
-    return fileList;
-  }
-
   static List<File> getFilesFromDirectoryWildcardDirScanner(
           String includePattern,
           boolean fullPath,
@@ -148,7 +131,9 @@ public void visit(File file, String s) throws IOException {
           fileString = s;
         }
         File retFile = new File(fileString);
-        readFileList.add(retFile);
+        if (retFile.toPath().toRealPath().startsWith(new File(fullPathValue).toPath().toRealPath())) {
+          readFileList.add(retFile);
+        }
       }
     });
     return readFileList;
@@ -236,6 +221,10 @@ private static boolean __deleteDirectory(File dir) {
     File[] files = dir.listFiles();
     if (files != null) {
       for (final File file : files) {
+        if (Files.isSymbolicLink(file.toPath())) {
+          boolean symlinkRemoved = file.delete();
+          continue;
+        }
         __deleteDirectory(file);
       }
     }