[JENKINS-73129] Remove Windows path traversal escape hatch from SECUR…

…ITY-2481 (#9387)

Remove SECURITY-2481 escape hatch

https://www.jenkins.io/security/advisory/2021-10-06/#SECURITY-2481 was
published in October 2021 with an escape hatch that allows users to
enable the path traversal vulnerability on Windows. Jetty 12 detects
the vulernability even before the request reaches Jenkins and returns
an HTTP error, as required by the Servlet API specification.

Remove the escape hatch because the escape hatch is intended to be
temporary and we don't want to reimplement the escape hatch within
Jetty configuration.

https://issues.jenkins.io/browse/JENKINS-73129 includes further discussion
of the alternatives.

core/src/main/java/hudson/model/DirectoryBrowserSupport.java

@@ -91,11 +91,6 @@ public final class DirectoryBrowserSupport implements HttpResponse {
 
     private static final Pattern TMPDIR_PATTERN = Pattern.compile(".+@tmp/.*");
 
-    /**
-     * Escape hatch for the protection against SECURITY-2481. If enabled, the absolute paths on Windows will be allowed.
-     */
-    static final String ALLOW_ABSOLUTE_PATH_PROPERTY_NAME = DirectoryBrowserSupport.class.getName() + ".allowAbsolutePath";
-
     public final ModelObject owner;
 
     public final String title;
@@ -261,13 +256,11 @@ private void serveFile(StaplerRequest req, StaplerResponse rsp, VirtualFile root
         if (base.isEmpty()) {
             baseFile = root;
         } else {
-            if (!SystemProperties.getBoolean(ALLOW_ABSOLUTE_PATH_PROPERTY_NAME, false)) {
-                boolean isAbsolute = root.run(new IsAbsolute(base));
-                if (isAbsolute) {
-                    LOGGER.info(() -> "SECURITY-2481 The path provided in the URL (" + base + ") is absolute and thus is refused.");
-                    rsp.sendError(HttpServletResponse.SC_NOT_FOUND);
-                    return;
-                }
+            boolean isAbsolute = root.run(new IsAbsolute(base));
+            if (isAbsolute) {
+                LOGGER.info(() -> "SECURITY-2481 The path provided in the URL (" + base + ") is absolute and thus is refused.");
+                rsp.sendError(HttpServletResponse.SC_NOT_FOUND);
+                return;
             }
             baseFile = root.child(base);
         }

test/src/test/java/hudson/model/DirectoryBrowserSupportTest.java

@@ -1114,33 +1114,6 @@ public void windows_cannotViewAbsolutePath() throws Exception {
         MatcherAssert.assertThat(page.getWebResponse().getStatusCode(), equalTo(404));
     }
 
-    @Test
-    @Issue("SECURITY-2481")
-    public void windows_canViewAbsolutePath_withEscapeHatch() throws Exception {
-        Assume.assumeTrue("can only be tested this on Windows", Functions.isWindows());
-
-        String originalValue = System.getProperty(DirectoryBrowserSupport.ALLOW_ABSOLUTE_PATH_PROPERTY_NAME);
-        System.setProperty(DirectoryBrowserSupport.ALLOW_ABSOLUTE_PATH_PROPERTY_NAME, "true");
-        try {
-            Path targetTmpPath = Files.createTempFile("sec2481", "tmp");
-            String content = "random data provided as fixed value";
-            Files.writeString(targetTmpPath, content, StandardCharsets.UTF_8);
-
-            JenkinsRule.WebClient wc = j.createWebClient().withThrowExceptionOnFailingStatusCode(false);
-            Page page = wc.goTo("userContent/" + targetTmpPath.toAbsolutePath() + "/*view*", null);
-
-            MatcherAssert.assertThat(page.getWebResponse().getStatusCode(), equalTo(200));
-            MatcherAssert.assertThat(page.getWebResponse().getContentAsString(), containsString(content));
-        } finally {
-            if (originalValue == null) {
-                System.clearProperty(DirectoryBrowserSupport.ALLOW_ABSOLUTE_PATH_PROPERTY_NAME);
-            } else {
-                System.setProperty(DirectoryBrowserSupport.ALLOW_ABSOLUTE_PATH_PROPERTY_NAME, originalValue);
-            }
-        }
-
-    }
-
     @Test
     @Issue("SECURITY-1807")
     public void tmpNotListed() throws Exception {