[SECURITY-3501]

daniel-beck · jenkinsci-cert-ci · commit 0f8f5a20e9f9 · 2025-02-20T11:39:53.000Z
diff --git a/core/src/main/java/hudson/Util.java b/core/src/main/java/hudson/Util.java
@@ -1663,7 +1663,7 @@ public static boolean isAbsoluteUri(@NonNull String uri) {
      * @since 2.3 / 1.651.2
      */
     public static boolean isSafeToRedirectTo(@NonNull String uri) {
-        return !isAbsoluteUri(uri) && !uri.startsWith("//");
+        return !isAbsoluteUri(uri) && !uri.startsWith("\\") && !uri.replace('\\', '/').startsWith("//");
     }
 
     /**
diff --git a/core/src/test/java/hudson/UtilTest.java b/core/src/test/java/hudson/UtilTest.java
@@ -416,12 +416,16 @@ public void testIsAbsoluteUri() {
     }
 
     @Test
-    @Issue("SECURITY-276")
+    @Issue({"SECURITY-276", "SECURITY-3501"})
     public void testIsSafeToRedirectTo() {
         assertFalse(Util.isSafeToRedirectTo("http://foobar/"));
         assertFalse(Util.isSafeToRedirectTo("mailto:kk@kohsuke.org"));
         assertFalse(Util.isSafeToRedirectTo("d123://test/"));
         assertFalse(Util.isSafeToRedirectTo("//google.com"));
+        assertFalse(Util.isSafeToRedirectTo("\\\\google.com"));
+        assertFalse(Util.isSafeToRedirectTo("\\/google.com"));
+        assertFalse(Util.isSafeToRedirectTo("/\\google.com"));
+        assertFalse(Util.isSafeToRedirectTo("\\google.com"));
 
         assertTrue(Util.isSafeToRedirectTo("foo/bar/abc:def"));
         assertTrue(Util.isSafeToRedirectTo("foo?abc:def"));
diff --git a/test/src/test/java/jenkins/security/Security3501Test.java b/test/src/test/java/jenkins/security/Security3501Test.java
@@ -0,0 +1,33 @@
+package jenkins.security;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.is;
+
+import java.util.List;
+import org.htmlunit.FailingHttpStatusCodeException;
+import org.junit.Assert;
+import org.junit.Rule;
+import org.junit.Test;
+import org.jvnet.hudson.test.JenkinsRule;
+import org.jvnet.hudson.test.RealJenkinsRule;
+
+public class Security3501Test {
+    @Rule
+    public RealJenkinsRule jj = new RealJenkinsRule();
+
+    @Test
+    public void testRedirects() throws Throwable {
+        jj.then(Security3501Test::_testRedirects);
+    }
+
+    public static void _testRedirects(JenkinsRule j) throws Exception {
+        List<String> prohibitedPaths = List.of("%5C%5Cexample.org", "%5C/example.org", "/%5Cexample.org", "//example.org", "https://example.org", "\\example.org");
+        for (String path : prohibitedPaths) {
+            try (JenkinsRule.WebClient wc = j.createWebClient().withRedirectEnabled(false)) {
+                final FailingHttpStatusCodeException fhsce = Assert.assertThrows(FailingHttpStatusCodeException.class, () -> wc.goTo("userContent?path=" + path));
+                assertThat(fhsce.getStatusCode(), is(302));
+                assertThat(fhsce.getResponse().getResponseHeaderValue("Location"), is(j.getURL().toExternalForm() + "userContent/"));
+            }
+        }
+    }
+}

Original file line number	Diff line number	Diff line change
`@@ -1663,7 +1663,7 @@ public static boolean isAbsoluteUri(@NonNull String uri) {`
`1663`	`1663`	`* @since 2.3 / 1.651.2`
`1664`	`1664`	`*/`
`1665`	`1665`	`public static boolean isSafeToRedirectTo(@NonNull String uri) {`
`1666`		`- return !isAbsoluteUri(uri) && !uri.startsWith("//");`
	`1666`	`+ return !isAbsoluteUri(uri) && !uri.startsWith("\\") && !uri.replace('\\', '/').startsWith("//");`
`1667`	`1667`	`}`
`1668`	`1668`
`1669`	`1669`	`/**`