Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Fixed
Priority: Low
Fix Version/s: 6.8.0
Affects Version/s: None
Component/s: Artifacts
Labels:

Symptom Severity:
Severity 2 - Major
Bug Fix Policy:
View Atlassian Server bug fix policy

Description

We received external report

I found that the job artifact doesn't have any protection for the file to download.If the repo contain some kinds of file like HTML files.I can create a copy pattern */.html that will copy all html files to a certain location that can be rendered by browser directly and lead to XSS.

Here is the PoC steps:

Link any repo that have html files to a build plan;
Create a job in the plan and configure an Artifacts for this job.Input */.html in the copy pattern;
Run the plan and check the Shared artifacts,it have a url that will lead to your html file.

Attachments

Issue Links

is related to

BAM-20305 Chrome/Safari open artifacts in browser instead of download option

Closed

mentioned in: Page Loading...

was cloned as: BDEV-14879 Loading...

Activity

People

Assignee:: Unassigned

Reporter:: alexmin (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 10 Start watching this issue

Dates

Due:: 05/Dec/2018

Created:: 16/Aug/2017 6:01 AM

Updated:: 19/Aug/2019 2:06 AM

Resolved:: 16/Oct/2018 1:23 PM