Bitbucket wipe out whole XLR home

Question

Bitbucket wipe out whole XLR home

Opened this issue 4 years ago · 1 comments

We have disabled the option that caused the problem scenario for now. The issue is caused by the “Download Code” option in the bitbucket plugin that we got.
Happened specifically when a user-specified “ ./ “ as the download path.

The plugin code has the following :

    self.logger.warn( " Now downloading code in download folder : %s" % variables['downloadPath'] )
    command = CmdLine()
    script = '''
        cd %s
        wget --user %s --password %s  -O code.zip %s
        unzip code.zip
        rm -rf *.zip
        foldername=`ls -d */`
        mv -f $foldername* `pwd`
        rm -rf $foldername

Can this be fixed or updated to avoid consequences in the future?
Thanks

Answer 1 · 2020-07-14T12:23:12.000Z

Here are logs 👍 Below is the pertinent log of what happened :

Archive: code.zip --2020-06-26 08:23:01-- http://globalrepository.mclocal.int/stash/XLR/xlr-playground/get/master.zip http://globalrepository.mclocal.int/stash/XLR/xlr-playground/get/master.zip Resolving globalrepository.mclocal.int (globalrepository.mclocal.int)... 10.154.23.3, 10.154.23.3 Connecting to globalrepository.mclocal.int (globalrepository.mclocal.int)|10.154.23.3|:80... connected. HTTP request sent, awaiting response... 404 2020-06-26 08:23:01 ERROR 404: (no description). End-of-central-directory signature not found. Either this file is not a zipfile, or it constitutes one disk of a multi-part archive. In the latter case the central directory and zipfile comment will be found on the last disk(s) of this archive. unzip: cannot find zipfile directory in one of code.zip or code.zip.zip, and cannot find code.zip.ZIP, period. mv: ‘bin/’ and ‘/sys_apps_01/xlrelease/xl-release-server/bin’ are the same file mv: ‘conf/’ and ‘/sys_apps_01/xlrelease/xl-release-server/conf’ are the same file mv: ‘doc/’ and ‘/sys_apps_01/xlrelease/xl-release-server/doc’ are the same file mv: ‘ext/’ and ‘/sys_apps_01/xlrelease/xl-release-server/ext’ are the same file mv: ‘hotfix/’ and ‘/sys_apps_01/xlrelease/xl-release-server/hotfix’ are the same file mv: ‘lib/’ and ‘/sys_apps_01/xlrelease/xl-release-server/lib’ are the same file mv: ‘log/’ and ‘/sys_apps_01/xlrelease/xl-release-server/log’ are the same file mv: ‘plugins/’ and ‘/sys_apps_01/xlrelease/xl-release-server/plugins’ are the same file mv: ‘reports/’ and ‘/sys_apps_01/xlrelease/xl-release-server/reports’ are the same file mv: ‘serviceWrapper/’ and ‘/sys_apps_01/xlrelease/xl-release-server/serviceWrapper’ are the same file