This is an automated email from the ASF dual-hosted git repository. lhotari pushed a commit to branch branch-3.0 in repository https://gitbox.apache.org/repos/asf/pulsar.git
commit 8ee80ffec634293a635d55f1e777849ab22f000d
Author: Matteo Merli <[email protected]>
AuthorDate: Fri Feb 14 08:54:59 2025 -0800

    [fix] fix for code scanning alert no. 48: Uncontrolled data used in path expression (#23985)

    Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
    (cherry picked from commit 58120841ec74373b5ea718dd0325d4542dde4330)
---
 .../management/storage/filesystem/FileSystemPackagesStorage.java | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/pulsar-package-management/filesystem-storage/src/main/java/org/apache/pulsar/packages/management/storage/filesystem/FileSystemPackagesStorage.java b/pulsar-package-management/filesystem-storage/src/main/java/org/apache/pulsar/packages/management/storage/filesystem/FileSystemPackagesStorage.java
index 2bb43bb2072..8bf7851fc8d 100644
--- a/pulsar-package-management/filesystem-storage/src/main/java/org/apache/pulsar/packages/management/storage/filesystem/FileSystemPackagesStorage.java
+++ b/pulsar-package-management/filesystem-storage/src/main/java/org/apache/pulsar/packages/management/storage/filesystem/FileSystemPackagesStorage.java
@@ -59,11 +59,14 @@ public class FileSystemPackagesStorage implements PackagesStorage {
     }
 
     private File getPath(String path) throws IOException {
-        if (path.contains("..")) {
+        // Normalize the path to remove any redundant path elements
+        File f = Paths.get(storagePath.toString(), path).normalize().toFile();
+
+        // Ensure the normalized path is still within the storagePath
+        if (!f.getAbsolutePath().startsWith(storagePath.getAbsolutePath())) {
             throw new IOException("Invalid path: " + path);
         }
-        File f = Paths.get(storagePath.toString(), path).toFile();
         if (!f.getParentFile().exists()) {
             if (!f.getParentFile().mkdirs()) {
                 throw new RuntimeException("Failed to create parent dirs for " + path);
