[fix] fix for code scanning alert no. 48: Uncontrolled data used in p…

…ath expression (#23985) Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> (cherry picked from commit 5812084)
apache · Feb 17, 2025 · 8ee80ff · 8ee80ff
1 parent e729c90
commit 8ee80ff
Showing 1 changed file with 5 additions and 2 deletions.
diff --git a/...a/org/apache/pulsar/packages/management/storage/filesystem/FileSystemPackagesStorage.java b/...a/org/apache/pulsar/packages/management/storage/filesystem/FileSystemPackagesStorage.java
@@ -59,11 +59,14 @@ public class FileSystemPackagesStorage implements PackagesStorage {
     }
 
     private File getPath(String path) throws IOException {
-        if (path.contains("..")) {
+        // Normalize the path to remove any redundant path elements
+        File f = Paths.get(storagePath.toString(), path).normalize().toFile();
+
+        // Ensure the normalized path is still within the storagePath
+        if (!f.getAbsolutePath().startsWith(storagePath.getAbsolutePath())) {
             throw new IOException("Invalid path: " + path);
         }
 
-        File f = Paths.get(storagePath.toString(), path).toFile();
         if (!f.getParentFile().exists()) {
             if (!f.getParentFile().mkdirs()) {
                 throw new RuntimeException("Failed to create parent dirs for " + path);