[fix] fix for code scanning alert no. 48: Uncontrolled data used in path expression #23985

merlimat · 2025-02-14T02:54:23Z

Potential fix for https://github.com/apache/pulsar/security/code-scanning/48

To fix the problem, we need to enhance the validation of the user-provided path to ensure it does not contain any path traversal sequences or absolute paths. We can achieve this by normalizing the path and ensuring it remains within a predefined base directory.

Normalize the path to remove any redundant path elements.
Ensure the normalized path is still within the intended base directory.
Reject any paths that do not meet these criteria.

doc
doc-required
doc-not-needed
doc-complete

…ath expression Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

github-actions · 2025-02-14T02:54:53Z

@merlimat Please add the following content to your PR description and select a checkbox:

- [ ] `doc` <!-- Your PR contains doc changes -->
- [ ] `doc-required` <!-- Your PR changes impact docs and you will update later -->
- [ ] `doc-not-needed` <!-- Your PR changes do not impact docs -->
- [ ] `doc-complete` <!-- Docs have been already added -->

lhotari

LGTM

…ath expression (#23985) Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> (cherry picked from commit 5812084)

…ath expression (apache#23985) Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> (cherry picked from commit 5812084) (cherry picked from commit 8ee80ff)

…ath expression (apache#23985) Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> (cherry picked from commit 5812084) (cherry picked from commit 8e0db38)

[fix] Fix for code scanning alert no. 48: Uncontrolled data used in p…

d97f1b4

…ath expression Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

github-actions bot added the doc-label-missing label Feb 14, 2025

merlimat marked this pull request as ready for review February 14, 2025 02:54

merlimat added the ready-to-test label Feb 14, 2025

github-actions bot added doc-not-needed Your PR changes do not impact docs and removed doc-label-missing labels Feb 14, 2025

merlimat changed the title ~~Potential fix for code scanning alert no. 48: Uncontrolled data used in path expression~~ [fix] fix for code scanning alert no. 48: Uncontrolled data used in path expression Feb 14, 2025

lhotari approved these changes Feb 14, 2025

View reviewed changes

lhotari added this to the 4.1.0 milestone Feb 14, 2025

lhotari added release/3.0.10 release/3.3.5 release/4.0.3 labels Feb 14, 2025

merlimat merged commit 5812084 into master Feb 14, 2025
57 of 65 checks passed

lhotari mentioned this pull request Feb 17, 2025

[improve] Validate user paths in Functions utils #22833

Merged

4 tasks

lhotari added the cherry-picked/branch-3.3 label Feb 17, 2025

lhotari added the cherry-picked/branch-4.0 label Feb 17, 2025

lhotari added the cherry-picked/branch-3.0 label Feb 17, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[fix] fix for code scanning alert no. 48: Uncontrolled data used in path expression #23985

[fix] fix for code scanning alert no. 48: Uncontrolled data used in path expression #23985

merlimat commented Feb 14, 2025 •

edited

Loading

github-actions bot commented Feb 14, 2025

lhotari left a comment

[fix] fix for code scanning alert no. 48: Uncontrolled data used in path expression #23985

[fix] fix for code scanning alert no. 48: Uncontrolled data used in path expression #23985

Conversation

merlimat commented Feb 14, 2025 • edited Loading

github-actions bot commented Feb 14, 2025

lhotari left a comment

Choose a reason for hiding this comment

merlimat commented Feb 14, 2025 •

edited

Loading