github-actions[bot] opened a new pull request, #67913: URL: https://github.com/apache/airflow/pull/67913
GCS object names are read from the source bucket and may contain ".." segments. GCSToSambaOperator._resolve_destination_path joined the object name onto the configured destination_path without normalisation, so a crafted object name could resolve an SMB write target outside the intended directory. Normalise the resolved path and refuse to write when it falls outside destination_path.

(cherry picked from commit bc1df029af15cb1d35d5ca0d33bf9235500137cc)

Co-authored-by: Jarek Potiuk <[email protected]>
Generated-by: Claude Opus 4.8 (1M context)

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
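
An added example, not code from the Airflow pull request: a sketch of the normalise-then-contain check the description calls for, next to the plain join it replaces. The function names, the /share/exports directory and the sample object names are assumptions constructed for illustration, as is treating a backslash as a path separator for the SMB target.

```python
import posixpath


def resolve_unsafe(destination_path: str, object_name: str) -> str:
    """Pre-fix behaviour as described: plain join, no normalisation."""
    return posixpath.join(destination_path, object_name)


def resolve_checked(destination_path: str, object_name: str) -> str:
    """Normalise the joined path and refuse anything outside destination_path."""
    base = posixpath.normpath(destination_path)
    # Assumption: treat "\" as a separator too, since SMB servers accept it.
    name = object_name.replace("\\", "/")
    candidate = posixpath.normpath(posixpath.join(base, name))
    # Compare against base plus a trailing separator so that a sibling such
    # as /share/exports-old is not accepted as being inside /share/exports.
    prefix = base.rstrip("/") + "/"
    if candidate == base or not candidate.startswith(prefix):
        raise ValueError(f"object {object_name!r} resolves outside {base!r}")
    return candidate


def classify(destination_path: str, object_names: list[str]) -> dict[str, str]:
    """Map each object name to its write target, or to 'REFUSED'."""
    results = {}
    for name in object_names:
        try:
            results[name] = resolve_checked(destination_path, name)
        except ValueError:
            results[name] = "REFUSED"
    return results


# Constructed sample object names, not taken from the pull request.
SAMPLE_OBJECTS = [
    "reports/2024/q1.csv",
    "reports/../summary.csv",      # ".." that stays inside the directory
    "../outside.csv",
    "a/../../exports-old/x.csv",   # sibling sharing the base as a string prefix
    "/absolute.csv",               # join() discards the base for absolute names
    "..\\..\\backslash.csv",
]

if __name__ == "__main__":
    for name, target in classify("/share/exports", SAMPLE_OBJECTS).items():
        unsafe = resolve_unsafe("/share/exports", name)
        print(f"{name!r:32} unsafe={unsafe!r} checked={target}")
```

The check compares normalised strings only; it does not follow symlinks or junctions on the SMB server, so it bounds the path the client sends, not where the server finally stores the file.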
