This is an automated email from the ASF dual-hosted git repository.
mmerli pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/bookkeeper.git
The following commit(s) were added to refs/heads/master by this push:
new 34d85153f7 Fix uncontrolled data used in path expression (#4221)
34d85153f7 is described below
commit 34d85153f7387a5e1012f31d694ce8956eeed275
Author: Hang Chen <[email protected]>
AuthorDate: Mon Mar 4 12:08:41 2024 +0800
Fix uncontrolled data used in path expression (#4221)
* Fix uncontrolled data used in path expression
* update code
* update code
---
.../src/main/java/org/apache/bookkeeper/util/LocalBookKeeper.java | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git
a/bookkeeper-server/src/main/java/org/apache/bookkeeper/util/LocalBookKeeper.java
b/bookkeeper-server/src/main/java/org/apache/bookkeeper/util/LocalBookKeeper.java
index dff6d1b8ba..ca467ab297 100644
---
a/bookkeeper-server/src/main/java/org/apache/bookkeeper/util/LocalBookKeeper.java
+++
b/bookkeeper-server/src/main/java/org/apache/bookkeeper/util/LocalBookKeeper.java
@@ -58,6 +58,7 @@ import
org.apache.bookkeeper.shims.zk.ZooKeeperServerShimFactory;
import org.apache.bookkeeper.stats.NullStatsLogger;
import org.apache.bookkeeper.zookeeper.ZooKeeperClient;
import org.apache.commons.io.FileUtils;
+import org.apache.commons.lang3.StringUtils;
import org.apache.zookeeper.CreateMode;
import org.apache.zookeeper.KeeperException;
import org.apache.zookeeper.Op;
@@ -333,6 +334,13 @@ public class LocalBookKeeper implements AutoCloseable {
* @throws IOException
*/
private void serializeLocalBookieConfig(ServerConfiguration
localBookieConfig, String fileName) throws IOException {
+ if (StringUtils.isBlank(fileName)
+ || fileName.contains("..")
+ || fileName.contains("/")
+ || fileName.contains("\\")) {
+ throw new IllegalArgumentException("Invalid filename: " +
fileName);
+ }
+
File localBookieConfFile = new File(localBookiesConfigDir, fileName);
if (localBookieConfFile.exists() && !localBookieConfFile.delete()) {
throw new IOException(
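Review bot: The guard added at the top of `serializeLocalBookieConfig` is a substring denylist (`..`, `/`, `\\`), so it rejects harmless names such as `a..b` and relies on having listed every separator form the platform accepts; verifying the resolved location is sturdier. Once `localBookieConfFile` is built, compare its canonical parent with the canonical config directory, e.g. `if (!canonicalDir.equals(localBookieConfFile.getCanonicalFile().getParentFile())) { throw new IllegalArgumentException("Invalid filename"); }`, where `canonicalDir` is the canonical form of `localBookiesConfigDir` (its declared type is not visible in this hunk). The exception message concatenates the rejected `fileName` verbatim, so if that text can reach logs it should be escaped or length-limited, and the Javadoc above still lists only `@throws IOException`; add `@throws IllegalArgumentException if fileName is blank or is not a plain file name`. The method body continues past the end of the hunk, so how the file is written afterwards is not reviewed here.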