(iotdb) branch dev/1.3 updated: Fix path attack when loading snapshot of IoTConsensus (#16098)

[jiangtian]

This is an automated email from the ASF dual-hosted git repository.

jiangtian pushed a commit to branch dev/1.3
in repository https://gitbox.apache.org/repos/asf/iotdb.git


The following commit(s) were added to refs/heads/dev/1.3 by this push:
     new 6c275186107 Fix path attack when loading snapshot of IoTConsensus 
(#16098)
6c275186107 is described below

commit 6c27518610776be16dc998403918e978968a7325
Author: Jiang Tian <jt2594...@163.com>
AuthorDate: Tue Aug 5 14:20:20 2025 +0800

    Fix path attack when loading snapshot of IoTConsensus (#16098)
    
    (cherry picked from commit f907bd3eb07523ec40eb0079c8601d961b07b184)
---
 .../consensus/iot/IoTConsensusServerImpl.java      | 22 +++++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)

diff --git 
a/iotdb-core/consensus/src/main/java/org/apache/iotdb/consensus/iot/IoTConsensusServerImpl.java
 
b/iotdb-core/consensus/src/main/java/org/apache/iotdb/consensus/iot/IoTConsensusServerImpl.java
index dab767bc9da..3002b018e3e 100644
--- 
a/iotdb-core/consensus/src/main/java/org/apache/iotdb/consensus/iot/IoTConsensusServerImpl.java
+++ 
b/iotdb-core/consensus/src/main/java/org/apache/iotdb/consensus/iot/IoTConsensusServerImpl.java
@@ -358,7 +358,7 @@ public class IoTConsensusServerImpl {
       throws ConsensusGroupModifyPeerException {
     try {
       String targetFilePath = calculateSnapshotPath(snapshotId, 
originalFilePath);
-      File targetFile = new File(storageDir, targetFilePath);
+      File targetFile = getSnapshotPath(targetFilePath);
       Path parentDir = Paths.get(targetFile.getParent());
       if (!Files.exists(parentDir)) {
         Files.createDirectories(parentDir);
@@ -405,7 +405,23 @@ public class IoTConsensusServerImpl {
 
   public void loadSnapshot(String snapshotId) {
     // TODO: (xingtanzjr) throw exception if the snapshot load failed
-    stateMachine.loadSnapshot(new File(storageDir, snapshotId));
+    stateMachine.loadSnapshot(getSnapshotPath(snapshotId));
+  }
+
+  private File getSnapshotPath(String snapshotRelativePath) {
+    File storageDirFile = new File(storageDir);
+    File snapshotDir = new File(storageDir, snapshotRelativePath);
+    try {
+      if (!snapshotDir
+          .getCanonicalFile()
+          .toPath()
+          .startsWith(storageDirFile.getCanonicalFile().toPath())) {
+        throw new IllegalArgumentException("Invalid snapshotRelativePath: " + 
snapshotRelativePath);
+      }
+    } catch (IOException e) {
+      throw new IllegalArgumentException(e);
+    }
+    return snapshotDir;
   }
 
   @FunctionalInterface
@@ -816,7 +832,7 @@ public class IoTConsensusServerImpl {
   }
 
   public void cleanupSnapshot(String snapshotId) throws 
ConsensusGroupModifyPeerException {
-    File snapshotDir = new File(storageDir, snapshotId);
+    File snapshotDir = getSnapshotPath(snapshotId);
     if (snapshotDir.exists()) {
       try {
         FileUtils.deleteDirectory(snapshotDir);