mayankshriv opened a new pull request #7985:
URL: https://github.com/apache/pinot/pull/7985
The `File.getCanonicalPath` method transforms the path into a canonical form, preventing such attack types as `..` in path segments. If the result of `outputDir.getCanonicalPath()` is not slash terminated, it allows for partial path traversal.

Consider `"/usr/outnot".startsWith("/usr/out")`. The check is bypassed although it is not the out directory. The terminating slash may be removed in various places. On Linux `println(new File("/var/"))` returns `/var`, but `println(new File("/var", "/"))` returns `/var/`; however `println(new File("/var", "/").getCanonicalPath())` returns `/var`.
## Description
## Upgrade Notes
Does this PR prevent a zero down-time upgrade? (Assume upgrade order: Controller, Broker, Server, Minion)
* [ ] Yes (Please label as **<code>backward-incompat</code>**, and complete the section below on Release Notes)
Does this PR fix a zero-downtime upgrade introduced earlier?
* [ ] Yes (Please label this as **<code>backward-incompat</code>**, and complete the section below on Release Notes)
Does this PR otherwise need attention when creating release notes? Things to consider:
- New configuration options
- Deprecation of configurations
- Signature changes to public methods/interfaces
- New plugins added or old plugins removed
* [ ] Yes (Please label this PR as **<code>release-notes</code>** and complete the section on Release Notes)
## Release Notes
## Documentation
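The partial-traversal bypass described in the pull request body, shown as an added Java illustration that is not part of the PR's diff or of Pinot's code: a naive `startsWith` on the canonical path beside a check that appends the separator. The class and method names and the `/tmp/out` sample paths are assumptions made for this example.

```java
import java.io.File;
import java.io.IOException;

public class OutputDirCheck {

    // Vulnerable form: a prefix check on the canonical directory path with no
    // trailing separator. Because "/tmp/out" is a string prefix of
    // "/tmp/outnot", a path in a sibling directory passes this check.
    static boolean isInsideNaive(File outputDir, File candidate) throws IOException {
        return candidate.getCanonicalPath().startsWith(outputDir.getCanonicalPath());
    }

    // Fixed form: getCanonicalPath() strips any trailing separator, so append
    // File.separator before the prefix test. The directory itself is accepted
    // explicitly, since "/tmp/out" does not start with "/tmp/out/".
    static boolean isInsideStrict(File outputDir, File candidate) throws IOException {
        String dir = outputDir.getCanonicalPath();
        String path = candidate.getCanonicalPath();
        if (path.equals(dir)) {
            return true;
        }
        return path.startsWith(dir + File.separator);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample paths. On Linux getCanonicalPath() collapses "."
        // and ".." components even when the files do not exist.
        File outputDir = new File("/tmp/out");
        File insideFile = new File("/tmp/out/segment.tar.gz");       // legitimate
        File siblingDir = new File("/tmp/outnot/segment.tar.gz");    // sibling with shared prefix
        File traversal = new File("/tmp/out/../outnot/segment.tar.gz"); // ".." resolves to the sibling

        System.out.println("naive,  inside:    " + isInsideNaive(outputDir, insideFile));
        System.out.println("naive,  sibling:   " + isInsideNaive(outputDir, siblingDir));
        System.out.println("naive,  traversal: " + isInsideNaive(outputDir, traversal));
        System.out.println("strict, inside:    " + isInsideStrict(outputDir, insideFile));
        System.out.println("strict, sibling:   " + isInsideStrict(outputDir, siblingDir));
        System.out.println("strict, traversal: " + isInsideStrict(outputDir, traversal));
    }
}
```

The naive check admits both the sibling and the `..` path because canonicalization rewrites the latter into the former; only the separator-terminated comparison rejects them.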