Crispy-fried-chicken opened a new issue, #25323: URL: https://github.com/apache/pulsar/issues/25323
### Search before reporting

- [x] I searched in the [issues](https://github.com/apache/pulsar/issues) and found nothing similar.

### Read release policy

- [x] I understand that [unsupported versions](https://pulsar.apache.org/contribute/release-policy/#supported-versions) don't get bug fixes. I will attempt to reproduce the issue on a supported version of Pulsar client and Pulsar broker.

### User environment

The Pulsar version is the newest version in the master branch.

### Issue Description

### 1. Description

A security vulnerability has been identified in the `PackageName.toRestPath()` method. The current implementation uses `String.format` to build a path string without sanitizing the individual fields.

### 2. Vulnerable Code Snippet

In `PackageName.java`, the code is implemented as follows:

```java
public String toRestPath() {
    // The fields (tenant, namespace, etc.) are concatenated without escaping
    return String.format("%s/%s/%s/%s/%s", type, tenant, namespace, name, version);
}
```

### 3. Attack Scenario (PoC)

An attacker can provide a malicious `packageName` to trigger path traversal. For example:

- **Input:** `public/tenant-a/../../system-tenant/ns/pkg@v1`
- **Generated Path:** `public/tenant-a/../../system-tenant/ns/pkg/v1`
- **Resolved Path:** `public/system-tenant/ns/pkg/v1` (accessing unintended tenant data)

### 4. Suggested Fix

To remediate this, use `URLEncoder` to escape each component before formatting the string. This ensures that characters like `/` or `..` are treated as literal data rather than path instructions.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

public String toRestPath() {
    return String.format("%s/%s/%s/%s/%s",
            type,
            URLEncoder.encode(tenant, StandardCharsets.UTF_8),
            URLEncoder.encode(namespace, StandardCharsets.UTF_8),
            URLEncoder.encode(name, StandardCharsets.UTF_8),
            URLEncoder.encode(version, StandardCharsets.UTF_8));
}
```

### 5. Impact

- **CWE-74**: Improper Neutralization of Special Elements in Output.
- **CWE-22**: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').
- **Severity**: High (potential unauthorized access/deletion of package data).

### Error messages

```text
```

### Reproducing the issue

See Attack Scenario (PoC) in Issue Description.

### Additional information

See Attack Scenario (PoC) in Issue Description.

### Are you willing to submit a PR?

- [x] I'm willing to submit a PR!

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
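As an added illustration (not code from the issue or from Pulsar), the hypothetical stand-in class below puts the issue's raw `String.format` path beside the `URLEncoder` version it proposes, and adds a per-component allowlist check as defence in depth. The class name, the `SEGMENT` pattern and the constructed tenant value are assumptions; `URLEncoder.encode(String, Charset)` needs Java 10 or later.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;
// Hypothetical stand-in for Pulsar's PackageName; field names follow the issue.
public final class PackageNamePathDemo {
    // Assumed allowlist for one REST path segment: letters, digits, '.', '_', '-'.
    private static final Pattern SEGMENT = Pattern.compile("[A-Za-z0-9._-]+");
    private final String type, tenant, namespace, name, version;
    PackageNamePathDemo(String type, String tenant, String namespace, String name, String version) {
        this.type = type; this.tenant = tenant; this.namespace = namespace;
        this.name = name; this.version = version;
    }
    // Vulnerable form from the issue: raw fields are concatenated, so '/' and ".." survive.
    String toRestPathUnsafe() {
        return String.format("%s/%s/%s/%s/%s", type, tenant, namespace, name, version);
    }
    // Suggested fix from the issue: every field is percent-encoded, so '/' becomes %2F
    // and an attacker-controlled value stays inside a single path segment.
    String toRestPathEncoded() {
        return String.format("%s/%s/%s/%s/%s", type, enc(tenant), enc(namespace), enc(name), enc(version));
    }
    // Defence in depth (added here, not part of the proposed patch): reject a component
    // that is not a plain segment, or is "." / "..", before it is encoded or routed at all.
    static String requireSegment(String field, String value) {
        if (value == null || !SEGMENT.matcher(value).matches()
                || value.equals(".") || value.equals("..")) {
            throw new IllegalArgumentException("invalid " + field + " component: " + value);
        }
        return value;
    }
    private static String enc(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8);
    }
    public static void main(String[] args) {
        // Constructed input modelled on the issue's PoC: the tenant field carries a traversal.
        PackageNamePathDemo p = new PackageNamePathDemo("public", "tenant-a/../../system-tenant", "ns", "pkg", "v1");
        System.out.println("unsafe : " + p.toRestPathUnsafe());
        System.out.println("encoded: " + p.toRestPathEncoded());
        try {
            requireSegment("tenant", p.tenant);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The encoded form keeps the traversal characters inside one segment only as long as the server does not decode `%2F` before routing, which is why the allowlist check is applied to the raw value first.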
