davidzollo opened a new pull request, #10628: URL: https://github.com/apache/seatunnel/pull/10628
## Purpose

Fix a path traversal vulnerability (CWE-22) in the log file REST API endpoints that allows arbitrary file read outside the configured log directory.

## Affected Endpoints

- `/hazelcast/rest/maps/log/<path>` (current node log)
- `/hazelcast/rest/maps/logs/<path>` (all node log)

Both the legacy Hazelcast REST handler and the Jetty servlet code paths are affected.

## Root Cause

The `logName` parameter extracted from the request URI is concatenated directly into a file path without any sanitization. An attacker can use path traversal sequences (e.g., `../../etc/passwd`) to read arbitrary files on the server.

## Fix

Add canonical path validation in `prepareLogResponse()` for both code paths:

1. `RestHttpGetCommandProcessor` (legacy Hazelcast handler)
2. `LogBaseServlet` (Jetty servlet base class)

The fix resolves the constructed file path to its canonical form via `File.getCanonicalPath()` and verifies it remains within the configured log directory boundary. Requests attempting to escape the log directory are rejected with HTTP 400.

## Changed Files

- `seatunnel-engine/seatunnel-engine-server/.../rest/RestHttpGetCommandProcessor.java`
- `seatunnel-engine/seatunnel-engine-server/.../rest/servlet/LogBaseServlet.java`

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
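The check the PR describes, canonicalising the constructed path with `File.getCanonicalPath()` and confirming it stays under the configured log directory, as an added stand-alone example. This is not the PR's own code: the class name `LogPathGuard`, the method `resolveLogFile`, the exception type and the probe names are assumptions for illustration. It goes slightly beyond the description in one respect: the containment test compares against the base directory plus a trailing separator, so that a sibling directory whose name merely starts with the log directory's name is not accepted.

```java
import java.io.File;
import java.io.IOException;

public final class LogPathGuard {

    /** Raised when the requested name resolves outside the log directory; a handler maps it to HTTP 400. */
    public static final class PathTraversalException extends IOException {
        PathTraversalException(String msg) { super(msg); }
    }

    /**
     * Resolve logName against logDir the same way the unsanitised code did (plain
     * concatenation), then canonicalise both sides and require the candidate to
     * sit strictly inside the canonical log directory.
     */
    public static File resolveLogFile(File logDir, String logName) throws IOException {
        if (logName == null || logName.isEmpty()) {
            throw new PathTraversalException("empty log name");
        }
        // Canonicalise the base first so symlinks and ".." in the configured
        // directory are resolved exactly as they will be in the candidate.
        String base = logDir.getCanonicalPath();
        File candidate = new File(logDir, logName);
        String canonical = candidate.getCanonicalPath(); // works for non-existent files too
        // Include the separator: without it "/var/log/seatunnel-other/x.log"
        // would pass for a base of "/var/log/seatunnel".
        String baseWithSep = base.endsWith(File.separator) ? base : base + File.separator;
        if (!canonical.startsWith(baseWithSep)) {
            throw new PathTraversalException("log name escapes log directory: " + logName);
        }
        return candidate;
    }

    // Constructed probes; the first rejected one is the sequence from the PR description.
    public static void main(String[] args) throws IOException {
        File logDir = new File(System.getProperty("java.io.tmpdir"), "seatunnel-logs-demo");
        String[] probes = {
            "job-123.log",                        // accepted
            "../../etc/passwd",                   // rejected: escapes the directory
            "sub/../job-123.log",                 // accepted: normalises to logDir/job-123.log
            "../seatunnel-logs-demo-other/x.log"  // rejected: sibling directory with a shared prefix
        };
        for (String p : probes) {
            try {
                System.out.println("ACCEPT " + p + " -> " + resolveLogFile(logDir, p));
            } catch (PathTraversalException e) {
                System.out.println("REJECT " + p + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

In a servlet or REST handler the `PathTraversalException` branch is where the 400 response belongs; the accepted `File` is what gets opened, never the raw `logName`. Because `getCanonicalPath()` follows symbolic links, a link inside the log directory that points elsewhere is also rejected, which is the behaviour a defender wants from this check.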
