HyukjinKwon commented on code in PR #44109:
URL: https://github.com/apache/spark/pull/44109#discussion_r1413236630
##########
connector/connect/common/src/main/scala/org/apache/spark/sql/connect/client/ArtifactManager.scala:
##########
@@ -408,14 +432,28 @@ object Artifact {
jars.map(p => Paths.get(p)).map(path => newJarArtifact(path.getFileName,
new LocalFile(path)))
}
+ private def concatenatePaths(basePath: Path, otherPath: Path): Path = {
+ // We avoid using the `.resolve()` method here to ensure that we're
concatenating the two
+ // paths even if `otherPath` is absolute.
+ val concatenatedPath = Paths.get(basePath.toString + "/" +
otherPath.toString)
+ // Note: The normalized resulting path may still reference parent
directories if the
+ // `otherPath` contains sufficient number of parent operators (i.e "..").
+ // Example: `basePath` = "/base", `otherPath` = "subdir/../../file.txt"
+ // Then, `concatenatedPath` = "/base/subdir/../../file.txt"
+ // and `normalizedPath` = "/base/file.txt".
+ val normalizedPath = concatenatedPath.normalize()
+ // Verify that the prefix of the `normalizedPath` starts with `basePath/`.
+ require(normalizedPath != basePath &&
normalizedPath.startsWith(s"$basePath/"))
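Review bot: The worked example in the comment above `normalize()` gives the wrong result: `/base/subdir/../../file.txt` normalizes to `/file.txt`, not `/base/file.txt`. That is exactly the escape the `require` is meant to reject, so the comment should show it. In the `require` itself, `Path.startsWith(String)` converts its argument to a `Path` and compares name elements, so the trailing `/` has no effect on the result. Passing the path directly, as `normalizedPath.startsWith(basePath)`, is equivalent and avoids the separator question, provided `basePath` is normalized before the comparison. A message argument on `require` would also make a rejected artifact path easier to diagnose.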
Review Comment:
```suggestion
require(normalizedPath != basePath &&
normalizedPath.startsWith(s"$basePath${File.separator}"))
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]