Praveenkumar76 opened a new pull request, #25628:
URL: https://github.com/apache/pulsar/pull/25628

   Fixes #25323
   
   ### Motivation
   
   A potential path traversal vulnerability exists in `PackageName.toRestPath()`.
   
   The method builds REST path segments using package fields such as tenant, namespace, name, and version. These values were previously concatenated directly into the generated path without URL encoding.
   
   Although current constructor validation blocks malformed input in normal flows, relying only on upstream validation is insufficient. If object construction is bypassed through reflection, deserialization, future code changes, or alternate call paths, malicious values containing traversal sequences such as `../` could be propagated into generated REST paths.
   
   This change applies defense-in-depth by ensuring `toRestPath()` safely encodes path components before constructing the final path.
   
   
   ### Modifications
   
   - Updated `PackageName.toRestPath()` to URL-encode:
     - `tenant`
     - `namespace`
     - `name`
     - `version`
   
   - Used `URLEncoder.encode(..., StandardCharsets.UTF_8)` when constructing REST path components.
   
   - Added unit test coverage to verify traversal payloads are encoded safely even when constructor validation is bypassed.
   
   - Confirmed existing valid package names continue to generate expected REST paths.
   
   
   ### Verifying this change
   
   This change added tests and can be verified as follows:
   
   - Ran package management module tests successfully.
   - Added a test that injects traversal-like values (for example `../../`) and verifies the output path is safely encoded.
   - Confirmed normal package name inputs continue to behave correctly.
   
   Example verification command:
   
   ```bash
   ./gradlew :pulsar-package-management:pulsar-package-core:test --tests "PackageNameTest"
   ```
   
   *Does this pull request potentially affect one of the following parts:*
   
   - [ ] Dependencies (add or upgrade a dependency)
   - [ ] The public API
   - [ ] The schema
   - [ ] The default values of configurations
   - [ ] The threading model
   - [ ] The binary protocol
   - [ ] The REST endpoints
   - [ ] The admin CLI options
   - [ ] The metrics
   - [ ] Anything that affects deployment
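The before/after behaviour this PR describes, as an added example that is not Pulsar's code: a constructed stand-in for `PackageName` with the raw concatenation beside the `URLEncoder`-based version, plus a segment-count check a unit test can assert on. The five-segment `type/tenant/namespace/name/version` layout and the field names are assumptions, not taken from the project.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

// Constructed stand-in for Pulsar's PackageName. The real class validates its
// fields in the constructor; this one deliberately omits that to model a bypass
// (reflection, deserialization, an alternate call path).
public final class RestPathDemo {
    private final String type, tenant, namespace, name, version;

    RestPathDemo(String type, String tenant, String namespace, String name, String version) {
        this.type = type; this.tenant = tenant; this.namespace = namespace;
        this.name = name; this.version = version;
    }

    // Before: raw concatenation, so a field holding "../" adds path segments.
    String toRestPathUnsafe() {
        return String.format("%s/%s/%s/%s/%s", type, tenant, namespace, name, version);
    }

    // After: each component is percent-encoded, so '/' becomes %2F and the
    // generated path always has exactly five segments regardless of input.
    String toRestPath() {
        return String.format("%s/%s/%s/%s/%s",
                enc(type), enc(tenant), enc(namespace), enc(name), enc(version));
    }

    private static String enc(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8);
    }

    // Assertion helper for a unit test: a safe path has exactly five non-empty
    // segments and none of them is a dot-segment.
    static boolean isSafeRestPath(String path) {
        String[] segs = path.split("/", -1);
        if (segs.length != 5) return false;
        for (String s : segs) {
            if (s.isEmpty() || s.equals(".") || s.equals("..")) return false;
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed inputs: one normal package name, one with a traversal payload in namespace.
        RestPathDemo ok = new RestPathDemo("function", "public", "default", "my-fn", "1.0");
        RestPathDemo bad = new RestPathDemo("function", "public", "../../admin", "my-fn", "1.0");
        System.out.println(ok.toRestPath() + " safe=" + isSafeRestPath(ok.toRestPath()));
        System.out.println(bad.toRestPathUnsafe() + " safe=" + isSafeRestPath(bad.toRestPathUnsafe()));
        System.out.println(bad.toRestPath() + " safe=" + isSafeRestPath(bad.toRestPath()));
    }
}
```

`URLEncoder` produces `application/x-www-form-urlencoded` output (a space becomes `+`, not `%20`), which is sufficient to neutralize `/` and `..` in a segment but is not strict RFC 3986 path encoding; a test should assert on the segment count, as above, rather than on the exact encoded string alone.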


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
