Praveenkumar76 commented on code in PR #25628:
URL: https://github.com/apache/pulsar/pull/25628#discussion_r3172283893
##########
pulsar-package-management/core/src/main/java/org/apache/pulsar/packages/management/core/common/PackageName.java:
##########
@@ -136,7 +137,13 @@ public String toString() {
}
public String toRestPath() {
- return String.format("%s/%s/%s/%s/%s", type, tenant, namespace, name,
version);
+ // Use Guava's urlPathSegmentEscaper to safely encode each segment and
prevents Path Traversal (CWE-22)
+ return String.format("%s/%s/%s/%s/%s",
+ type.toString(),
+ UrlEscapers.urlPathSegmentEscaper().escape(tenant),
+ UrlEscapers.urlPathSegmentEscaper().escape(namespace),
+ UrlEscapers.urlPathSegmentEscaper().escape(name),
+ UrlEscapers.urlPathSegmentEscaper().escape(version));
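Review bot: the new comment on the `+` lines overstates what `UrlEscapers.urlPathSegmentEscaper()` buys you for CWE-22. The path-segment escaper percent-encodes `/` (and other reserved or non-ASCII bytes) inside a value, which does stop a segment from injecting extra path levels, but `.` is an unreserved character it leaves untouched, so a tenant, namespace, name or version that is exactly `..` is emitted into the REST path verbatim. If traversal prevention is the goal, pair the escaping with an explicit rejection of `.`, `..` and empty segments (the constructor is the natural place) and soften the comment to say the escaper prevents segment injection. Two smaller points on the same lines: `type.toString()` is redundant under `%s`, which already calls `toString()`, and the four identical `UrlEscapers.urlPathSegmentEscaper()` calls are better hoisted into one local `Escaper`; the comment text also needs "prevent" rather than "prevents".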
Review Comment:
Yes, it violates the DRY principle. I've updated the code to extract
`UrlEscapers.urlPathSegmentEscaper()` into a local variable and reused it for
the escape calls to avoid redundant invocations.
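To make the refactor concrete, here is an added example (not code from the Pulsar PR or the project) showing the single-`Escaper` form of `toRestPath()` together with a hypothetical `toCheckedRestPath()` guard. The `PackageType` enum, the `PackageName` constructor and the method name `toCheckedRestPath` are stand-ins assumed for illustration; the sample inputs in `main` are constructed. It goes slightly beyond the diff by showing why escaping alone is not a complete traversal defence: the path-segment escaper leaves `.` unescaped, so a bare `..` segment passes through unchanged unless it is rejected separately.

```java
import com.google.common.escape.Escaper;
import com.google.common.net.UrlEscapers;

public class RestPathExample {

    // Stand-in for the project's package type enum (assumption, not the real definition).
    enum PackageType {
        FUNCTION, SINK, SOURCE;

        @Override
        public String toString() {
            return name().toLowerCase();
        }
    }

    static final class PackageName {
        private final PackageType type;
        private final String tenant;
        private final String namespace;
        private final String name;
        private final String version;

        PackageName(PackageType type, String tenant, String namespace, String name, String version) {
            this.type = type;
            this.tenant = tenant;
            this.namespace = namespace;
            this.name = name;
            this.version = version;
        }

        // Same behaviour as the hunk, with the escaper obtained once and reused for every segment.
        // '%s' already invokes toString() on the enum, so no explicit type.toString() is needed.
        public String toRestPath() {
            Escaper seg = UrlEscapers.urlPathSegmentEscaper();
            return String.format("%s/%s/%s/%s/%s",
                    type,
                    seg.escape(tenant),
                    seg.escape(namespace),
                    seg.escape(name),
                    seg.escape(version));
        }

        // Hypothetical extra guard (not in the PR): the path-segment escaper percent-encodes '/'
        // but leaves '.' alone, so a segment that is exactly "." or ".." would survive escaping.
        // Reject those and empty segments before building the path.
        public String toCheckedRestPath() {
            for (String s : new String[] {tenant, namespace, name, version}) {
                if (s == null || s.isEmpty() || s.equals(".") || s.equals("..")) {
                    throw new IllegalArgumentException("invalid path segment: " + s);
                }
            }
            return toRestPath();
        }
    }

    public static void main(String[] args) {
        // Constructed input: ordinary segments pass through unchanged.
        System.out.println(new PackageName(PackageType.FUNCTION, "public", "default", "my-fn", "v1")
                .toRestPath());

        // Constructed input: a '/' inside the name is percent-encoded, so it cannot add a path level.
        System.out.println(new PackageName(PackageType.FUNCTION, "public", "default", "../etc/passwd", "v1")
                .toRestPath());

        // Constructed input: a bare ".." namespace is emitted verbatim by the escaper alone...
        PackageName dotDot = new PackageName(PackageType.FUNCTION, "public", "..", "my-fn", "v1");
        System.out.println(dotDot.toRestPath());

        // ...and is rejected by the checked variant.
        try {
            dotDot.toCheckedRestPath();
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile against Guava (the `com.google.common.escape` and `com.google.common.net` packages) and run `RestPathExample`; the second and third outputs show the difference between a `/` embedded in a segment and a whole segment equal to `..`.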
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.