Praveenkumar76 commented on code in PR #25628:
URL: https://github.com/apache/pulsar/pull/25628#discussion_r3172313416
##########
pulsar-package-management/core/src/test/java/org/apache/pulsar/packages/management/core/common/PackageNameTest.java:
##########
@@ -116,4 +116,22 @@ public void testPackageNameErrors() {
PackageName name = PackageName.get("function://public/default/test");
Assert.assertEquals("function://public/default/test@latest",
name.toString());
}
+
+ @Test
+ public void testPathTraversalBypassConstructor() throws Exception {
+ // Create a normal, valid package to bypass the splitter
+ PackageName packageName =
PackageName.get("function://tenant-a/ns/name@v1");
+
+ java.lang.reflect.Field tenantField =
PackageName.class.getDeclaredField("tenant");
+ tenantField.setAccessible(true);
+ tenantField.set(packageName, "tenant-a/../../system-tenant");
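Review bot: The new test reaches into the private `tenant` field via `getDeclaredField("tenant")` / `setAccessible(true)` to inject `"tenant-a/../../system-tenant"`, which couples the test to a field name and to the JVM's reflective-access rules rather than to a supported construction path; a package-private constructor annotated with `@VisibleForTesting` that accepts the already-split components would let the test build the malformed `PackageName` directly. The visible portion of the hunk shows only the setup, so make sure the part that follows asserts on the `toRestPath()` output for this object (that the `..` segments do not produce a path pointing at another tenant), since that is the defense-in-depth property the change is meant to establish independently of `PackageName.get`'s splitter.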
Review Comment:
Thanks for the reference.
I’ve removed reflection from the tests and added a package-private
constructor annotated with @VisibleForTesting. Regarding exploitability:
agreed that PackageName.get currently blocks this, but this change ensures
defense in depth by making toRestPath() safe regardless of how the object is
created.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]