This is an automated email from the ASF dual-hosted git repository.

jongyoul pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/zeppelin.git


The following commit(s) were added to refs/heads/master by this push:
     new f025a697c1 [HOTFIX] Validate note name (#4632)
f025a697c1 is described below

commit f025a697c1d1d0264064d5adf6cb0b20d85041b6
Author: Jongyoul Lee <jongy...@gmail.com>
AuthorDate: Tue Jul 18 15:13:08 2023 +0900

    [HOTFIX] Validate note name (#4632)
    
    * [HOTFIX] Validate note name
    
    * [HOTFIX] Validate note name
    
    * [HOTFIX] Validate note name
    
    * Update 
zeppelin-server/src/test/java/org/apache/zeppelin/service/NotebookServiceTest.java
    
    Co-authored-by: Philipp Dallig <philipp.dal...@gmail.com>
    
    * Update 
zeppelin-server/src/main/java/org/apache/zeppelin/service/NotebookService.java
    
    Co-authored-by: Philipp Dallig <philipp.dal...@gmail.com>
    
    * [HOTFIX] Fix commented
    
    ---------
    
    Co-authored-by: Philipp Dallig <philipp.dal...@gmail.com>
---
 .../java/org/apache/zeppelin/service/NotebookService.java    |  8 ++++++++
 .../org/apache/zeppelin/service/NotebookServiceTest.java     | 12 ++++++++++++
 2 files changed, 20 insertions(+)

diff --git 
a/zeppelin-server/src/main/java/org/apache/zeppelin/service/NotebookService.java
 
b/zeppelin-server/src/main/java/org/apache/zeppelin/service/NotebookService.java
index 2e98031830..d148150e5f 100644
--- 
a/zeppelin-server/src/main/java/org/apache/zeppelin/service/NotebookService.java
+++ 
b/zeppelin-server/src/main/java/org/apache/zeppelin/service/NotebookService.java
@@ -24,6 +24,8 @@ import static 
org.apache.zeppelin.interpreter.InterpreterResult.Code.ERROR;
 import static org.apache.zeppelin.scheduler.Job.Status.ABORT;
 
 import java.io.IOException;
+import java.net.URLDecoder;
+import java.nio.charset.StandardCharsets;
 import java.text.ParseException;
 import java.text.SimpleDateFormat;
 import java.time.Instant;
@@ -236,6 +238,12 @@ public class NotebookService {
     }
 
     notePath = notePath.replace("\r", " ").replace("\n", " ");
+
+    notePath = URLDecoder.decode(notePath, StandardCharsets.UTF_8.toString());
+    if (notePath.endsWith("/")) {
+      throw new IOException("Note name shouldn't end with '/'");
+    }
+
     int pos = notePath.lastIndexOf("/");
     if ((notePath.length() - pos) > 255) {
       throw new IOException("Note name must be less than 255");
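Review bot: The CR/LF replacement on the line just above the added code runs before `URLDecoder.decode`, so a percent-encoded carriage return or line feed becomes a raw control character after that filter has already run; moving `notePath = notePath.replace("\r", " ").replace("\n", " ");` below the decode closes the ordering gap. `URLDecoder.decode` also throws the unchecked `IllegalArgumentException` on a malformed `%` sequence and rewrites `+` to a space, so a name with a literal `%` would escape the method's `IOException` contract and a name with `+` is silently altered; catching the exception and rethrowing it as `IOException` would keep caller handling uniform. The decode is a single pass, so whether a doubly encoded name matters depends on whether a later layer decodes again, which is not visible here. The method begins and ends outside this hunk.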
diff --git 
a/zeppelin-server/src/test/java/org/apache/zeppelin/service/NotebookServiceTest.java
 
b/zeppelin-server/src/test/java/org/apache/zeppelin/service/NotebookServiceTest.java
index d2b7aa78c4..01e81c537c 100644
--- 
a/zeppelin-server/src/test/java/org/apache/zeppelin/service/NotebookServiceTest.java
+++ 
b/zeppelin-server/src/test/java/org/apache/zeppelin/service/NotebookServiceTest.java
@@ -528,5 +528,17 @@ class NotebookServiceTest {
     } catch (IOException e) {
       assertEquals("Note name can not contain '..'", e.getMessage());
     }
+    try {
+      notebookService.normalizeNotePath("%2e%2e/%2e%2e/tmp/test222");
+      fail("Should fail");
+    } catch (IOException e) {
+      assertEquals("Note name can not contain '..'", e.getMessage());
+    }
+    try {
+      notebookService.normalizeNotePath("./");
+      fail("Should fail");
+    } catch (IOException e) {
+      assertEquals("Note name shouldn't end with '/'", e.getMessage());
+    }
   }
 }
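Review bot: The two added cases cover only the encoded `..` and the trailing `/`, so nothing pins the other behaviours the decode introduces: a name with a malformed `%` sequence, a name containing `+`, and a percent-encoded CR or LF. Adding a case for each would record what `normalizeNotePath` is expected to do with them. If the class is on JUnit 5 (the package-private `class NotebookServiceTest` suggests so), `assertThrows(IOException.class, () -> notebookService.normalizeNotePath("./"))` followed by a message check would be shorter than the try/fail/catch pattern. The test method starts outside the hunk.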
