adnanhemani commented on PR #1604:
URL: https://github.com/apache/polaris/pull/1604#issuecomment-2892234327
> Can you elaborate on when .. would be valid in a path? For me, .. is a
> path-traversal and the presence of it raises the question "why is this not the
> source of a path-traversal-attack".

Blob Storage providers like S3 and GCS do not recognize ".." as a path
traversal. If you store an object in S3 with the path "s3://abcd/a/b/../c", S3
stores the object exactly as such - it will not normalize the path into
"s3://abcd/a/c". While it may be an anti-pattern to make such a location, we
should not deviate from what the blob storage provider allows/does. The same
can be said about multiple forward slashes together ("s3://abcd/a/b//c" is not
the same as "s3://abcd/a/b/c").
As a result, we should only allow ".." and "." normalization in local
filesystem calls where these can be resolved - and those are the code paths
where Java URI is being used in this PR. WDYT?
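
The distinction drawn in the comment above, as an added example (not code from the PR or from Apache Polaris): a containment check that compares object-store locations exactly as written and resolves "." and ".." only for local file paths. The class name, method names and scheme list are assumptions made for illustration, and the sample locations are constructed.

```java
import java.net.URI;
import java.util.Set;

public class LocationCheckExample {
    // Assumption: schemes whose paths are opaque object keys and are never normalized.
    private static final Set<String> OBJECT_STORE_SCHEMES = Set.of("s3", "gs");

    /** Returns the form of a location that is safe to compare against an allowed base. */
    static String comparable(String location) {
        URI uri = URI.create(location);
        String scheme = uri.getScheme() == null ? "file" : uri.getScheme().toLowerCase();
        if (OBJECT_STORE_SCHEMES.contains(scheme)) {
            // The provider stores the key exactly as written, so authorize on that exact string.
            return location;
        }
        // Local filesystem: the OS resolves "." and "..", so resolve them before comparing.
        return uri.normalize().getPath();
    }

    /** True when candidate lies under base, judged on the comparable form of both. */
    static boolean isUnder(String base, String candidate) {
        String b = comparable(base);
        if (!b.endsWith("/")) {
            b += "/";
        }
        return comparable(candidate).startsWith(b);
    }

    public static void main(String[] args) {
        // Constructed sample locations: {allowed base, requested location}.
        String[][] cases = {
            {"s3://abcd/a/b", "s3://abcd/a/b/../c"},       // object key literally begins with a/b/
            {"s3://abcd/a/c", "s3://abcd/a/b/../c"},       // a different key, despite the ".."
            {"file:///data/a/b", "file:///data/a/b/../c"}, // ".." leaves the base directory
            {"file:///data/a", "file:///data/a/b/../c"},   // resolved path stays under the base
        };
        for (String[] c : cases) {
            System.out.printf("%-18s %-24s under=%b%n", c[0], c[1], isUnder(c[0], c[1]));
        }
        // What normalizing would do to the S3 location from the comment: the result
        // names a different object than the one the provider would actually read or write.
        System.out.println(URI.create("s3://abcd/a/b/../c").normalize());
    }
}
```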