Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[fix] fix for code scanning alert no. 48: Uncontrolled data used in path expression #23985

Merged
merged 1 commit into from
Feb 14, 2025
Merged

[fix] fix for code scanning alert no. 48: Uncontrolled data used in path expression #23985

merged 1 commit into from
Feb 14, 2025
+5 −2

Conversation

merlimat
Copy link
Contributor

@merlimat merlimat commented Feb 14, 2025
edited
Loading

Potential fix for https://github.com/apache/pulsar/security/code-scanning/48

To fix the problem, we need to enhance the validation of the user-provided path to ensure it does not contain any path traversal sequences or absolute paths. We can achieve this by normalizing the path and ensuring it remains within a predefined base directory.

  1. Normalize the path to remove any redundant path elements.
  2. Ensure the normalized path is still within the intended base directory.
  3. Reject any paths that do not meet these criteria.
  • doc
  • doc-required
  • doc-not-needed
  • doc-complete

@merlimat @github-advanced-security
[fix] Fix for code scanning alert no. 48: Uncontrolled data used in p…
d97f1b4 
…ath expression

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@github-actions GitHub Actions
Copy link

@merlimat Please add the following content to your PR description and select a checkbox:

- [ ] `doc` <!-- Your PR contains doc changes -->
- [ ] `doc-required` <!-- Your PR changes impact docs and you will update later -->
- [ ] `doc-not-needed` <!-- Your PR changes do not impact docs -->
- [ ] `doc-complete` <!-- Docs have been already added -->

@merlimat merlimat marked this pull request as ready for review February 14, 2025 02:54
@github-actions github-actions bot added doc-not-needed Your PR changes do not impact docs and removed doc-label-missing labels Feb 14, 2025
@merlimat merlimat changed the title Potential fix for code scanning alert no. 48: Uncontrolled data used in path expression [fix] fix for code scanning alert no. 48: Uncontrolled data used in path expression Feb 14, 2025
lhotari
lhotari approved these changes Feb 14, 2025
View reviewed changes
Copy link
Member

@lhotari lhotari left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@lhotari lhotari added this to the 4.1.0 milestone Feb 14, 2025
@merlimat merlimat merged commit 5812084 into master Feb 14, 2025
57 of 65 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lhotari lhotari lhotari approved these changes

Assignees
No one assigned
Labels
doc-not-needed Your PR changes do not impact docs ready-to-test release/3.0.10 release/3.3.5 release/4.0.3
Projects
None yet
Milestone
4.1.0
Development

Successfully merging this pull request may close these issues.
2 participants
@merlimat @lhotari