Fix uncontrolled data used in path expression (#4221)

* Fix uncontrolled data used in path expression * update code * update code (cherry picked from commit 34d8515)
apache · Mar 21, 2024 · 9359bc1 · 9359bc1
1 parent aa03dae
commit 9359bc1
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/bookkeeper-server/src/main/java/org/apache/bookkeeper/util/LocalBookKeeper.java b/bookkeeper-server/src/main/java/org/apache/bookkeeper/util/LocalBookKeeper.java
@@ -58,6 +58,7 @@
 import org.apache.bookkeeper.stats.NullStatsLogger;
 import org.apache.bookkeeper.zookeeper.ZooKeeperClient;
 import org.apache.commons.io.FileUtils;
+import org.apache.commons.lang3.StringUtils;
 import org.apache.zookeeper.CreateMode;
 import org.apache.zookeeper.KeeperException;
 import org.apache.zookeeper.Op;
@@ -333,6 +334,13 @@ private static LocalBookKeeper getLocalBookiesInternal(ServerConfiguration conf,
      * @throws IOException
      */
     private void serializeLocalBookieConfig(ServerConfiguration localBookieConfig, String fileName) throws IOException {
+        if (StringUtils.isBlank(fileName)
+                || fileName.contains("..")
+                || fileName.contains("/")
+                || fileName.contains("\\")) {
+            throw new IllegalArgumentException("Invalid filename: " + fileName);
+        }
+
         File localBookieConfFile = new File(localBookiesConfigDir, fileName);
         if (localBookieConfFile.exists() && !localBookieConfFile.delete()) {
             throw new IOException(