From e1295cd0e1b098b79911a1f0c46829dbc662acc0 Mon Sep 17 00:00:00 2001
From: chenhang
Date: Mon, 4 Mar 2024 09:14:17 +0800
Subject: [PATCH 1/3] Fix uncontrolled data used in path expression
---
 .../main/java/org/apache/bookkeeper/util/LocalBookKeeper.java | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/bookkeeper-server/src/main/java/org/apache/bookkeeper/util/LocalBookKeeper.java b/bookkeeper-server/src/main/java/org/apache/bookkeeper/util/LocalBookKeeper.java
index dff6d1b8ba4..8cdcd1e59f0 100644
--- a/bookkeeper-server/src/main/java/org/apache/bookkeeper/util/LocalBookKeeper.java
+++ b/bookkeeper-server/src/main/java/org/apache/bookkeeper/util/LocalBookKeeper.java
@@ -333,6 +333,10 @@ private static LocalBookKeeper getLocalBookiesInternal(ServerConfiguration conf,
 * @throws IOException
 */
 private void serializeLocalBookieConfig(ServerConfiguration localBookieConfig, String fileName) throws IOException {
+ if (!fileName.endsWith(".conf")) {
+ throw new IllegalArgumentException("File name should end with .conf");
+ }
+
 File localBookieConfFile = new File(localBookiesConfigDir, fileName);
 if (localBookieConfFile.exists() && !localBookieConfFile.delete()) {
 throw new IOException(
From 81b6ef017894c8ce93b2796cf9230c06b4fbb29b Mon Sep 17 00:00:00 2001
From: chenhang
Date: Mon, 4 Mar 2024 09:16:10 +0800
Subject: [PATCH 2/3] update code
---
 .../main/java/org/apache/bookkeeper/util/LocalBookKeeper.java | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/bookkeeper-server/src/main/java/org/apache/bookkeeper/util/LocalBookKeeper.java b/bookkeeper-server/src/main/java/org/apache/bookkeeper/util/LocalBookKeeper.java
index 8cdcd1e59f0..3c4b7d6365e 100644
--- a/bookkeeper-server/src/main/java/org/apache/bookkeeper/util/LocalBookKeeper.java
+++ b/bookkeeper-server/src/main/java/org/apache/bookkeeper/util/LocalBookKeeper.java
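Review bot: The IllegalArgumentException introduced at the top of serializeLocalBookieConfig is not declared in the method's Javadoc, whose tail is visible in the hunk's context as `* @throws IOException`; add `* @throws IllegalArgumentException if fileName does not end with .conf` beside it so callers see the new precondition. Since the guard only inspects the suffix, the Javadoc should describe it as a name-format check and not imply that the target directory is constrained by it. The Javadoc begins and the method body continues outside this hunk.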
@@ -58,6 +58,7 @@
 import org.apache.bookkeeper.stats.NullStatsLogger;
 import org.apache.bookkeeper.zookeeper.ZooKeeperClient;
 import org.apache.commons.io.FileUtils;
+import org.apache.commons.lang3.StringUtils;
 import org.apache.zookeeper.CreateMode;
 import org.apache.zookeeper.KeeperException;
 import org.apache.zookeeper.Op;
@@ -333,7 +334,7 @@ private static LocalBookKeeper getLocalBookiesInternal(ServerConfiguration conf,
 * @throws IOException
 */
 private void serializeLocalBookieConfig(ServerConfiguration localBookieConfig, String fileName) throws IOException {
- if (!fileName.endsWith(".conf")) {
+ if (StringUtils.isBlank(fileName) || !fileName.endsWith(".conf")) {
 throw new IllegalArgumentException("File name should end with .conf");
 }
From ac15d5437da8b9f61e1085d7f787b4eaaebf99ed Mon Sep 17 00:00:00 2001
From: chenhang
Date: Mon, 4 Mar 2024 09:24:14 +0800
Subject: [PATCH 3/3] update code
---
 .../java/org/apache/bookkeeper/util/LocalBookKeeper.java | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/bookkeeper-server/src/main/java/org/apache/bookkeeper/util/LocalBookKeeper.java b/bookkeeper-server/src/main/java/org/apache/bookkeeper/util/LocalBookKeeper.java
index 3c4b7d6365e..ca467ab2975 100644
--- a/bookkeeper-server/src/main/java/org/apache/bookkeeper/util/LocalBookKeeper.java
+++ b/bookkeeper-server/src/main/java/org/apache/bookkeeper/util/LocalBookKeeper.java
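Review bot: The first hunk adds `org.apache.commons.lang3.StringUtils` solely for the one `isBlank` call in the changed condition; if bookkeeper-server does not already depend on commons-lang3 (not visible from the diff), `fileName == null || fileName.trim().isEmpty()` gives the same rejection without a new module dependency. The message on the line after the changed condition still says `"File name should end with .conf"`, but the guard now also rejects null, empty and whitespace-only names, so a blank input gets a misleading diagnosis; `"File name must be non-blank and end with .conf"` covers both branches. The enclosing Javadoc and the remainder of the method body are outside the hunk.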
@@ -334,8 +334,11 @@ private static LocalBookKeeper getLocalBookiesInternal(ServerConfiguration conf,
 * @throws IOException
 */
 private void serializeLocalBookieConfig(ServerConfiguration localBookieConfig, String fileName) throws IOException {
- if (StringUtils.isBlank(fileName) || !fileName.endsWith(".conf")) {
- throw new IllegalArgumentException("File name should end with .conf");
+ if (StringUtils.isBlank(fileName)
+ || fileName.contains("..")
+ || fileName.contains("/")
+ || fileName.contains("\\")) {
+ throw new IllegalArgumentException("Invalid filename: " + fileName);
 }

 File localBookieConfFile = new File(localBookiesConfigDir, fileName);
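Review bot: The new guard is a denylist of substrings (`..`, `/`, `\\`) rather than a check that the resolved path stays inside localBookiesConfigDir, so it must anticipate every separator and traversal spelling itself and its intent is harder to verify than a containment check; resolving the name against the directory and requiring the normalized result to be a direct child of it states the property directly and is the form static analysers recognise for this alert. The `.conf` suffix requirement introduced by the first patch is silently dropped by this rewrite, so any name inside the directory is now accepted — if that restriction was intentional, keep `|| !fileName.endsWith(".conf")` in the guard. The rejected value is echoed verbatim in the exception message, so if that message reaches a log line any control characters in the name go with it; logging a length-capped or sanitised form is safer, though that may be acceptable for a local test utility. I assume localBookiesConfigDir is a `File` (it is passed to the `File(parent, child)` constructor); if it is a `String`, use `Paths.get(localBookiesConfigDir)` instead, and `java.nio.file.Path` would need importing. The method body continues past the end of the hunk.
```java
private void serializeLocalBookieConfig(ServerConfiguration localBookieConfig, String fileName) throws IOException {
    if (StringUtils.isBlank(fileName)) {
        throw new IllegalArgumentException("Invalid filename: " + fileName);
    }
    // Resolve against the config directory and require a direct child: this rejects
    // absolute names, "..", and sub-directories without enumerating separators.
    Path baseDir = localBookiesConfigDir.toPath().toAbsolutePath().normalize();
    Path target = baseDir.resolve(fileName).toAbsolutePath().normalize();
    if (!baseDir.equals(target.getParent())) {
        throw new IllegalArgumentException("Invalid filename: " + fileName);
    }
    File localBookieConfFile = target.toFile();
    // … unchanged: delete-if-exists and write of the config file …
```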