[Bug] Improper Neutralization in TransactionMetaStoreHandler (CWE-74) #25324

@Crispy-fried-chicken

Description

Search before reporting

  • I searched in the issues and found nothing similar.

Read release policy

  • I understand that unsupported versions don't get bug fixes. I will attempt to reproduce the issue on a supported version of Pulsar client and Pulsar broker.

User environment

The pulsar version is the newest version in the master branch

Issue Description

1. Description

A potential injection vulnerability exists in the TransactionMetaStoreHandler.toStringSubscriptionList method. The method constructs a string representation of a subscription list by directly formatting topic and subscription fields using java.lang.String.format without any escaping or neutralization of special characters (e.g., spaces, newlines, or delimiters).

2. Vulnerable Code Snippet

In TransactionMetaStoreHandler.java, the fields are concatenated into a single string:

// File: pulsar-client/.../TransactionMetaStoreHandler.java
private String toStringSubscriptionList(List<Subscription> list) {
    // ... logic for null/empty ...
    StringBuilder builder = new StringBuilder("[");
    for (Subscription subscription : list) {
        // VULNERABILITY: Raw strings are formatted without escaping
        builder.append(String.format("%s %s", subscription.getTopic(), subscription.getSubscription()));
    }
    return builder.append("]").toString();
}

This string is then used to create a description for a transaction operation:

// Line 210 in addSubscriptionToTxn
String description = String.format("Add subscription %s to TXN %s", 
    toStringSubscriptionList(subscriptionList), String.valueOf(txnID));

3. Attack Scenario

Because topic and subscription names can often be influenced by external clients in Apache Pulsar:

  1. Log Injection: An attacker could provide a subscription name containing newline characters (\n) and fake log entries (e.g., \n[INFO] Transaction 123 committed successfully). If this description is logged, it can deceive administrators.
  2. Structural Ambiguity: If a topic name contains a space, the resulting [Topic Subscription] string becomes ambiguous, potentially misleading downstream components or monitoring tools that parse this description.

4. Suggested Fix

Implement a defensive "Escape" or "Neutralization" strategy. Special characters in the components should be sanitized or the entire list should be serialized using a standard, safe format (like JSON) or a custom escaper.

// Suggested Fix using simple character replacement or a utility
builder.append(String.format("[%s : %s]", 
    sanitize(subscription.getTopic()), 
    sanitize(subscription.getSubscription())));

5. Risk Assessment

  • CWE-74: Improper Neutralization of Special Elements in Output.
  • Confidence Score: 7/10
  • Severity: Low/Medium (Primarily affects auditing, logging, and monitoring integrity).

Error messages


Reproducing the issue

See Issue Description

Additional information

See Issue Description

Are you willing to submit a PR?

  • I'm willing to submit a PR!

Metadata

Labels: type/bug

Assignees: No one assigned

Development: No branches or pull requests