From f025a697c1d1d0264064d5adf6cb0b20d85041b6 Mon Sep 17 00:00:00 2001
From: Jongyoul Lee
Date: Tue, 18 Jul 2023 15:13:08 +0900
Subject: [PATCH] [HOTFIX] Validate note name (#4632)
* [HOTFIX] Validate note name
* [HOTFIX] Validate note name
* [HOTFIX] Validate note name
* Update zeppelin-server/src/test/java/org/apache/zeppelin/service/NotebookServiceTest.java
Co-authored-by: Philipp Dallig
* Update zeppelin-server/src/main/java/org/apache/zeppelin/service/NotebookService.java
Co-authored-by: Philipp Dallig
* [HOTFIX] Fix commented
---------
Co-authored-by: Philipp Dallig
---
 .../org/apache/zeppelin/service/NotebookService.java | 8 ++++++++
 .../apache/zeppelin/service/NotebookServiceTest.java | 12 ++++++++++++
 2 files changed, 20 insertions(+)
diff --git a/zeppelin-server/src/main/java/org/apache/zeppelin/service/NotebookService.java b/zeppelin-server/src/main/java/org/apache/zeppelin/service/NotebookService.java
index 2e980318307..d148150e5f6 100644
--- a/zeppelin-server/src/main/java/org/apache/zeppelin/service/NotebookService.java
+++ b/zeppelin-server/src/main/java/org/apache/zeppelin/service/NotebookService.java
@@ -24,6 +24,8 @@ import static org.apache.zeppelin.scheduler.Job.Status.ABORT;
 import java.io.IOException;
+import java.net.URLDecoder;
+import java.nio.charset.StandardCharsets;
 import java.text.ParseException;
 import java.text.SimpleDateFormat;
 import java.time.Instant;
@@ -236,6 +238,12 @@ String normalizeNotePath(String notePath) throws IOException {
 }
 notePath = notePath.replace("\r", " ").replace("\n", " ");
+
+ notePath = URLDecoder.decode(notePath, StandardCharsets.UTF_8.toString());
+ if (notePath.endsWith("/")) {
+ throw new IOException("Note name shouldn't end with '/'");
+ }
+
 int pos = notePath.lastIndexOf("/");
 if ((notePath.length() - pos) > 255) {
 throw new IOException("Note name must be less than 255");
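Review bot: In the second NotebookService.java hunk the decode runs after the `\r`/`\n` replacement on the line above it, so an encoded `%0d` or `%0a` becomes a raw line break that the sanitising step never sees. Decoding first closes that gap: move `notePath = URLDecoder.decode(notePath, StandardCharsets.UTF_8.toString());` above the `notePath.replace("\r", " ").replace("\n", " ")` line. URLDecoder also turns `+` into a space and throws an unchecked IllegalArgumentException on a stray `%`, so a legitimate name containing either character is silently renamed or escapes the method's `throws IOException` contract; catching it and rethrowing as IOException would keep callers' handling intact. normalizeNotePath starts and ends outside the hunk, including the `..` check, so whether a doubly encoded `%252e%252e` is decoded again later cannot be judged from here.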
diff --git a/zeppelin-server/src/test/java/org/apache/zeppelin/service/NotebookServiceTest.java b/zeppelin-server/src/test/java/org/apache/zeppelin/service/NotebookServiceTest.java
index d2b7aa78c40..01e81c537c5 100644
--- a/zeppelin-server/src/test/java/org/apache/zeppelin/service/NotebookServiceTest.java
+++ b/zeppelin-server/src/test/java/org/apache/zeppelin/service/NotebookServiceTest.java
@@ -528,5 +528,17 @@ void testNormalizeNotePath() throws IOException {
 } catch (IOException e) {
 assertEquals("Note name can not contain '..'", e.getMessage());
 }
+ try {
+ notebookService.normalizeNotePath("%2e%2e/%2e%2e/tmp/test222");
+ fail("Should fail");
+ } catch (IOException e) {
+ assertEquals("Note name can not contain '..'", e.getMessage());
+ }
+ try {
+ notebookService.normalizeNotePath("./");
+ fail("Should fail");
+ } catch (IOException e) {
+ assertEquals("Note name shouldn't end with '/'", e.getMessage());
+ }
 }
 }
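Review bot: The new trailing-slash case passes a literal `./`, so it would succeed even without the decode step; only the `%2e%2e` case exercises decoding. A case with an encoded slash, such as `notebookService.normalizeNotePath("test%2F")` expecting `"Note name shouldn't end with '/'"`, would pin the rule that the check runs on the decoded value (assuming the code before the hunk does not reject it first). Inputs carrying `%0a` or a lone `%` are also untested; as far as the patch shows, the second would surface as an unchecked IllegalArgumentException rather than the IOException this try/catch pattern expects. testNormalizeNotePath starts outside the hunk.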