[fix][sec] Prevent path traversal in PackageName toRestPath#25628
Merged
lhotari merged 4 commits intoapache:masterfrom May 2, 2026
Merged
[fix][sec] Prevent path traversal in PackageName toRestPath#25628lhotari merged 4 commits intoapache:masterfrom
lhotari merged 4 commits intoapache:masterfrom
Conversation
…pplying URLEncoder and adding test to validate fix
…liant path encoding
nodece
approved these changes
Apr 30, 2026
merlimat
approved these changes
Apr 30, 2026
lhotari
reviewed
Apr 30, 2026
Contributor
There was a problem hiding this comment.
Pull request overview
Hardens PackageName.toRestPath() against CWE-22 path traversal by percent-encoding each REST path component, adding a regression test intended to validate safety even when constructor validation is bypassed.
Changes:
- Encode
tenant,namespace,name, andversioninPackageName.toRestPath()using GuavaUrlEscapers.urlPathSegmentEscaper(). - Add a reflection-based unit test that injects traversal-like content into
tenantand asserts the resulting REST path is safely encoded.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| pulsar-package-management/core/src/main/java/org/apache/pulsar/packages/management/core/common/PackageName.java | Escapes REST path components to prevent path traversal through untrusted/malicious values. |
| pulsar-package-management/core/src/test/java/org/apache/pulsar/packages/management/core/common/PackageNameTest.java | Adds a test intended to prove traversal payloads are encoded even if object state is tampered with via reflection. |
…ing @VisibleForTesting, and improve validation clarity
Praveenkumar76
force-pushed
the
fix/path-traversal
branch
from
7a95c94 to
90f8f55
Compare
Member
|
Thanks for the contribution @Praveenkumar76 |
Member
To retry CI after it fails due to flaky tests, add a comment |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes #25323
Motivation
A potential path traversal vulnerability (CWE-22) exists in
PackageName.toRestPath().The method builds REST path segments using package fields such as tenant, namespace, name, and version. These values were previously concatenated directly into the generated path without URL encoding.
Although current constructor validation blocks malformed input (like extra slashes) in normal flows, relying only on upstream validation violates the principle of Defense in Depth. If object construction is bypassed through reflection, deserialization, future code changes, or alternate call paths, malicious values containing traversal sequences such as
../could be propagated directly into generated REST paths.This change applies defense-in-depth by ensuring
toRestPath()safely encodes path components according to RFC 3986 before constructing the final path.Modifications
Updated
PackageName.toRestPath()to safely encode:tenantnamespacenameversionUsed Guava's
UrlEscapers.urlPathSegmentEscaper().escape(...)to construct the components. This correctly follows RFC 3986 for URL paths (converting spaces to%20and slashes to%2F) and avoids the+space-encoding issue caused by standardURLEncoder, without requiring new external HTTP dependencies.Added a reflection-based unit test (
testPathTraversalBypassConstructor) to explicitly verify traversal payloads are encoded safely even when constructor validation is bypassed.Verifying this change
This change added tests and can be verified as follows:
../../) and verifies the output path is safely encoded.Example verification command:
./gradlew :pulsar-package-management:pulsar-package-core:test --tests "PackageNameTest"Does this pull request potentially affect one of the following parts: