Code Review Update 3rd:

- Fixed CodeQL: Uncontrolled data used in path expression
apache · Sep 22, 2024 · b4a834e · b4a834e
1 parent abda5a4
commit b4a834e
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 5 deletions.
diff --git a/...cos/src/main/java/org/apache/dolphinscheduler/plugin/storage/cos/CosStorageConstants.java b/...cos/src/main/java/org/apache/dolphinscheduler/plugin/storage/cos/CosStorageConstants.java
@@ -26,6 +26,5 @@ public class CosStorageConstants {
     public static final String TENCENT_CLOUD_ACCESS_KEY_ID = "resource.tencent.cloud.access.key.id";
     public static final String TENCENT_CLOUD_ACCESS_KEY_SECRET = "resource.tencent.cloud.access.key.secret";
 
-    public static final String ILLEGAL_DOWNLOAD_PATH_PREFIX_ETC = "/etc";
     public static final String DEFAULT_COS_RESOURCE_UPLOAD_PATH = "/dolphinscheduler";
 }
diff --git a/...-cos/src/main/java/org/apache/dolphinscheduler/plugin/storage/cos/CosStorageOperator.java b/...-cos/src/main/java/org/apache/dolphinscheduler/plugin/storage/cos/CosStorageOperator.java
@@ -134,11 +134,14 @@ public void createStorageDir(String directoryAbsolutePath) {
     @Override
     public void download(String srcFilePath, String dstFilePath, boolean overwrite) {
         String cosKey = transformAbsolutePathToCOSKey(srcFilePath);
-        Path normalizedFilePath = Paths.get(dstFilePath).normalize();
-        if (normalizedFilePath.startsWith(CosStorageConstants.ILLEGAL_DOWNLOAD_PATH_PREFIX_ETC)) {
-            throw new IllegalArgumentException("failed to download to " + normalizedFilePath);
+        Path dsTempFolder = Paths.get(FileUtils.DATA_BASEDIR).normalize().toAbsolutePath();
+        Path fileDownloadPathNormalized = dsTempFolder.resolve(dstFilePath).normalize().toAbsolutePath();
+        if (!fileDownloadPathNormalized.startsWith(dsTempFolder)) {
+            // if the destination file path is NOT in DS temp folder (e.g., '/tmp/dolphinscheduler'),
+            // an IllegalArgumentException should be thrown.
+            throw new IllegalArgumentException("failed to download to " + fileDownloadPathNormalized);
         }
-        File dstFile = normalizedFilePath.toFile();
+        File dstFile = fileDownloadPathNormalized.toFile();
         if (dstFile.isDirectory()) {
             Files.delete(dstFile.toPath());
         } else {