Crispy-fried-chicken opened a new issue, #25324: URL: https://github.com/apache/pulsar/issues/25324
### Search before reporting

- [x] I searched in the [issues](https://github.com/apache/pulsar/issues) and found nothing similar.

### Read release policy

- [x] I understand that [unsupported versions](https://pulsar.apache.org/contribute/release-policy/#supported-versions) don't get bug fixes. I will attempt to reproduce the issue on a supported version of Pulsar client and Pulsar broker.

### User environment

The Pulsar version is the newest version in the master branch.

### Issue Description

#### 1. Description

A potential injection vulnerability exists in the `TransactionMetaStoreHandler.toStringSubscriptionList` method. The method constructs a string representation of a subscription list by directly formatting the `topic` and `subscription` fields using `java.lang.String.format` without any escaping or neutralization of special characters (e.g., spaces, newlines, or delimiters).

#### 2. Vulnerable Code Snippet

In `TransactionMetaStoreHandler.java`, the fields are concatenated into a single string:

```java
// File: pulsar-client/.../TransactionMetaStoreHandler.java
private String toStringSubscriptionList(List<Subscription> list) {
    // ... logic for null/empty ...
    StringBuilder builder = new StringBuilder("[");
    for (Subscription subscription : list) {
        // VULNERABILITY: raw strings are formatted without escaping
        builder.append(String.format("%s %s", subscription.getTopic(), subscription.getSubscription()));
    }
    return builder.append("]").toString();
}
```

This string is then used to create a `description` for a transaction operation:

```java
// Line 210 in addSubscriptionToTxn
String description = String.format("Add subscription %s to TXN %s",
        toStringSubscriptionList(subscriptionList), String.valueOf(txnID));
```

#### 3. Attack Scenario

Because `topic` and `subscription` names can often be influenced by external clients in Apache Pulsar:

1. **Log Injection**: An attacker could provide a subscription name containing newline characters (`\n`) and fake log entries (e.g., `\n[INFO] Transaction 123 committed successfully`). If this `description` is logged, it can deceive administrators.
2. **Structural Ambiguity**: If a topic name contains a space, the resulting `[Topic Subscription]` string becomes ambiguous, potentially misleading downstream components or monitoring tools that parse this description.

#### 4. Suggested Fix

Implement a defensive "escape" or "neutralization" strategy. Special characters in the components should be sanitized, or the entire list should be serialized using a standard, safe format (like JSON) or a custom escaper.

```java
// Suggested fix using simple character replacement or a utility
builder.append(String.format("[%s : %s]",
        sanitize(subscription.getTopic()), sanitize(subscription.getSubscription())));
```

#### 5. Risk Assessment

- **CWE-74**: Improper Neutralization of Special Elements in Output.
- **Confidence Score**: 7/10
- **Severity**: Low/Medium (primarily affects auditing, logging, and monitoring integrity).

### Error messages

```text
```

### Reproducing the issue

See Issue Description.

### Additional information

See Issue Description.

### Are you willing to submit a PR?

- [x] I'm willing to submit a PR!

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
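The log-injection scenario and the suggested `sanitize` fix from the issue above, worked through as an added, self-contained example. This is editor-written illustration code, not Pulsar's own `TransactionMetaStoreHandler`; the `Subscription` stand-in class, the `sanitize` helper, the braced `{topic="...", subscription="..."}` output layout and the sample topic, subscription and transaction strings are all assumptions made here. The raw formatter reproduces the reported pattern; the escaped formatter turns line breaks and other control characters into visible escape sequences and wraps each pair so an embedded space can no longer shift the topic/subscription boundary.

```java
import java.util.Arrays;
import java.util.List;

// Added example (not Pulsar code): the raw String.format concatenation described in the
// issue beside an escaping variant. Subscription, sanitize() and the output layout below
// are assumptions for illustration, not Pulsar's API.
public class SubscriptionDescriptionEscaping {

    // Minimal stand-in for the Subscription objects passed to toStringSubscriptionList.
    static final class Subscription {
        private final String topic;
        private final String subscription;
        Subscription(String topic, String subscription) {
            this.topic = topic;
            this.subscription = subscription;
        }
        String getTopic() { return topic; }
        String getSubscription() { return subscription; }
    }

    // Mirrors the reported pattern: fields are formatted verbatim, separated by a space.
    static String toStringSubscriptionListRaw(List<Subscription> list) {
        if (list == null || list.isEmpty()) {
            return "[]";
        }
        StringBuilder builder = new StringBuilder("[");
        for (Subscription s : list) {
            builder.append(String.format("%s %s", s.getTopic(), s.getSubscription()));
        }
        return builder.append("]").toString();
    }

    // Hardened variant: each component is escaped before formatting and the pair is
    // labelled and quoted, so neither a space nor a newline can forge structure.
    static String toStringSubscriptionListEscaped(List<Subscription> list) {
        if (list == null || list.isEmpty()) {
            return "[]";
        }
        StringBuilder builder = new StringBuilder("[");
        for (int i = 0; i < list.size(); i++) {
            Subscription s = list.get(i);
            if (i > 0) {
                builder.append(", ");
            }
            builder.append(String.format("{topic=\"%s\", subscription=\"%s\"}",
                    sanitize(s.getTopic()), sanitize(s.getSubscription())));
        }
        return builder.append("]").toString();
    }

    // Neutralizes characters that would break a single-line log record or the quoting
    // used above: backslash, double quote, CR, LF, TAB, and any other control character
    // (rendered as a backslash-u hex escape).
    static String sanitize(String value) {
        if (value == null) {
            return "null";
        }
        StringBuilder out = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '\\': out.append("\\\\"); break;
                case '"':  out.append("\\\""); break;
                case '\n': out.append("\\n"); break;
                case '\r': out.append("\\r"); break;
                case '\t': out.append("\\t"); break;
                default:
                    if (c < 0x20 || c == 0x7f) {
                        out.append(String.format("\\u%04x", (int) c));
                    } else {
                        out.append(c);
                    }
            }
        }
        return out.toString();
    }

    // The check a reviewer would want: a description must never contain a line break.
    static boolean isSingleLine(String description) {
        return description.indexOf('\n') < 0 && description.indexOf('\r') < 0;
    }

    public static void main(String[] args) {
        // Constructed input: a subscription name carrying a fake log entry, as in the issue.
        List<Subscription> subs = Arrays.asList(
                new Subscription("persistent://public/default/orders",
                        "sub-a\n[INFO] Transaction 123 committed successfully"));
        String txnLabel = "txn-1"; // constructed placeholder for String.valueOf(txnID)
        String raw = "Add subscription " + toStringSubscriptionListRaw(subs) + " to TXN " + txnLabel;
        String safe = "Add subscription " + toStringSubscriptionListEscaped(subs) + " to TXN " + txnLabel;

        System.out.println("raw:  " + raw);   // prints on two lines; the second reads as its own entry
        System.out.println("safe: " + safe);  // one line; the newline is visible as \n
        if (isSingleLine(raw) || !isSingleLine(safe)) {
            throw new IllegalStateException("escaping did not behave as expected");
        }
    }
}
```

Compile and run with `javac SubscriptionDescriptionEscaping.java && java SubscriptionDescriptionEscaping`. The raw output splits across two lines, with the attacker-supplied `[INFO] Transaction 123 committed successfully` standing alone as if it were a genuine log record, while the escaped output keeps the whole description on one line with the injected break shown as a literal `\n`. If the project would rather keep the existing `[topic subscription]` layout, the same `sanitize` call can be dropped into the original `String.format("%s %s", ...)`; the labelled, quoted form is only one of the serialization options the issue suggests.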
