dybyte commented on code in PR #10628:
URL: https://github.com/apache/seatunnel/pull/10628#discussion_r2975831853
##########
seatunnel-e2e/seatunnel-engine-e2e/connector-seatunnel-e2e-base/src/test/java/org/apache/seatunnel/engine/e2e/joblog/JobLogIT.java:
##########
@@ -105,6 +105,42 @@ public void tearDown() throws Exception {
}
}
+ @Test
+ public void testPathTraversalAttackPrevention() throws IOException,
InterruptedException {
+ // Test path traversal with Unix-style relative path
+ Container.ExecResult result =
+ server.execInContainer(
+ "sh",
+ "-c",
+ "curl -s -o /dev/null -w '%{http_code}'
'http://localhost:8080/log/../../etc/passwd'");
+ Assertions.assertEquals(
+ "400",
+ result.getStdout().trim(),
+ "Path traversal attack with ../../etc/passwd should be blocked
with HTTP 400");
+
+ // Test path traversal with deeper relative path
+ result =
+ server.execInContainer(
+ "sh",
+ "-c",
+ "curl -s -o /dev/null -w '%{http_code}'
'http://localhost:8080/log/../../../etc/shadow'");
Review Comment:
ditto
##########
seatunnel-e2e/seatunnel-engine-e2e/connector-seatunnel-e2e-base/src/test/java/org/apache/seatunnel/engine/e2e/joblog/JobLogIT.java:
##########
@@ -105,6 +105,42 @@ public void tearDown() throws Exception {
}
}
+ @Test
+ public void testPathTraversalAttackPrevention() throws IOException,
InterruptedException {
+ // Test path traversal with Unix-style relative path
+ Container.ExecResult result =
+ server.execInContainer(
+ "sh",
+ "-c",
+ "curl -s -o /dev/null -w '%{http_code}'
'http://localhost:8080/log/../../etc/passwd'");
Review Comment:
Could we add `--path-as-is` here? curl may normalize `/../` by default, so
the traversal payload might not reach the server unchanged.
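To make the point about client-side normalization concrete, here is a small model, added for this page and not code from the SeaTunnel project or the PR, of what a curl-style client puts on the wire with and without `--path-as-is` and how a log endpoint that resolves the requested name under its log directory would classify it. The log directory (`LOG_ROOT`), the two route prefixes and the server behaviour are assumptions for illustration only; curl's default dot-segment squashing follows RFC 3986 section 5.2.4 and touches only literal `.` and `..` segments, never percent-encoded ones.

```python
"""Model of how a curl-style client and a log-serving endpoint treat
path-traversal payloads. Constructed example; not SeaTunnel code."""
import posixpath
from urllib.parse import unquote

# Assumed server layout (hypothetical): job logs live under this directory
# and are served from these two route prefixes.
LOG_ROOT = "/opt/seatunnel/logs"
LOG_ROUTES = ("/log/", "/logs/")


def remove_dot_segments(path: str) -> str:
    """RFC 3986 section 5.2.4 dot-segment removal, which curl applies to the
    request path by default and skips with --path-as-is. Only literal '.' and
    '..' segments are touched; '%2e%2e' or '..%2f' pass through unchanged."""
    output = []
    for segment in path.split("/"):
        if segment == "..":
            if len(output) > 1:  # keep the leading '' that stands for the root '/'
                output.pop()
        elif segment != ".":
            output.append(segment)
    if path.endswith(("/.", "/..")):
        output.append("")  # a trailing dot segment leaves a trailing slash
    return "/".join(output)


def client_request_path(path: str, path_as_is: bool) -> str:
    """The path that actually appears in the GET request line."""
    return path if path_as_is else remove_dot_segments(path)


def server_status(request_path: str) -> str:
    """Hypothetical log endpoint: route on prefix, percent-decode the name
    once, and refuse anything that resolves outside LOG_ROOT. Returns the
    status as a string, the way the test reads curl's %{http_code}."""
    for route in LOG_ROUTES:
        if request_path.startswith(route):
            name = unquote(request_path[len(route):])
            resolved = posixpath.normpath(posixpath.join(LOG_ROOT, name))
            if resolved != LOG_ROOT and not resolved.startswith(LOG_ROOT + "/"):
                return "400"  # traversal: escaped the log directory
            return "200"  # a real server would also check the file exists
    return "404"  # no handler matched; the traversal check never ran


def simulate(path: str, path_as_is: bool) -> str:
    """Status the client observes for a payload, with or without --path-as-is."""
    return server_status(client_request_path(path, path_as_is))


if __name__ == "__main__":
    payloads = [
        "/log/../../etc/passwd",            # literal form used in the PR test
        "/logs/../../../etc/shadow",
        "/log/%2e%2e/%2e%2e/etc/passwd",    # encoded dots survive normalization
        "/log/..%2f..%2fetc%2fpasswd",      # encoded slashes
    ]
    for p in payloads:
        print(f"{p:34} default={simulate(p, False)}  path-as-is={simulate(p, True)}")
```

With the default client behaviour the literal `../` payloads are rewritten to `/etc/passwd` and `/etc/shadow` before they leave curl, so they never reach the `/log/` handler and the endpoint's own check is not exercised; with `--path-as-is` they arrive intact and are rejected. The percent-encoded forms reach the handler either way, which is why a traversal test should include them in addition to the literal form.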
##########
seatunnel-e2e/seatunnel-engine-e2e/connector-seatunnel-e2e-base/src/test/java/org/apache/seatunnel/engine/e2e/joblog/JobLogIT.java:
##########
@@ -105,6 +105,42 @@ public void tearDown() throws Exception {
}
}
+ @Test
+ public void testPathTraversalAttackPrevention() throws IOException,
InterruptedException {
+ // Test path traversal with Unix-style relative path
+ Container.ExecResult result =
+ server.execInContainer(
+ "sh",
+ "-c",
+ "curl -s -o /dev/null -w '%{http_code}'
'http://localhost:8080/log/../../etc/passwd'");
+ Assertions.assertEquals(
+ "400",
+ result.getStdout().trim(),
+ "Path traversal attack with ../../etc/passwd should be blocked
with HTTP 400");
+
+ // Test path traversal with deeper relative path
+ result =
+ server.execInContainer(
+ "sh",
+ "-c",
+ "curl -s -o /dev/null -w '%{http_code}'
'http://localhost:8080/log/../../../etc/shadow'");
+ Assertions.assertEquals(
+ "400",
+ result.getStdout().trim(),
+ "Path traversal attack with ../../../etc/shadow should be
blocked with HTTP 400");
+
+ // Test path traversal via /logs endpoint (all node log)
+ result =
+ server.execInContainer(
+ "sh",
+ "-c",
+ "curl -s -o /dev/null -w '%{http_code}'
'http://localhost:8080/logs/../../etc/passwd'");
Review Comment:
ditto
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]