search

kestra-io / kestra

:zap: Workflow Automation Platform. Orchestrate & Schedule code in any language, run anywhere, 500+ plugins. Alternative to Zapier, Rundeck, Camunda, Airflow...
https://kestra.io
Apache License 2.0
13.1k stars 1.15k forks source link

feat(storage): Add guard for non-relative subpath Kestra URI #6016

Open loveysuby opened 2 days ago

loveysuby commented 2 days ago

What changes are being made and why?

When providing Kestra access URI, an exception handling logic was added to prevent the injected path from being a resource dependent on the base path.

How the changes have been QAed?

    private URI getKestraUri(String tenantId, Path path) {
        Path prefix = (tenantId == null) ?
            basePath.toAbsolutePath():
            basePath.toAbsolutePath().resolve(tenantId);
        subPathParentGuard(path, prefix);
        return URI.create("kestra:///" + prefix.relativize(path).toString().replace("\\", "/"));
    }

    private void subPathParentGuard(Path path, Path prefix) {
        if (!path.toAbsolutePath().startsWith(prefix)) {
            throw new IllegalArgumentException("The path must be a subpath of the base path with the tenant ID.");
        }
    }

Implemented for exception handling logic conventions within the same class. In the basepath branch, the path return logic was unified to resolve to correct readability.

loicmathieu commented 1 day ago

Hi, thanks for your contribution.

Can you add a test for the new behavior?