From 34d85153f7387a5e1012f31d694ce8956eeed275 Mon Sep 17 00:00:00 2001
From: Hang Chen
Date: Mon, 4 Mar 2024 12:08:41 +0800
Subject: [PATCH] Fix uncontrolled data used in path expression (#4221)

* Fix uncontrolled data used in path expression

* update code

* update code
---
 .../java/org/apache/bookkeeper/util/LocalBookKeeper.java | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/bookkeeper-server/src/main/java/org/apache/bookkeeper/util/LocalBookKeeper.java b/bookkeeper-server/src/main/java/org/apache/bookkeeper/util/LocalBookKeeper.java
index dff6d1b8ba4..ca467ab2975 100644
--- a/bookkeeper-server/src/main/java/org/apache/bookkeeper/util/LocalBookKeeper.java
+++ b/bookkeeper-server/src/main/java/org/apache/bookkeeper/util/LocalBookKeeper.java
@@ -58,6 +58,7 @@
 import org.apache.bookkeeper.stats.NullStatsLogger;
 import org.apache.bookkeeper.zookeeper.ZooKeeperClient;
 import org.apache.commons.io.FileUtils;
+import org.apache.commons.lang3.StringUtils;
 import org.apache.zookeeper.CreateMode;
 import org.apache.zookeeper.KeeperException;
 import org.apache.zookeeper.Op;
@@ -333,6 +334,13 @@ private static LocalBookKeeper getLocalBookiesInternal(ServerConfiguration conf,
 * @throws IOException
 */
 private void serializeLocalBookieConfig(ServerConfiguration localBookieConfig, String fileName) throws IOException {
+ if (StringUtils.isBlank(fileName)
+ || fileName.contains("..")
+ || fileName.contains("/")
+ || fileName.contains("\\")) {
+ throw new IllegalArgumentException("Invalid filename: " + fileName);
+ }
+
 File localBookieConfFile = new File(localBookiesConfigDir, fileName);
 if (localBookieConfFile.exists() && !localBookieConfFile.delete()) {
 throw new IOException(
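Review bot: The guard added at the top of serializeLocalBookieConfig is a deny-list — it rejects `..`, `/` and `\` but never proves that the path built on the `new File(localBookiesConfigDir, fileName)` line actually lands inside the config directory, and it also rejects harmless names such as `bookie..1.conf`. The stronger form is to resolve the name against the config directory and check containment of the normalized result, keeping the name-level checks as a cheap first filter if you like; the snippet below does that and still throws the same IllegalArgumentException. I cannot tell from the hunk whether localBookiesConfigDir is a File or a String, so the `toPath()` call may need adjusting, and `java.nio.file.Path` would have to be imported alongside the StringUtils import added in the first hunk. The rest of the method (delete-then-write of the config file) continues outside the hunk.
```java
    private void serializeLocalBookieConfig(ServerConfiguration localBookieConfig, String fileName) throws IOException {
        // … unchanged: isBlank / ".." / "/" / "\\" deny-list check …
        // Defense in depth: prove the resolved path is a direct child of the config directory
        // rather than trusting that the deny-list above caught every traversal form.
        Path baseDir = localBookiesConfigDir.toPath().toAbsolutePath().normalize();
        Path target = baseDir.resolve(fileName).normalize();
        if (!baseDir.equals(target.getParent())) {
            throw new IllegalArgumentException("Invalid filename: " + fileName);
        }
        // … unchanged: delete existing file, then write the config …
```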