[Bug] Potential Path Traversal / Injection in PackageName.toRestPath via String.format #25323

@Crispy-fried-chicken

Description

Search before reporting

  • I searched in the issues and found nothing similar.

Read release policy

  • I understand that unsupported versions don't get bug fixes. I will attempt to reproduce the issue on a supported version of Pulsar client and Pulsar broker.

User environment

The Pulsar version is the latest version on the master branch.

Issue Description

1. Description

A security vulnerability has been identified in the PackageName.toRestPath() method. The current implementation uses String.format to build a path string without sanitizing the individual fields.

2. Vulnerable Code Snippet

In PackageName.java, the code is implemented as follows:

public String toRestPath() {
    // The fields (tenant, namespace, etc.) are concatenated without escaping
    return String.format("%s/%s/%s/%s/%s", type, tenant, namespace, name, version);
}

3. Attack Scenario (PoC)

An attacker can provide a malicious packageName to trigger path traversal. For example:

  • Input: public/tenant-a/../../system-tenant/ns/pkg@v1
  • Generated Path: public/tenant-a/../../system-tenant/ns/pkg/v1
  • Resolved Path: public/system-tenant/ns/pkg/v1 (Accessing unintended tenant data)

4. Suggested Fix

To remediate this, use URLEncoder to escape each component before formatting the string. This ensures that characters like / or .. are treated as literal data rather than path instructions.

import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

public String toRestPath() {
    return String.format("%s/%s/%s/%s/%s", 
        type, 
        URLEncoder.encode(tenant, StandardCharsets.UTF_8),
        URLEncoder.encode(namespace, StandardCharsets.UTF_8),
        URLEncoder.encode(name, StandardCharsets.UTF_8),
        URLEncoder.encode(version, StandardCharsets.UTF_8));
}

5. Impact

  • CWE-74: Improper Neutralization of Special Elements in Output.
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').
  • Severity: High (Potential unauthorized access/deletion of package data).

Reproducing the issue

See Attack Scenario (PoC) in Issue Description

Additional information

See Attack Scenario (PoC) in Issue Description

Are you willing to submit a PR?

  • I'm willing to submit a PR!
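The following is an added, self-contained illustration of the behaviour the report describes; it is my own code, not Pulsar's. `Pkg` is a hypothetical stand-in for the five fields of `PackageName`, and `normalize` simulates whatever consumes the REST path and resolves `.` and `..` segments (a file-backed package store or a router). It places the unescaped `toRestPath` next to the `URLEncoder` fix from the report and next to a stricter reject-instead-of-encode variant, and it also shows the one condition under which the encoding fix is not enough:

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.List;

public class RestPathDemo {

    // Hypothetical stand-in for the fields of Pulsar's PackageName; not the real class.
    static final class Pkg {
        final String type, tenant, namespace, name, version;

        Pkg(String type, String tenant, String namespace, String name, String version) {
            this.type = type;
            this.tenant = tenant;
            this.namespace = namespace;
            this.name = name;
            this.version = version;
        }

        // Same shape as the snippet in the report: fields joined without escaping.
        String toRestPathUnsafe() {
            return String.format("%s/%s/%s/%s/%s", type, tenant, namespace, name, version);
        }

        // The report's proposed fix: percent-encode each component before joining.
        String toRestPathEncoded() {
            return String.format("%s/%s/%s/%s/%s", type,
                    enc(tenant), enc(namespace), enc(name), enc(version));
        }

        // Stricter alternative (assumes Pulsar's naming rules permit it): refuse any
        // component that could act as a path instruction instead of encoding it.
        String toRestPathValidated() {
            for (String c : List.of(tenant, namespace, name, version)) {
                if (c.isEmpty() || c.contains("/") || c.contains("\\")
                        || c.equals(".") || c.equals("..")) {
                    throw new IllegalArgumentException("invalid package path component: " + c);
                }
            }
            return toRestPathUnsafe();
        }
    }

    // application/x-www-form-urlencoded: '/' becomes "%2F", '.' is kept, ' ' becomes '+'.
    static String enc(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8);
    }

    // Simulates a consumer that resolves "." and ".." segments of a slash-separated path.
    static String normalize(String path) {
        Deque<String> out = new ArrayDeque<>();
        for (String seg : path.split("/")) {
            if (seg.equals("..")) {
                out.pollLast();
            } else if (!seg.isEmpty() && !seg.equals(".")) {
                out.addLast(seg);
            }
        }
        return String.join("/", out);
    }

    public static void main(String[] args) {
        // Constructed attacker input: the tenant field carries a traversal sequence.
        Pkg evil = new Pkg("function", "tenant-a/../system-tenant", "ns", "pkg", "v1");

        // Unescaped: ".." is a real segment, so normalisation moves into the other tenant.
        String unsafe = evil.toRestPathUnsafe();
        System.out.println("unsafe      : " + unsafe);
        System.out.println("normalized  : " + normalize(unsafe));

        // Encoded: the whole tenant value is one segment ("tenant-a%2F..%2Fsystem-tenant").
        String encoded = evil.toRestPathEncoded();
        System.out.println("encoded     : " + encoded);
        System.out.println("normalized  : " + normalize(encoded));

        // Caveat: if the consumer decodes before it normalises, the traversal comes back.
        String decoded = URLDecoder.decode(encoded, StandardCharsets.UTF_8);
        System.out.println("decode-first: " + normalize(decoded));

        // Validation rejects the value outright instead of relying on the consumer.
        try {
            evil.toRestPathValidated();
        } catch (IllegalArgumentException e) {
            System.out.println("rejected    : " + e.getMessage());
        }
    }
}
```

The encoding fix holds only as long as nothing between `toRestPath` and the final path resolution decodes `%2F` back to `/`; servlet containers and reverse proxies differ in whether they reject, preserve or decode encoded slashes, so the decode-then-normalise line above is the case to test against the real deployment. Rejecting `/`, `.` and `..` in the individual fields removes that dependency entirely, which is why the validated variant is shown alongside the encoded one.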

Metadata

Labels

type/bug