From 83260278c772e6a92e84081d861a8b5fb6083f21 Mon Sep 17 00:00:00 2001
From: Jack Conradson <osjdconrad@gmail.com>
Date: Fri, 28 Feb 2025 15:09:00 -0800
Subject: [PATCH] remove duplicate paths in FileAccessTree

---
 .../entitlement/runtime/policy/FileAccessTree.java          | 5 +++--
 .../entitlement/runtime/policy/FileAccessTreeTests.java     | 6 ++++++
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/FileAccessTree.java b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/FileAccessTree.java
index d46a1aeb7eade..345c43ef11660 100644
--- a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/FileAccessTree.java
+++ b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/FileAccessTree.java
@@ -153,14 +153,15 @@ private FileAccessTree(
         this.writePaths = pruneSortedPaths(writePaths).toArray(new String[0]);
     }
 
-    private static List<String> pruneSortedPaths(List<String> paths) {
+    // package private for testing
+    static List<String> pruneSortedPaths(List<String> paths) {
         List<String> prunedReadPaths = new ArrayList<>();
         if (paths.isEmpty() == false) {
             String currentPath = paths.get(0);
             prunedReadPaths.add(currentPath);
             for (int i = 1; i < paths.size(); ++i) {
                 String nextPath = paths.get(i);
-                if (isParent(currentPath, nextPath) == false) {
+                if (currentPath.equals(nextPath) == false && isParent(currentPath, nextPath) == false) {
                     prunedReadPaths.add(nextPath);
                     currentPath = nextPath;
                 }
diff --git a/libs/entitlement/src/test/java/org/elasticsearch/entitlement/runtime/policy/FileAccessTreeTests.java b/libs/entitlement/src/test/java/org/elasticsearch/entitlement/runtime/policy/FileAccessTreeTests.java
index 106a7db84e087..7287e80232dcd 100644
--- a/libs/entitlement/src/test/java/org/elasticsearch/entitlement/runtime/policy/FileAccessTreeTests.java
+++ b/libs/entitlement/src/test/java/org/elasticsearch/entitlement/runtime/policy/FileAccessTreeTests.java
@@ -316,6 +316,12 @@ public void testInvalidExclusiveAccess() {
         assertThat(tree.canWrite(path("a")), is(false));
     }
 
+    public void testDuplicatePrunedPaths() {
+        List<String> paths = List.of("/a", "/a", "/a/b", "/a/b", "/b/c", "b/c/d", "b/c/d", "b/c/d", "e/f", "e/f");
+        paths = FileAccessTree.pruneSortedPaths(paths);
+        assertEquals(List.of("/a", "/b/c", "b/c/d", "e/f"), paths);
+    }
+
     FileAccessTree accessTree(FilesEntitlement entitlement, List<ExclusivePath> exclusivePaths) {
         return FileAccessTree.of("test-component", "test-module", entitlement, TEST_PATH_LOOKUP, exclusivePaths);
     }