[HOTFIX] Validate note name (#4632)

jongyoul · Reamer · web-flow · commit f025a697c1d1 · 2023-07-18T15:13:08.000+09:00
* [HOTFIX] Validate note name

* [HOTFIX] Validate note name

* [HOTFIX] Validate note name

* Update zeppelin-server/src/test/java/org/apache/zeppelin/service/NotebookServiceTest.java

Co-authored-by: Philipp Dallig &lt;philipp.dallig@gmail.com&gt;

* Update zeppelin-server/src/main/java/org/apache/zeppelin/service/NotebookService.java

Co-authored-by: Philipp Dallig &lt;philipp.dallig@gmail.com&gt;

* [HOTFIX] Fix commented

---------

Co-authored-by: Philipp Dallig &lt;philipp.dallig@gmail.com&gt;
diff --git a/zeppelin-server/src/main/java/org/apache/zeppelin/service/NotebookService.java b/zeppelin-server/src/main/java/org/apache/zeppelin/service/NotebookService.java
@@ -24,6 +24,8 @@
 import static org.apache.zeppelin.scheduler.Job.Status.ABORT;
 
 import java.io.IOException;
+import java.net.URLDecoder;
+import java.nio.charset.StandardCharsets;
 import java.text.ParseException;
 import java.text.SimpleDateFormat;
 import java.time.Instant;
@@ -236,6 +238,12 @@ String normalizeNotePath(String notePath) throws IOException {
     }
 
     notePath = notePath.replace("\r", " ").replace("\n", " ");
+
+    notePath = URLDecoder.decode(notePath, StandardCharsets.UTF_8.toString());
+    if (notePath.endsWith("/")) {
+      throw new IOException("Note name shouldn't end with '/'");
+    }
+
     int pos = notePath.lastIndexOf("/");
     if ((notePath.length() - pos) > 255) {
       throw new IOException("Note name must be less than 255");
diff --git a/zeppelin-server/src/test/java/org/apache/zeppelin/service/NotebookServiceTest.java b/zeppelin-server/src/test/java/org/apache/zeppelin/service/NotebookServiceTest.java
@@ -528,5 +528,17 @@ void testNormalizeNotePath() throws IOException {
     } catch (IOException e) {
       assertEquals("Note name can not contain '..'", e.getMessage());
     }
+    try {
+      notebookService.normalizeNotePath("%2e%2e/%2e%2e/tmp/test222");
+      fail("Should fail");
+    } catch (IOException e) {
+      assertEquals("Note name can not contain '..'", e.getMessage());
+    }
+    try {
+      notebookService.normalizeNotePath("./");
+      fail("Should fail");
+    } catch (IOException e) {
+      assertEquals("Note name shouldn't end with '/'", e.getMessage());
+    }
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -528,5 +528,17 @@ void testNormalizeNotePath() throws IOException {`
`528`	`528`	`} catch (IOException e) {`
`529`	`529`	`assertEquals("Note name can not contain '..'", e.getMessage());`
`530`	`530`	`}`
	`531`	`+ try {`
	`532`	`+ notebookService.normalizeNotePath("%2e%2e/%2e%2e/tmp/test222");`
	`533`	`+ fail("Should fail");`
	`534`	`+ } catch (IOException e) {`
	`535`	`+ assertEquals("Note name can not contain '..'", e.getMessage());`
	`536`	`+ }`
	`537`	`+ try {`
	`538`	`+ notebookService.normalizeNotePath("./");`
	`539`	`+ fail("Should fail");`
	`540`	`+ } catch (IOException e) {`
	`541`	`+ assertEquals("Note name shouldn't end with '/'", e.getMessage());`
	`542`	`+ }`
`531`	`543`	`}`
`532`	`544`	`}`