
Fix prefix-boundary hole in filer root-escape checks#5497

Merged
simonfaltum merged 5 commits into
mainfrom
simonfaltum/b5-filer-root-escape
Jul 1, 2026
Conversation

@simonfaltum

Member

Why

Found during a full-repo review of the CLI. All filers guard against relative paths escaping their root, but the guard in libs/filer/workspace_root_path.go and libs/filer/local_root_path.go was a bare string prefix check. A path that resolves to a sibling directory sharing the root as a name prefix slipped through: with root /Users/me/proj, joining ../proj-evil/x resolves to /Users/me/proj-evil/x, which passes strings.HasPrefix. Every filer (workspace files, DBFS, UC volumes, local) shares these helpers, and bundle init templates write template-author-controlled paths through them.

Changes

Before, a joined path only had to start with the root string; now it must either be exactly the root or extend it past a separator boundary.

  • WorkspaceRootPath.Join and localRootPath.Join compare against the root with a trailing separator and explicitly allow the exact-root result. Joins like ReadDir(".") resolve to exactly the root and keep working.
  • Filers rooted at / (used by the fs commands) keep working: the separator is only appended when the cleaned root does not already end in one. Same for Windows drive roots like C:\.
  • The unrooted local filer (NewLocalRootPath(""), used by fs for local paths) keeps accepting any path.

Test plan

  • Added sibling-prefix escape cases (../path-evil, ../path-evil/x, ../pathx) to libs/filer/workspace_root_path_test.go and libs/filer/local_root_path_test.go (Unix and Windows variants); these fail without the fix
  • Added escape-and-re-enter cases asserting ../path/x still joins under the root
  • Added TestLocalRootPathEmptyRoot covering the unrooted local filer passthrough
  • Existing exact-root cases (Join(""), Join("."), Join("/")) pass unchanged
  • go test ./libs/filer/ passes
  • go test ./libs/template/... ./libs/sync/... (direct consumers of these helpers) passes
  • ./task fmt-q, ./task lint-q, ./task checks pass

This pull request and its description were written by Isaac.

The root containment check in WorkspaceRootPath.Join and
localRootPath.Join used a bare prefix match, so paths resolving to a
sibling directory that shares the root as a string prefix (for example
"/root-evil" for root "/root") passed the check. Require a separator
boundary after the root, keep exact-root joins allowed, and preserve
the unrooted local filer and "/"-rooted filer behavior.

Co-authored-by: Isaac
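The two containment checks contrasted in the description, rewritten as a stand-alone Go example added here for illustration; this is not the CLI's code from libs/filer/workspace_root_path.go or libs/filer/local_root_path.go. The names bareJoin (pre-fix bare prefix check), boundaryJoin (separator-boundary check), compare and ErrEscape are assumptions of this example, as is the use of the slash-only path package, which means the Windows drive-root case from the description is not modelled. An empty root stands in for the unrooted local filer.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// ErrEscape is returned when a joined path would leave the root.
// Names and structure here are illustrative, not the CLI's own code.
var ErrEscape = errors.New("relative path escapes root")

// bareJoin reproduces the pre-fix behaviour: containment is a bare
// string-prefix test, so "/root-evil" is counted as inside "/root".
func bareJoin(root, name string) (string, error) {
	root = path.Clean(root)
	joined := path.Join(root, name)
	if !strings.HasPrefix(joined, root) {
		return "", fmt.Errorf("%w: %s", ErrEscape, name)
	}
	return joined, nil
}

// boundaryJoin reproduces the post-fix behaviour: the joined path must be
// exactly the root, or extend the root past a separator boundary.
// An empty root models the unrooted local filer, which accepts any path.
func boundaryJoin(root, name string) (string, error) {
	if root == "" {
		return path.Clean(name), nil
	}
	root = path.Clean(root)
	joined := path.Join(root, name)
	if joined == root {
		// Exact-root joins such as Join(""), Join(".") and Join("/") stay allowed.
		return joined, nil
	}
	// Only append the separator when the cleaned root does not already
	// end in one, so a filer rooted at "/" keeps working.
	prefix := root
	if !strings.HasSuffix(prefix, "/") {
		prefix += "/"
	}
	if !strings.HasPrefix(joined, prefix) {
		return "", fmt.Errorf("%w: %s", ErrEscape, name)
	}
	return joined, nil
}

// compare runs both checks on one input and reports which of them accept it.
// Inputs where bare accepts and boundary rejects are the prefix-boundary hole.
func compare(root, name string) (bareOK, boundaryOK bool) {
	_, bareErr := bareJoin(root, name)
	_, boundaryErr := boundaryJoin(root, name)
	return bareErr == nil, boundaryErr == nil
}

func main() {
	// Constructed sample inputs mirroring the cases listed in the test plan.
	cases := []struct{ root, name string }{
		{"/root", "../root-evil"},   // sibling prefix: bare accepts, boundary rejects
		{"/root", "../root-evil/x"}, // sibling prefix with a child
		{"/root", "../rootx"},       // sibling prefix without separator
		{"/root", "../root/x"},      // escape and re-enter: both accept
		{"/root", "."},              // exact root
		{"/root", ""},               // exact root
		{"/", "x"},                  // "/"-rooted filer
		{"", "../anything"},         // unrooted local filer passthrough
	}
	for _, c := range cases {
		bareOK, boundaryOK := compare(c.root, c.name)
		fmt.Printf("root=%-8q name=%-18q bare=%-5t boundary=%t\n", c.root, c.name, bareOK, boundaryOK)
	}
}
```

Running the block prints one line per case; the first three rows are the ones where the two checks disagree, which is the whole content of the fix.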
@eng-dev-ecosystem-bot

eng-dev-ecosystem-bot commented Jun 9, 2026

Collaborator

Integration test report

Commit: 852d619

Run: 28501470001

Env 🟨​KNOWN 🔄​flaky 💚​RECOVERED 🙈​SKIP ✅​pass 🙈​skip Time
🟨​ aws linux 7 3 13 230 1037 7:57
🟨​ aws windows 7 3 13 232 1035 5:43
🔄​ aws-ucws linux 1 9 13 314 955 12:21
💚​ aws-ucws windows 10 13 316 953 3:40
🟨​ azure linux 3 1 15 230 1036 9:08
🟨​ azure windows 3 1 15 232 1034 5:48
🟨​ azure-ucws linux 1 1 15 316 952 13:58
💚​ azure-ucws windows 4 15 318 950 3:17
💚​ gcp linux 4 15 229 1038 7:38
💚​ gcp windows 4 15 231 1036 2:32
23 interesting tests: 13 SKIP, 10 KNOWN
Test Name aws linux aws windows aws-ucws linux aws-ucws windows azure linux azure windows azure-ucws linux azure-ucws windows gcp linux gcp windows
🟨​ TestAccept 🟨​K 🟨​K 💚​R 💚​R 💚​R 💚​R 💚​R 💚​R 💚​R 💚​R
🙈​ TestAccept/bundle/invariant/no_drift 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/permissions 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🟨​ TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions 🟨​K 🟨​K 💚​R 💚​R 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🟨​ TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions/DATABRICKS_BUNDLE_ENGINE=direct 🟨​K 🟨​K 💚​R 💚​R
🟨​ TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions/DATABRICKS_BUNDLE_ENGINE=terraform 🟨​K 🟨​K 💚​R 💚​R
🟨​ TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/without_permissions 🟨​K 🟨​K 💚​R 💚​R 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🟨​ TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/without_permissions/DATABRICKS_BUNDLE_ENGINE=direct 🟨​K 🟨​K 💚​R 💚​R
🟨​ TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/without_permissions/DATABRICKS_BUNDLE_ENGINE=terraform 🟨​K 🟨​K 💚​R 💚​R
🙈​ TestAccept/bundle/resources/postgres_branches/basic 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/postgres_branches/recreate 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/postgres_branches/replace_existing 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/postgres_branches/update_protected 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/postgres_branches/without_branch_id 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/postgres_endpoints/basic 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/postgres_projects/update_display_name 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/synced_database_tables/basic 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/vector_search_endpoints/drift/recreated_same_name 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/vector_search_indexes/recreate/embedding_dimension 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/ssh/connection 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🟨​ TestFetchRepositoryInfoAPI_FromRepo 💚​R 💚​R 🔄​f 💚​R 🟨​K 🟨​K 🟨​K 💚​R 💚​R 💚​R
🟨​ TestFetchRepositoryInfoAPI_FromRepo/root 💚​R 💚​R 💚​R 💚​R 🟨​K 🟨​K 💚​R 💚​R 💚​R
🟨​ TestFetchRepositoryInfoAPI_FromRepo/subdir 💚​R 💚​R 💚​R 💚​R 🟨​K 🟨​K 💚​R 💚​R 💚​R
Top 2 slowest tests (at least 2 minutes):
duration env testname
2:13 azure linux TestFsCpDirToDirWithOverwriteFlag/dbfs_to_dbfs
2:10 aws-ucws windows TestAccept

@simonfaltum simonfaltum requested review from janniklasrose and removed request for shreyas-goenka June 12, 2026 10:45
Comment thread libs/filer/local_root_path.go
@simonfaltum simonfaltum added this pull request to the merge queue Jul 1, 2026
Merged via the queue into main with commit 1525370 Jul 1, 2026
27 checks passed
@simonfaltum simonfaltum deleted the simonfaltum/b5-filer-root-escape branch July 1, 2026 10:36
3 participants