Skip to content

Fix prefix-boundary hole in filer root-escape checks#5497

Open
simonfaltum wants to merge 2 commits into
mainfrom
simonfaltum/b5-filer-root-escape
Open

Fix prefix-boundary hole in filer root-escape checks#5497
simonfaltum wants to merge 2 commits into
mainfrom
simonfaltum/b5-filer-root-escape

Conversation

@simonfaltum

@simonfaltum simonfaltum commented Jun 9, 2026

Copy link
Copy Markdown
Member

Why

Found during a full-repo review of the CLI. All filers guard against relative paths escaping their root, but the guard in libs/filer/workspace_root_path.go and libs/filer/local_root_path.go was a bare string prefix check. A path that resolves to a sibling directory sharing the root as a name prefix slipped through: with root /Users/me/proj, joining ../proj-evil/x resolves to /Users/me/proj-evil/x, which passes strings.HasPrefix. Every filer (workspace files, DBFS, UC volumes, local) shares these helpers, and bundle init templates write template-author-controlled paths through them.

Changes

Before, a joined path only had to start with the root string; now it must either be exactly the root or extend it past a separator boundary.

  • WorkspaceRootPath.Join and localRootPath.Join compare against the root with a trailing separator and explicitly allow the exact-root result. Joins like ReadDir(".") resolve to exactly the root and keep working.
  • Filers rooted at / (used by the fs commands) keep working: the separator is only appended when the cleaned root does not already end in one. Same for Windows drive roots like C:\.
  • The unrooted local filer (NewLocalRootPath(""), used by fs for local paths) keeps accepting any path.

Test plan

  • Added sibling-prefix escape cases (../path-evil, ../path-evil/x, ../pathx) to libs/filer/workspace_root_path_test.go and libs/filer/local_root_path_test.go (Unix and Windows variants); these fail without the fix
  • Added escape-and-re-enter cases asserting ../path/x still joins under the root
  • Added TestLocalRootPathEmptyRoot covering the unrooted local filer passthrough
  • Existing exact-root cases (Join(""), Join("."), Join("/")) pass unchanged
  • go test ./libs/filer/ passes
  • go test ./libs/template/... ./libs/sync/... (direct consumers of these helpers) passes
  • ./task fmt-q, ./task lint-q, ./task checks pass

This pull request and its description were written by Isaac.

@simonfaltum
Fix prefix-boundary hole in filer root-escape checks
7bc7eb9 
The root containment check in WorkspaceRootPath.Join and
localRootPath.Join used a bare prefix match, so paths resolving to a
sibling directory that shares the root as a string prefix (for example
"/root-evil" for root "/root") passed the check. Require a separator
boundary after the root, keep exact-root joins allowed, and preserve
the unrooted local filer and "/"-rooted filer behavior.

Co-authored-by: Isaac
@simonfaltum simonfaltum temporarily deployed to test-trigger-is June 9, 2026 20:01 — with GitHub Actions Inactive
@simonfaltum simonfaltum temporarily deployed to test-trigger-is June 9, 2026 20:01 — with GitHub Actions Inactive
@github-actions

github-actions Bot commented Jun 9, 2026

Copy link
Copy Markdown
Contributor

Waiting for approval

Based on git history, these people are best suited to review:

  • @pietern -- recent work in libs/filer/

Eligible reviewers: @Divyansh-db, @chrisst, @hectorcast-db, @mihaimitrea-db, @parthban-db, @rauchy, @renaudhartert-db, @tanmay-db, @tejaskochar-db

Suggestions based on git history. See OWNERS for ownership rules.

@eng-dev-ecosystem-bot

eng-dev-ecosystem-bot commented Jun 9, 2026
edited
Loading

Copy link
Copy Markdown
Collaborator

Commit: a6edb6a

Run: 27238531422

Env 🟨​KNOWN 🔄​flaky 💚​RECOVERED 🙈​SKIP ✅​pass 🙈​skip Time
🟨​ aws linux 7 15 261 928 7:57
🔄​ aws windows 4 3 15 263 926 16:01
💚​ aws-ucws linux 7 15 357 842 7:33
💚​ aws-ucws windows 7 15 359 840 11:32
💚​ azure linux 1 17 264 926 6:19
💚​ azure windows 1 17 266 924 12:32
💚​ azure-ucws linux 1 17 362 838 8:11
💚​ azure-ucws windows 1 17 364 836 13:33
💚​ gcp linux 1 17 260 929 8:07
💚​ gcp windows 1 17 262 927 10:20
22 interesting tests: 15 SKIP, 7 KNOWN
Test Name aws linux aws windows aws-ucws linux aws-ucws windows azure linux azure windows azure-ucws linux azure-ucws windows gcp linux gcp windows
🟨​ TestAccept 🟨​K 💚​R 💚​R 💚​R 💚​R 💚​R 💚​R 💚​R 💚​R 💚​R
🙈​ TestAccept/bundle/invariant/no_drift 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/permissions 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🟨​ TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions 🟨​K 💚​R 💚​R 💚​R 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🟨​ TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions/DATABRICKS_BUNDLE_ENGINE=direct 🟨​K 🔄​f 💚​R 💚​R
🟨​ TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions/DATABRICKS_BUNDLE_ENGINE=terraform 🟨​K 🔄​f 💚​R 💚​R
🟨​ TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/without_permissions 🟨​K 💚​R 💚​R 💚​R 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🟨​ TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/without_permissions/DATABRICKS_BUNDLE_ENGINE=direct 🟨​K 🔄​f 💚​R 💚​R
🟨​ TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/without_permissions/DATABRICKS_BUNDLE_ENGINE=terraform 🟨​K 🔄​f 💚​R 💚​R
🙈​ TestAccept/bundle/resources/postgres_branches/basic 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/postgres_branches/recreate 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/postgres_branches/replace_existing 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/postgres_branches/update_protected 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/postgres_branches/without_branch_id 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/postgres_endpoints/basic 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/postgres_endpoints/recreate 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/postgres_projects/update_display_name 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/synced_database_tables/basic 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/vector_search_endpoints/drift/recreated_same_name 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/vector_search_indexes/basic 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/vector_search_indexes/grants/select 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/ssh/connection 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
Top 28 slowest tests (at least 2 minutes):
duration env testname
7:17 azure-ucws windows TestAccept
6:05 azure windows TestAccept
5:03 gcp windows TestAccept
5:00 aws-ucws windows TestAccept
4:44 gcp linux TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
4:31 gcp windows TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
4:12 gcp windows TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
3:59 gcp linux TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
3:37 aws windows TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
3:23 azure-ucws linux TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
3:21 azure windows TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
3:11 aws linux TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
3:09 azure-ucws linux TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
3:04 azure-ucws windows TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
3:00 gcp linux TestAccept
2:57 aws-ucws windows TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
2:53 aws-ucws windows TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
2:51 azure linux TestAccept
2:50 aws windows TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
2:50 azure-ucws windows TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
2:49 azure linux TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
2:49 aws-ucws linux TestAccept
2:48 azure-ucws linux TestAccept
2:45 aws-ucws linux TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
2:42 aws-ucws linux TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
2:32 azure linux TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
2:31 azure windows TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
2:22 aws linux TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct

@simonfaltum
Remove redundant comments
a6edb6a 
Co-authored-by: Isaac
@simonfaltum simonfaltum temporarily deployed to test-trigger-is June 9, 2026 21:58 — with GitHub Actions Inactive
@simonfaltum simonfaltum temporarily deployed to test-trigger-is June 9, 2026 21:58 — with GitHub Actions Inactive
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@shreyas-goenka shreyas-goenka Awaiting requested review from shreyas-goenka

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@simonfaltum @eng-dev-ecosystem-bot