TEZ-4699:Add Validation/Canonical checks to avoid path exploitation in CSVResult.java

ramitg254 · ramitg254 · commit 3291c679a72a · 2026-03-30T11:17:49.000+05:30
diff --git a/tez-tools/analyzers/job-analyzer/src/test/java/org/apache/tez/analyzer/TestCSVResult.java b/tez-tools/analyzers/job-analyzer/src/test/java/org/apache/tez/analyzer/TestCSVResult.java
@@ -21,6 +21,7 @@
 
 import java.io.IOException;
 import java.nio.charset.StandardCharsets;
+import java.nio.file.AccessDeniedException;
 import java.nio.file.FileAlreadyExistsException;
 import java.nio.file.Files;
 import java.nio.file.Path;
@@ -29,25 +30,19 @@
 import org.junit.Rule;
 import org.junit.Test;
 import org.junit.rules.TemporaryFolder;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
 
-/**
- * Unit tests for {@link CSVResult#dumpToFile(String)} (validation and atomic create).
- */
+
 public class TestCSVResult {
 
   @Rule
   public TemporaryFolder tmpDir = new TemporaryFolder();
-  private static final Logger LOG = LoggerFactory.getLogger(TestCSVResult.class);
 
   @Test
   public void testDumpToFileWritesContent() throws Exception {
     Path out = tmpDir.newFolder().toPath().resolve("out.csv");
     CSVResult result = new CSVResult(new String[] { "h1", "h2" });
     result.addRecord(new String[] { "a", "b" });
     result.dumpToFile(out.toString());
-    LOG.info("output file path is : {}", out.getFileName() );
     String content = new String(Files.readAllBytes(out), StandardCharsets.UTF_8);
     Assert.assertEquals("h1,h2\na,b\n", content);
   }
@@ -60,7 +55,7 @@ public void testDumpToFileRejectsExistingFile() throws Exception {
        result.dumpToFile(out.toString());
        Assert.fail("Expected FileAlreadyExistsException when output file already exists");
      } catch (FileAlreadyExistsException e) {
-       // CREATE_NEW must fail if path already exists (atomic exclusive create)
+       Assert.assertTrue("expected File Already Exist Exception",e.getMessage().contains(out.toString()));
      }
    }
 
@@ -103,4 +98,25 @@ public void testDumpToFileNestedDirectory() throws Exception {
      result.dumpToFile(out.toString());
      Assert.assertEquals("h\nr\n", new String(Files.readAllBytes(out), StandardCharsets.UTF_8));
    }
+
+  @Test
+  public void testDumpToFileNoWritePermissionRelativePath() throws Exception {
+    Path dir = tmpDir.newFolder("noWriteDir").toPath();
+    dir.toFile().setWritable(false);
+    Path out = dir.resolve("out.csv");
+    String relativePath = dir + "/../noWriteDir/out.csv";
+    CSVResult result = new CSVResult(new String[] { "h" });
+
+    try {
+      result.dumpToFile(relativePath);
+      Assert.fail("Expected AccessDeniedException due to no write permission");
+    } catch (AccessDeniedException e) {
+      Assert.assertTrue(
+          "Expected permission related error",
+          e.getMessage().contains(out.toString())
+      );
+    } finally {
+      dir.toFile().setWritable(true);
+    }
+  }
 }
