TEZ-4659: Refactoring minor issues in profile output servlet (#439). (Ayush Saxena, reviewed by Laszlo Bodor)

commit: 5775337a5be3993d1aeb9b4c39134fe96c9b39f2 [log] [tgz]
author: Ayush Saxena <ayushsaxena@apache.org> Fri Oct 31 17:23:24 2025 +0530
committer: GitHub <noreply@github.com> Fri Oct 31 17:23:24 2025 +0530
tree: 147b90d5e5ed838deb6b3777f56e6235bcb668b1
parent: 2489b911889a1f931a67b6e56e7b4f06e3d17022 [diff]
diff --git a/tez-common/src/main/java/org/apache/tez/common/web/ProfileOutputServlet.java b/tez-common/src/main/java/org/apache/tez/common/web/ProfileOutputServlet.java
index b95d878..e1b9d2f 100644
--- a/tez-common/src/main/java/org/apache/tez/common/web/ProfileOutputServlet.java
+++ b/tez-common/src/main/java/org/apache/tez/common/web/ProfileOutputServlet.java

@@ -21,6 +21,7 @@
 import java.io.IOException;
 import java.io.PrintWriter;
 import java.nio.file.Files;
+import java.nio.file.Path;
 import java.nio.file.Paths;
 
 import javax.servlet.ServletException;
@@ -43,7 +44,16 @@
       writeMessage(response, "Run the profiler to be able to receive its output");
       return;
     }
-    File outputFile = new File(ProfileServlet.OUTPUT_DIR, queriedFile);
+    Path outputDir = Paths.get(ProfileServlet.OUTPUT_DIR).toAbsolutePath().normalize();
+    Path requestedPath = outputDir.resolve(queriedFile).normalize();
+
+    if (!requestedPath.startsWith(outputDir)) {
+      response.setStatus(HttpServletResponse.SC_FORBIDDEN);
+      writeMessage(response, "Access denied: Invalid Path");
+      return;
+    }
+    File outputFile = requestedPath.toFile();
+
     if (!outputFile.exists()) {
       writeMessage(response, "Requested file does not exist: " + queriedFile);
       return;

diff --git a/tez-tests/src/test/java/org/apache/tez/test/TestAM.java b/tez-tests/src/test/java/org/apache/tez/test/TestAM.java
index 3338deb..adfe18a 100644
--- a/tez-tests/src/test/java/org/apache/tez/test/TestAM.java
+++ b/tez-tests/src/test/java/org/apache/tez/test/TestAM.java

@@ -17,6 +17,7 @@
  */
 package org.apache.tez.test;
 
+import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertTrue;
 
@@ -25,6 +26,8 @@
 import java.net.HttpURLConnection;
 import java.net.URL;
 
+import javax.servlet.http.HttpServletResponse;
+
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.conf.Configuration.IntegerRanges;
 import org.apache.hadoop.fs.FileSystem;
@@ -133,6 +136,12 @@
     checkAddress(webUIAddress + "/prof", 202);
     checkAddress(webUIAddress + "/prof-output");
 
+    HttpURLConnection connection =
+        (HttpURLConnection) new URL(webUIAddress + "/prof-output?file=../etc/web").openConnection();
+    connection.connect();
+    assertEquals(HttpServletResponse.SC_FORBIDDEN, connection.getResponseCode());
+    assertTrue(new String(connection.getErrorStream().readAllBytes()).contains("Access denied: Invalid Path"));
+
     URL url = new URL(webUIAddress);
     IntegerRanges portRange = conf.getRange(TezConfiguration.TEZ_AM_WEBSERVICE_PORT_RANGE,
         TezConfiguration.TEZ_AM_WEBSERVICE_PORT_RANGE_DEFAULT);
commit	5775337a5be3993d1aeb9b4c39134fe96c9b39f2	[log] [tgz]
author	Ayush Saxena <ayushsaxena@apache.org>	Fri Oct 31 17:23:24 2025 +0530
committer	GitHub <noreply@github.com>	Fri Oct 31 17:23:24 2025 +0530
tree	147b90d5e5ed838deb6b3777f56e6235bcb668b1
parent	2489b911889a1f931a67b6e56e7b4f06e3d17022 [diff]