TEZ-4699:Add Validation/Canonical checks to avoid path exploitation in CSVResult.java

[ramitg254]

validated using following command on cluster:

HADOOP_CLASSPATH="$(hadoop classpath --glob):/opt/cloudera/parcels/CDH-7.3.2-1.cdh7.3.2.p0.76957083/lib/tez/bin/*" hadoop jar /opt/cloudera/parcels/CDH-7.3.2-1.cdh7.3.2.p0.76957083/lib/tez/bin/tez-job-analyzer-0.9.1.7.3.2.0-952.jar DagOverviewAnalyzer --dagId=dag_1774423971588_0004_1 --eventFileName=/warehouse/tablespace/managed/hive/sys.db/dag_data/date=2026-03-26/dag_1774423971588_0004_1_1 --fromProtoHistory --outputDir=./analyzer_results --saveResults

[abstractdog]

thanks @ramitg254 for this patch, can you please elaborate on how the patch solved this problem? before/after behaviour would be nice to see

[tez-yetus]

💔 -1 overall

Vote	Subsystem	Runtime	Logfile	Comment
+0 🆗	reexec	5m 43s		Docker mode activated.
			_ Prechecks _
+1 💚	dupname	0m 0s		No case conflicting files found.
+0 🆗	detsecrets	0m 0s		detect-secrets was not available.
+1 💚	@author	0m 0s		The patch does not contain any @author tags.
-1 ❌	test4tests	0m 0s		The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch.
			_ master Compile Tests _
+1 💚	mvninstall	6m 7s		master passed
+1 💚	compile	0m 21s		master passed
+1 💚	checkstyle	0m 37s		master passed
+1 💚	javadoc	0m 23s		master passed
+0 🆗	spotbugs	0m 39s		tez-tools/analyzers/job-analyzer in master has 20 extant spotbugs warnings.
			_ Patch Compile Tests _
+1 💚	mvninstall	0m 15s		the patch passed
+1 💚	codespell	0m 28s		No new issues.
+1 💚	compile	0m 14s		the patch passed
+1 💚	javac	0m 14s		the patch passed
+1 💚	blanks	0m 0s		The patch has no blanks issues.
+1 💚	checkstyle	0m 7s		tez-tools/analyzers/job-analyzer: The patch generated 0 new + 1 unchanged - 2 fixed = 1 total (was 3)
+1 💚	javadoc	0m 8s		the patch passed
+1 💚	spotbugs	0m 32s		the patch passed
			_ Other Tests _
+1 💚	unit	2m 15s		job-analyzer in the patch passed.
+1 💚	asflicense	0m 8s		The patch does not generate ASF License warnings.
		18m 47s

Subsystem	Report/Notes
Docker	ClientAPI=1.54 ServerAPI=1.54 base: https://ci-hadoop.apache.org/job/tez-multibranch/job/PR-471/1/artifact/out/Dockerfile
GITHUB PR	#471
Optional Tests	dupname asflicense javac javadoc unit spotbugs checkstyle codespell detsecrets compile
uname	Linux d6a1703388c6 5.15.0-173-generic #183-Ubuntu SMP Fri Mar 6 13:29:34 UTC 2026 x86_64 x86_64 x86_64 GNU/Linux
Build tool	maven
Personality	/home/jenkins/jenkins-home/workspace/tez-multibranch_PR-471/src/.yetus/personality.sh
git revision	master / 49afaf2
Default Java	Ubuntu-21.0.10+7-Ubuntu-124.04
Test Results	https://ci-hadoop.apache.org/job/tez-multibranch/job/PR-471/1/testReport/
Max. process+thread count	841 (vs. ulimit of 5500)
modules	C: tez-tools/analyzers/job-analyzer U: tez-tools/analyzers/job-analyzer
Console output	https://ci-hadoop.apache.org/job/tez-multibranch/job/PR-471/1/console
versions	git=2.43.0 maven=3.8.7 spotbugs=4.9.3 codespell=2.4.1
Powered by	Apache Yetus 0.15.1 https://yetus.apache.org

This message was automatically generated.

[ramitg254]

sure @abstractdog
the before and after behaviour looks something like this:
let's say we shouldn't allow to overwrite a file by providing the corresponding fileName since it is used by fileNames mostly using dagId which will be different for different dags and since this method is public and can be exploitable for file corruption.

before:

after:

similarly the other preventive check ensures the output directory should exist:

before:
shows ls and success of command even after directory doesn't exist:

after:
shows ls and exception since directory doesn't exist:

in the similar fashion other preventive checks works before opening stream for file writes as well

[tez-yetus]

💔 -1 overall

Vote	Subsystem	Runtime	Logfile	Comment
+0 🆗	reexec	0m 11s		Docker mode activated.
			_ Prechecks _
+1 💚	dupname	0m 0s		No case conflicting files found.
+0 🆗	detsecrets	0m 0s		detect-secrets was not available.
+1 💚	@author	0m 0s		The patch does not contain any @author tags.
-1 ❌	test4tests	0m 0s		The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch.
			_ master Compile Tests _
+1 💚	mvninstall	4m 36s		master passed
+1 💚	compile	0m 24s		master passed
+1 💚	checkstyle	0m 27s		master passed
+1 💚	javadoc	0m 21s		master passed
+0 🆗	spotbugs	0m 39s		tez-tools/analyzers/job-analyzer in master has 20 extant spotbugs warnings.
			_ Patch Compile Tests _
+1 💚	mvninstall	0m 15s		the patch passed
+1 💚	codespell	0m 29s		No new issues.
+1 💚	compile	0m 14s		the patch passed
+1 💚	javac	0m 14s		the patch passed
+1 💚	blanks	0m 0s		The patch has no blanks issues.
+1 💚	checkstyle	0m 7s		tez-tools/analyzers/job-analyzer: The patch generated 0 new + 1 unchanged - 2 fixed = 1 total (was 3)
+1 💚	javadoc	0m 8s		the patch passed
+1 💚	spotbugs	0m 32s		the patch passed
			_ Other Tests _
+1 💚	unit	2m 18s		job-analyzer in the patch passed.
+1 💚	asflicense	0m 8s		The patch does not generate ASF License warnings.
		11m 33s

Subsystem	Report/Notes
Docker	ClientAPI=1.54 ServerAPI=1.54 base: https://ci-hadoop.apache.org/job/tez-multibranch/job/PR-471/2/artifact/out/Dockerfile
GITHUB PR	#471
Optional Tests	dupname asflicense javac javadoc unit spotbugs checkstyle codespell detsecrets compile
uname	Linux a0212ecf7353 5.15.0-173-generic #183-Ubuntu SMP Fri Mar 6 13:29:34 UTC 2026 x86_64 x86_64 x86_64 GNU/Linux
Build tool	maven
Personality	/home/jenkins/jenkins-home/workspace/tez-multibranch_PR-471/src/.yetus/personality.sh
git revision	master / 09d348b
Default Java	Ubuntu-21.0.10+7-Ubuntu-124.04
Test Results	https://ci-hadoop.apache.org/job/tez-multibranch/job/PR-471/2/testReport/
Max. process+thread count	850 (vs. ulimit of 5500)
modules	C: tez-tools/analyzers/job-analyzer U: tez-tools/analyzers/job-analyzer
Console output	https://ci-hadoop.apache.org/job/tez-multibranch/job/PR-471/2/console
versions	git=2.43.0 maven=3.8.7 spotbugs=4.9.3 codespell=2.4.1
Powered by	Apache Yetus 0.15.1 https://yetus.apache.org

This message was automatically generated.

[tez-yetus]

💔 -1 overall

Vote	Subsystem	Runtime	Logfile	Comment
+0 🆗	reexec	0m 11s		Docker mode activated.
			_ Prechecks _
+1 💚	dupname	0m 0s		No case conflicting files found.
+0 🆗	detsecrets	0m 0s		detect-secrets was not available.
+1 💚	@author	0m 0s		The patch does not contain any @author tags.
-1 ❌	test4tests	0m 0s		The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch.
			_ master Compile Tests _
-1 ❌	mvninstall	0m 18s	/branch-mvninstall-root.txt	root in master failed.
-1 ❌	compile	0m 18s	/branch-compile-tez-tools_analyzers_job-analyzer.txt	job-analyzer in master failed.
-0 ⚠️	checkstyle	0m 17s	/buildtool-branch-checkstyle-tez-tools_analyzers_job-analyzer.txt	The patch fails to run checkstyle in job-analyzer
-1 ❌	javadoc	0m 18s	/branch-javadoc-tez-tools_analyzers_job-analyzer.txt	job-analyzer in master failed.
-1 ❌	spotbugs	0m 18s	/branch-spotbugs-tez-tools_analyzers_job-analyzer.txt	job-analyzer in master failed.
			_ Patch Compile Tests _
-1 ❌	mvninstall	0m 18s	/patch-mvninstall-tez-tools_analyzers_job-analyzer.txt	job-analyzer in the patch failed.
+1 💚	codespell	0m 6s		No new issues.
-1 ❌	compile	0m 18s	/patch-compile-tez-tools_analyzers_job-analyzer.txt	job-analyzer in the patch failed.
-1 ❌	javac	0m 18s	/patch-compile-tez-tools_analyzers_job-analyzer.txt	job-analyzer in the patch failed.
+1 💚	blanks	0m 0s		The patch has no blanks issues.
-0 ⚠️	checkstyle	0m 11s	/buildtool-patch-checkstyle-tez-tools_analyzers_job-analyzer.txt	The patch fails to run checkstyle in job-analyzer
-1 ❌	javadoc	0m 18s	/patch-javadoc-tez-tools_analyzers_job-analyzer.txt	job-analyzer in the patch failed.
-1 ❌	spotbugs	0m 18s	/patch-spotbugs-tez-tools_analyzers_job-analyzer.txt	job-analyzer in the patch failed.
			_ Other Tests _
-1 ❌	unit	0m 18s	/patch-unit-tez-tools_analyzers_job-analyzer.txt	job-analyzer in the patch failed.
+0 🆗	asflicense	0m 18s		ASF License check generated no output?
		4m 17s

Subsystem	Report/Notes
Docker	ClientAPI=1.54 ServerAPI=1.54 base: https://ci-hadoop.apache.org/job/tez-multibranch/job/PR-471/3/artifact/out/Dockerfile
GITHUB PR	#471
Optional Tests	dupname asflicense javac javadoc unit spotbugs checkstyle codespell detsecrets compile
uname	Linux 646b04eb057e 5.15.0-173-generic #183-Ubuntu SMP Fri Mar 6 13:29:34 UTC 2026 x86_64 x86_64 x86_64 GNU/Linux
Build tool	maven
Personality	/home/jenkins/jenkins-home/workspace/tez-multibranch_PR-471/src/.yetus/personality.sh
git revision	master / 34b7c20
Default Java	Ubuntu-21.0.10+7-Ubuntu-124.04
Test Results	https://ci-hadoop.apache.org/job/tez-multibranch/job/PR-471/3/testReport/
Max. process+thread count	49 (vs. ulimit of 5500)
modules	C: tez-tools/analyzers/job-analyzer U: tez-tools/analyzers/job-analyzer
Console output	https://ci-hadoop.apache.org/job/tez-multibranch/job/PR-471/3/console
versions	git=2.43.0 maven=3.8.7 codespell=2.4.1
Powered by	Apache Yetus 0.15.1 https://yetus.apache.org

This message was automatically generated.

[abstractdog]

Should we check this separately? If the directory isn’t writable by the user, the write will fail anyway, right?

[ramitg254]

this was added for more descriptive exception, but it can be dropped as AccessDeniedException will take care of it. done.

[abstractdog]

nit class formatting: private method ideally goes below the public one

[ramitg254]

done

[abstractdog]

the corresponding code is too obvious, we don't need this comment

[ramitg254]

done

[abstractdog]

the corresponding code is too obvious, we don't need this comment

[ramitg254]

done

[abstractdog]

the corresponding code is too obvious, we don't need this comment

[ramitg254]

done

[abstractdog]

this comment doesn't add more value then looking at the javadoc of Files.newOutputStream, we can remove it I think

[ramitg254]

done

[abstractdog]

thanks @ramitg254, left minor comments
also, can you please add simple unit test cases for what you implemented in validateOutputFile?

[abstractdog]

thanks @ramitg254, left minor comments also, can you please add simple unit test cases for what you implemented in validateOutputFile?

1 more thing to check: I think a path like ../newfile should also not work, because it would let users to write to places where they are not supposed to

[ramitg254]

thanks @ramitg254, left minor comments also, can you please add simple unit test cases for what you implemented in validateOutputFile?

done added

[ramitg254]

1 more thing to check: I think a path like ../newfile should also not work, because it would let users to write to places where they are not supposed to

I think it will be fine as it will be resolved to valid path by getCanonicalFile() before checks are run on it

[abstractdog]

add an extra assertion here for clarity on exception message

[ramitg254]

done

[abstractdog]

1 more thing to check: I think a path like ../newfile should also not work, because it would let users to write to places where they are not supposed to

I think it will be fine as it will be resolved to valid path by getCanonicalFile() before checks are run on it

yeah, it might be the case, but it should be validated with a unit test case also

[ramitg254]

1 more thing to check: I think a path like ../newfile should also not work, because it would let users to write to places where they are not supposed to

I think it will be fine as it will be resolved to valid path by getCanonicalFile() before checks are run on it

yeah, it might be the case, but it should be validated with a unit test case also

done added

[tez-yetus]

🎊 +1 overall

Vote	Subsystem	Runtime	Logfile	Comment
+0 🆗	reexec	0m 10s		Docker mode activated.
			_ Prechecks _
+1 💚	dupname	0m 0s		No case conflicting files found.
+0 🆗	detsecrets	0m 0s		detect-secrets was not available.
+1 💚	@author	0m 0s		The patch does not contain any @author tags.
+1 💚	test4tests	0m 0s		The patch appears to include 1 new or modified test files.
			_ master Compile Tests _
+1 💚	mvninstall	4m 47s		master passed
+1 💚	compile	0m 22s		master passed
+1 💚	checkstyle	0m 25s		master passed
+1 💚	javadoc	0m 19s		master passed
+0 🆗	spotbugs	0m 41s		tez-tools/analyzers/job-analyzer in master has 20 extant spotbugs warnings.
			_ Patch Compile Tests _
+1 💚	mvninstall	0m 16s		the patch passed
+1 💚	codespell	0m 32s		No new issues.
+1 💚	compile	0m 13s		the patch passed
+1 💚	javac	0m 13s		the patch passed
+1 💚	blanks	0m 0s		The patch has no blanks issues.
+1 💚	checkstyle	0m 6s		tez-tools/analyzers/job-analyzer: The patch generated 0 new + 0 unchanged - 2 fixed = 0 total (was 2)
+1 💚	javadoc	0m 8s		the patch passed
+1 💚	spotbugs	0m 32s		the patch passed
			_ Other Tests _
+1 💚	unit	2m 16s		job-analyzer in the patch passed.
+1 💚	asflicense	0m 7s		The patch does not generate ASF License warnings.
		11m 44s

Subsystem	Report/Notes
Docker	ClientAPI=1.54 ServerAPI=1.54 base: https://ci-hadoop.apache.org/job/tez-multibranch/job/PR-471/8/artifact/out/Dockerfile
GITHUB PR	#471
Optional Tests	dupname asflicense javac javadoc unit spotbugs checkstyle codespell detsecrets compile
uname	Linux 84b795afff82 5.15.0-171-generic #181-Ubuntu SMP Fri Feb 6 22:44:50 UTC 2026 x86_64 x86_64 x86_64 GNU/Linux
Build tool	maven
Personality	/home/jenkins/jenkins-home/workspace/tez-multibranch_PR-471@2/src/.yetus/personality.sh
git revision	master / 74eb026
Default Java	Ubuntu-21.0.10+7-Ubuntu-124.04
Test Results	https://ci-hadoop.apache.org/job/tez-multibranch/job/PR-471/8/testReport/
Max. process+thread count	847 (vs. ulimit of 5500)
modules	C: tez-tools/analyzers/job-analyzer U: tez-tools/analyzers/job-analyzer
Console output	https://ci-hadoop.apache.org/job/tez-multibranch/job/PR-471/8/console
versions	git=2.43.0 maven=3.8.7 spotbugs=4.9.3 codespell=2.4.1
Powered by	Apache Yetus 0.15.1 https://yetus.apache.org

This message was automatically generated.

[abstractdog]

I think this unit test mixes 2 different scenarios, which should be thought of separately:

1. whether the user is able to define relative paths with ..
2. whether the user can write to a folder without permissions

2) is clear, and I'm not even insisting on having a test case on that, because it's testing permission handling instead of any of the actual logic you just implemented, right? no matter how you implement validateOutputFile, this is going to pass always, so it doesn't add much value

regarding 1), it's more of a decision whether we want the user to be able to move upwards in the directory structure from the current working dir: I guess it's fine to completely disable that, like we did in TEZ-4659

[ramitg254]

done added like if with use paths like ../ moves upward from the pwd from which process was launched it should throw IO exception

[tez-yetus]

🎊 +1 overall

Vote	Subsystem	Runtime	Logfile	Comment
+0 🆗	reexec	0m 10s		Docker mode activated.
			_ Prechecks _
+1 💚	dupname	0m 0s		No case conflicting files found.
+0 🆗	detsecrets	0m 0s		detect-secrets was not available.
+1 💚	@author	0m 0s		The patch does not contain any @author tags.
+1 💚	test4tests	0m 0s		The patch appears to include 1 new or modified test files.
			_ master Compile Tests _
+1 💚	mvninstall	4m 50s		master passed
+1 💚	compile	0m 21s		master passed
+1 💚	checkstyle	0m 23s		master passed
+1 💚	javadoc	0m 19s		master passed
+0 🆗	spotbugs	0m 37s		tez-tools/analyzers/job-analyzer in master has 20 extant spotbugs warnings.
			_ Patch Compile Tests _
+1 💚	mvninstall	0m 17s		the patch passed
+1 💚	codespell	0m 38s		No new issues.
+1 💚	compile	0m 15s		the patch passed
+1 💚	javac	0m 15s		the patch passed
+1 💚	blanks	0m 0s		The patch has no blanks issues.
+1 💚	checkstyle	0m 8s		tez-tools/analyzers/job-analyzer: The patch generated 0 new + 0 unchanged - 2 fixed = 0 total (was 2)
+1 💚	javadoc	0m 8s		the patch passed
+1 💚	spotbugs	0m 35s		the patch passed
			_ Other Tests _
+1 💚	unit	2m 14s		job-analyzer in the patch passed.
+1 💚	asflicense	0m 7s		The patch does not generate ASF License warnings.
		11m 52s

Subsystem	Report/Notes
Docker	ClientAPI=1.54 ServerAPI=1.54 base: https://ci-hadoop.apache.org/job/tez-multibranch/job/PR-471/9/artifact/out/Dockerfile
GITHUB PR	#471
Optional Tests	dupname asflicense javac javadoc unit spotbugs checkstyle codespell detsecrets compile
uname	Linux 0a6193936eae 5.15.0-171-generic #181-Ubuntu SMP Fri Feb 6 22:44:50 UTC 2026 x86_64 x86_64 x86_64 GNU/Linux
Build tool	maven
Personality	/home/jenkins/jenkins-home/workspace/tez-multibranch_PR-471/src/.yetus/personality.sh
git revision	master / 5973065
Default Java	Ubuntu-21.0.10+7-Ubuntu-124.04
Test Results	https://ci-hadoop.apache.org/job/tez-multibranch/job/PR-471/9/testReport/
Max. process+thread count	856 (vs. ulimit of 5500)
modules	C: tez-tools/analyzers/job-analyzer U: tez-tools/analyzers/job-analyzer
Console output	https://ci-hadoop.apache.org/job/tez-multibranch/job/PR-471/9/console
versions	git=2.43.0 maven=3.8.7 spotbugs=4.9.3 codespell=2.4.1
Powered by	Apache Yetus 0.15.1 https://yetus.apache.org

This message was automatically generated.

[tez-yetus]

🎊 +1 overall

Vote	Subsystem	Runtime	Logfile	Comment
+0 🆗	reexec	14m 50s		Docker mode activated.
			_ Prechecks _
+1 💚	dupname	0m 0s		No case conflicting files found.
+0 🆗	detsecrets	0m 0s		detect-secrets was not available.
+1 💚	@author	0m 0s		The patch does not contain any @author tags.
+1 💚	test4tests	0m 0s		The patch appears to include 1 new or modified test files.
			_ master Compile Tests _
+1 💚	mvninstall	6m 52s		master passed
+1 💚	compile	0m 34s		master passed
+1 💚	checkstyle	0m 33s		master passed
+1 💚	javadoc	0m 26s		master passed
+0 🆗	spotbugs	0m 55s		tez-tools/analyzers/job-analyzer in master has 20 extant spotbugs warnings.
			_ Patch Compile Tests _
+1 💚	mvninstall	0m 22s		the patch passed
+1 💚	codespell	0m 58s		No new issues.
+1 💚	compile	0m 20s		the patch passed
+1 💚	javac	0m 20s		the patch passed
+1 💚	blanks	0m 0s		The patch has no blanks issues.
+1 💚	checkstyle	0m 11s		tez-tools/analyzers/job-analyzer: The patch generated 0 new + 1 unchanged - 2 fixed = 1 total (was 3)
+1 💚	javadoc	0m 10s		the patch passed
+1 💚	spotbugs	0m 51s		the patch passed
			_ Other Tests _
+1 💚	unit	2m 37s		job-analyzer in the patch passed.
+1 💚	asflicense	0m 9s		The patch does not generate ASF License warnings.
		31m 2s

Subsystem	Report/Notes
Docker	ClientAPI=1.54 ServerAPI=1.54 base: https://ci-hadoop.apache.org/job/tez-multibranch/job/PR-471/10/artifact/out/Dockerfile
GITHUB PR	#471
Optional Tests	dupname asflicense javac javadoc unit spotbugs checkstyle codespell detsecrets compile
uname	Linux edcc7737ccca 5.15.0-173-generic #183-Ubuntu SMP Fri Mar 6 13:29:34 UTC 2026 x86_64 x86_64 x86_64 GNU/Linux
Build tool	maven
Personality	/home/jenkins/jenkins-home/workspace/tez-multibranch_PR-471/src/.yetus/personality.sh
git revision	master / ff57529
Default Java	Ubuntu-21.0.10+7-Ubuntu-124.04
Test Results	https://ci-hadoop.apache.org/job/tez-multibranch/job/PR-471/10/testReport/
Max. process+thread count	801 (vs. ulimit of 5500)
modules	C: tez-tools/analyzers/job-analyzer U: tez-tools/analyzers/job-analyzer
Console output	https://ci-hadoop.apache.org/job/tez-multibranch/job/PR-471/10/console
versions	git=2.43.0 maven=3.8.7 spotbugs=4.9.3 codespell=2.4.1
Powered by	Apache Yetus 0.15.1 https://yetus.apache.org

This message was automatically generated.

[abstractdog]

+1