refactor: extract confined_join by erickguan · Pull Request #7712 · apache/opendal

erickguan · 2026-06-09T02:57:59Z

Which issue does this PR close?

Complement to #7702. Merge after #7702

Rationale for this change

Better code cohesion and documentation.

What changes are included in this PR?

extraction of confined_join

Are there any user-facing changes?

None

AI Usage Statement

No

tonghuaroot

confined_join rejects .. traversal but does not guard against absolute paths. On Unix, PathBuf::join with an absolute argument replaces the base entirely:

let base = Path::new("/data/root");
assert_eq!(base.join("/etc/passwd"), Path::new("/etc/passwd")); // escapes root

I know normalize_path strips the leading / before keys reach the backend, but since confined_join is now a public API in core, it would be safer to also reject Component::RootDir (and Component::Prefix on Windows) so the function is self-contained and doesn't rely on callers to sanitize input.

erickguan · 2026-06-10T15:12:44Z

@tonghuaroot Good point! Anything in core/src/raw are private APIs subject to our changes. We apply normalize_path in Operator before a service sees the path. But I can see confined_join rather confusing for service maintainers.

From OpenDAL users perspective, trying something with "/etc/passwd" should never work when root is /root:

let op = Operator::new("fs", "/root")?.finish(); # pesudo code
op.read("/etc/passwd").await?; # We don't have access to this file.

normalize_path strips the leading / before keys reach the backend

normalize_path has a corner case which will return "/" when path is empty. This will also break the confined_join as you pointed out PathBuf::join will replace path with an absolute path. So a safer choice would be to reject absolute path except "/".

    let trimmed = path.trim_end_matches('/');
    if trimmed == "" {
        return Ok(base)
    }
    if Path::new(trimmed)
        .components()
        .any(|c| matches!(c, Component::ParentDir))
    {
        return Err(Error::new(
            ErrorKind::NotFound,
            "path escapes the configured root via `..`",
        )
        .with_context("path", path));
    }
    Ok(base.join(normalized))
}

Another problem is that we are losing information from this API. e.g. when we have a path dir/, our function strips the information. I believe some services rely on the trailing / so this is still not of satisfactory.

erickguan requested a review from Xuanwo as a code owner June 9, 2026 02:57

dosubot Bot added size:L This PR changes 100-499 lines, ignoring generated files. releases-note/refactor The PR does a refactor on code or has a title that begins with "refactor" labels Jun 9, 2026

erickguan mentioned this pull request Jun 9, 2026

fix(services): confine compfs/monoiofs object keys to root by rejecting parent-dir traversal #7702

Merged

Use confined_join and root_join across services

5230cd2

tonghuaroot reviewed Jun 10, 2026

View reviewed changes

erickguan force-pushed the fix/confine-compfs-monoiofs-root branch from 3b7a7f4 to 5230cd2 Compare June 10, 2026 14:39

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

refactor: extract confined_join#7712

refactor: extract confined_join#7712
erickguan wants to merge 1 commit into
mainfrom
fix/confine-compfs-monoiofs-root

erickguan commented Jun 9, 2026

Uh oh!

tonghuaroot left a comment

Uh oh!

erickguan commented Jun 10, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

erickguan commented Jun 9, 2026

Which issue does this PR close?

Rationale for this change

What changes are included in this PR?

Are there any user-facing changes?

AI Usage Statement

Uh oh!

tonghuaroot left a comment

Choose a reason for hiding this comment

Uh oh!

erickguan commented Jun 10, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants