[fix][sec] Prevent path traversal in PackageName toRestPath (apache#25628)

Author: Praveenkumar76

pulsar-package-management/core/src/main/java/org/apache/pulsar/packages/management/core/common/PackageName.java

@@ -18,11 +18,13 @@
  */
 package org.apache.pulsar.packages.management.core.common;
 
+import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.Splitter;
 import com.google.common.base.Strings;
 import com.google.common.cache.CacheBuilder;
 import com.google.common.cache.CacheLoader;
 import com.google.common.cache.LoadingCache;
+import com.google.common.net.UrlEscapers;
 import java.util.List;
 import java.util.Objects;
 import java.util.concurrent.ExecutionException;
@@ -107,6 +109,18 @@ private PackageName(String packageName) {
             String.format("%s://%s/%s/%s@%s", type.toString(), tenant, namespace, name, version);
     }
 
+    @VisibleForTesting
+    PackageName(PackageType type, String tenant, String namespace, String name, String version) {
+        this.type = type;
+        this.tenant = tenant;
+        this.namespace = namespace;
+        this.name = name;
+        this.version = version;
+        this.completeName = String.format("%s/%s/%s", tenant, namespace, name);
+        this.completePackageName =
+                String.format("%s://%s/%s/%s@%s", type.toString(), tenant, namespace, name, version);
+    }
+
     public PackageType getPkgType() {
         return this.type;
     }
@@ -136,7 +150,14 @@ public String toString() {
     }
 
     public String toRestPath() {
-        return String.format("%s/%s/%s/%s/%s", type, tenant, namespace, name, version);
+        // Use Guava's URL path segment escaper to safely encode each segment and prevent path traversal (CWE-22).
+        var escaper = UrlEscapers.urlPathSegmentEscaper();
+        return String.format("%s/%s/%s/%s/%s",
+                type.toString(),
+                escaper.escape(tenant),
+                escaper.escape(namespace),
+                escaper.escape(name),
+                escaper.escape(version));
     }
 
     @Override

pulsar-package-management/core/src/test/java/org/apache/pulsar/packages/management/core/common/PackageNameTest.java

@@ -116,4 +116,27 @@ public void testPackageNameErrors() {
         PackageName name = PackageName.get("function://public/default/test");
         Assert.assertEquals("function://public/default/test@latest", name.toString());
     }
+
+    @Test
+    public void testPathTraversalBypassConstructor() throws Exception {
+        // Use the package-private constructor annotated with @VisibleForTesting
+        // to inject a traversal payload directly, bypassing normal Splitter validation.
+        PackageName packageName = new PackageName(
+                PackageType.FUNCTION,
+                "tenant-a/../../system-tenant",
+                "ns",
+                "name",
+                "v1"
+        );
+
+        // Verify that path separators in package components are percent-encoded in the generated REST path.
+        String expectedSafePath = "function/tenant-a%2F..%2F..%2Fsystem-tenant/ns/name/v1";
+
+        // Invoke the method under test
+        String actualPath = packageName.toRestPath();
+
+        // This assertion verifies that traversal characters are encoded rather than emitted as raw slashes.
+        Assert.assertEquals(actualPath, expectedSafePath,
+                "The toRestPath method must encode path traversal characters in package components.");
+    }
 }