diff --git a/src/Storages/ObjectStorage/DataLakes/Iceberg/Utils.cpp b/src/Storages/ObjectStorage/DataLakes/Iceberg/Utils.cpp index 6f79801514e6..9fccedda4dff 100644 --- a/src/Storages/ObjectStorage/DataLakes/Iceberg/Utils.cpp +++ b/src/Storages/ObjectStorage/DataLakes/Iceberg/Utils.cpp @@ -1158,6 +1158,8 @@ MetadataFileWithInfo getLatestOrExplicitMetadataFileAndVersion( if (data_lake_settings[DataLakeStorageSetting::iceberg_metadata_file_path].changed) { auto explicit_metadata_path = data_lake_settings[DataLakeStorageSetting::iceberg_metadata_file_path].value; + if (explicit_metadata_path.find('\0') != String::npos) + throw Exception(ErrorCodes::BAD_ARGUMENTS, "Iceberg metadata file path contains a null byte"); LOG_TEST(log, "Explicit metadata file path is specified {}, will read from this metadata file", explicit_metadata_path); std::filesystem::path p(explicit_metadata_path); auto it = p.begin(); diff --git a/tests/integration/test_storage_iceberg_with_spark/test_metadata_file_path_security.py b/tests/integration/test_storage_iceberg_with_spark/test_metadata_file_path_security.py index 15a2b5c92ca6..32d6c34e8071 100644 --- a/tests/integration/test_storage_iceberg_with_spark/test_metadata_file_path_security.py +++ b/tests/integration/test_storage_iceberg_with_spark/test_metadata_file_path_security.py @@ -50,7 +50,7 @@ def test_metadata_file_path_security(started_cluster_iceberg_with_spark): ) # Test 2: Null byte injection should be rejected - with pytest.raises(Exception, match = "ICEBERG_SPECIFICATION_VIOLATION"): + with pytest.raises(Exception, match = "BAD_ARGUMENTS"): create_iceberg_table( "local", instance, @@ -60,7 +60,7 @@ def test_metadata_file_path_security(started_cluster_iceberg_with_spark): ) # Test 3: Null byte in middle of path should be rejected - with pytest.raises(Exception, match = "PATH_ACCESS_DENIED"): + with pytest.raises(Exception, match = "BAD_ARGUMENTS"): create_iceberg_table( "local", instance,