From 801ff1c38a433635280f565177fe08870433c2b3 Mon Sep 17 00:00:00 2001
From: Alexey Milovidov <milovidov@clickhouse.com>
Date: Sat, 21 Mar 2026 22:04:28 +0100
Subject: [PATCH] Merge pull request #100283 from
 ClickHouse/fix-iceberg-null-byte-in-path

Validate Iceberg metadata file path for null bytes
---
 src/Storages/ObjectStorage/DataLakes/Iceberg/Utils.cpp        | 2 ++
 .../test_metadata_file_path_security.py                       | 4 ++--
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/Storages/ObjectStorage/DataLakes/Iceberg/Utils.cpp b/src/Storages/ObjectStorage/DataLakes/Iceberg/Utils.cpp
index 6f79801514e6..9fccedda4dff 100644
--- a/src/Storages/ObjectStorage/DataLakes/Iceberg/Utils.cpp
+++ b/src/Storages/ObjectStorage/DataLakes/Iceberg/Utils.cpp
@@ -1158,6 +1158,8 @@ MetadataFileWithInfo getLatestOrExplicitMetadataFileAndVersion(
     if (data_lake_settings[DataLakeStorageSetting::iceberg_metadata_file_path].changed)
     {
         auto explicit_metadata_path = data_lake_settings[DataLakeStorageSetting::iceberg_metadata_file_path].value;
+        if (explicit_metadata_path.find('\0') != String::npos)
+            throw Exception(ErrorCodes::BAD_ARGUMENTS, "Iceberg metadata file path contains a null byte");
         LOG_TEST(log, "Explicit metadata file path is specified {}, will read from this metadata file", explicit_metadata_path);
         std::filesystem::path p(explicit_metadata_path);
         auto it = p.begin();
diff --git a/tests/integration/test_storage_iceberg_with_spark/test_metadata_file_path_security.py b/tests/integration/test_storage_iceberg_with_spark/test_metadata_file_path_security.py
index 15a2b5c92ca6..32d6c34e8071 100644
--- a/tests/integration/test_storage_iceberg_with_spark/test_metadata_file_path_security.py
+++ b/tests/integration/test_storage_iceberg_with_spark/test_metadata_file_path_security.py
@@ -50,7 +50,7 @@ def test_metadata_file_path_security(started_cluster_iceberg_with_spark):
         )
 
     # Test 2: Null byte injection should be rejected
-    with pytest.raises(Exception, match = "ICEBERG_SPECIFICATION_VIOLATION"):
+    with pytest.raises(Exception, match = "BAD_ARGUMENTS"):
         create_iceberg_table(
             "local",
             instance,
@@ -60,7 +60,7 @@ def test_metadata_file_path_security(started_cluster_iceberg_with_spark):
         )
 
     # Test 3: Null byte in middle of path should be rejected
-    with pytest.raises(Exception, match = "PATH_ACCESS_DENIED"):
+    with pytest.raises(Exception, match = "BAD_ARGUMENTS"):
         create_iceberg_table(
             "local",
             instance,