apache/iceberg

`remove_orphan_files` scopes `file_list_view` with raw string prefix matching

Open

#16,493 创建于 2026年5月20日

在 GitHub 查看
 (4 评论) (0 反应) (0 负责人)Java (5,146 star) (1,915 fork)batch import
buggood first issue

描述

This issue was reported to the private Apache Iceberg security mailing list. The submitter is being kept anonymous because the report was sent to a private list. After review, the issue is not considered a serious vulnerability that needs to be kept private, so it is being filed publicly here for tracking and resolution.

Note: this submission was generated by AI. Please review its claims and source references carefully before acting on them.

Summary

Spark scopes file_list_view with raw string prefix matching, letting sibling paths fall inside orphan cleanup.

Affected Maven coordinates

  • versioned integration artifacts: org.apache.iceberg:iceberg-spark-3.4_*, org.apache.iceberg:iceberg-spark-3.5_*, org.apache.iceberg:iceberg-spark-4.0_2.13, org.apache.iceberg:iceberg-spark-4.1_2.13

Attacker prerequisites

  • control over a path, prefix, batch, or file list that sits adjacent to a legitimately scoped prefix
  • ability to trigger the credential-selection or cleanup path with that crafted input

Impact

  • A table location like s3://bucket/table also matches sibling prefixes such as s3://bucket/table-backup/....
  • If the caller supplies a crafted file_list_view, files outside the intended directory can be treated as in-scope and deleted.
  • This weakens scope checks even when the explicit location override is not used.

Proof status

Source review only. The issue is visible directly from source.

Key source references

  • org.apache.iceberg.spark.actions.DeleteOrphanFilesSparkAction

贡献者指南

技术栈
javaspark
领域
backendsecurity
议题类型
bug
难度面向新贡献者的预计实现难度,1 表示很小改动,5 表示专家级工作。
4
预计时间有经验贡献者完成调查、实现、测试并准备 pull request 的粗略时间范围。
1-2 days
活动状态议题当前的可参与程度:新鲜、活跃、陈旧、阻塞或等待维护者输入。
active
清晰度议题是否清楚说明期望改动、验收标准和下一步。
mostly clear
前置要求
Familiarity with Apache IcebergUnderstanding of Spark actionsKnowledge of S3 path semantics
新手友好度1-100 的估计分数,表示该议题对首次贡献者的友好程度。
10
研究方向
The issue is in `org.apache.iceberg.spark.actions.DeleteOrphanFilesSparkAction`, where `file list view` is scoped using raw string prefix matching, allowing sibling paths like `s3://bucket/table backup` to be matched incorrectly. To fix, implement proper path prefix checking (e.g., ensuring trailing slash or using a dedicated path matcher). Review the linked source and consider adding unit tests for edge cases with adjacent prefixes. No maintainer clarification needed as the vulnerability is well described.
`remove_orphan_files` scopes `file_list_view` with raw string prefix matching · apache/iceberg#16493 | Good First Issue