s3tables: Fix parseTableFromARN() namespace and table name validation

- Remove dead URL unescape for namespace (regex [a-z0-9_]+ cannot contain percent-escapes) - Add URL decoding and validation of extracted table name via validateTableName() to prevent callers from bypassing request validation done in other paths
4 days ago · 191a858e72
1 changed files with 11 additions and 7 deletions
--- a/weed/s3api/s3tables/utils.go
+++ b/weed/s3api/s3tables/utils.go
@ -46,18 +46,22 @@ func parseTableFromARN(arn string) (bucketName, namespace, tableName string, err
 		return "", "", "", fmt.Errorf("invalid table ARN: %s", arn)
 	}

-	// URL decode the namespace from the ARN path component
-	namespaceUnescaped, err := url.PathUnescape(matches[2])
+	// Namespace is already constrained by the regex; validate it directly.
+	namespace = matches[2]
+	_, err = validateNamespace([]string{namespace})
 	if err != nil {
-		return "", "", "", fmt.Errorf("invalid namespace encoding in ARN: %v", err)
+		return "", "", "", fmt.Errorf("invalid namespace in ARN: %v", err)
 	}

-	_, err = validateNamespace([]string{namespaceUnescaped})
+	// URL decode and validate the table name from the ARN path component
+	tableNameUnescaped, err := url.PathUnescape(matches[3])
 	if err != nil {
-		return "", "", "", fmt.Errorf("invalid namespace in ARN: %v", err)
+		return "", "", "", fmt.Errorf("invalid table name encoding in ARN: %v", err)
 	}
-
-	return matches[1], namespaceUnescaped, matches[3], nil
+	if _, err := validateTableName(tableNameUnescaped); err != nil {
+		return "", "", "", fmt.Errorf("invalid table name in ARN: %v", err)
+	}
+	return matches[1], namespace, tableNameUnescaped, nil
 }

 // Path helpers