From ae19621230f59a6321ae8ae5d26e674091bad1bf Mon Sep 17 00:00:00 2001
From: Chris Lu
Date: Wed, 28 Jan 2026 12:09:09 -0800
Subject: [PATCH] S3 Tables: validate ARN namespace to prevent path traversal

- Enforce validation on decoded namespace in parseTableFromARN.
- Ensures path components are safe after URL unescaping.
---
 weed/s3api/s3tables/utils.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/weed/s3api/s3tables/utils.go b/weed/s3api/s3tables/utils.go
index 12b180c6d..ccbe31fee 100644
--- a/weed/s3api/s3tables/utils.go
+++ b/weed/s3api/s3tables/utils.go
@@ -43,6 +43,11 @@ func parseTableFromARN(arn string) (bucketName, namespace, tableName string, err
 return "", "", "", fmt.Errorf("invalid namespace encoding in ARN: %v", err)
 }
 
+ _, err = validateNamespace([]string{namespaceUnescaped})
+ if err != nil {
+ return "", "", "", fmt.Errorf("invalid namespace in ARN: %v", err)
+ }
+
 return matches[1], namespaceUnescaped, matches[3], nil
 }
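Review bot: Only the decoded namespace is validated here; `matches[1]` and `matches[3]` are still returned exactly as captured, and the ARN pattern that produced them is outside this hunk, so it is worth confirming that the bucket and table captures cannot carry path separators or dot segments either, or running them through the package's own name checks before the final return. The first result of `validateNamespace` is discarded with `_`; if that result is a normalized form, callers should receive it rather than `namespaceUnescaped`. The new error would be easier to match upstream if it wrapped the cause: `return "", "", "", fmt.Errorf("invalid namespace in ARN: %w", err)`. The commit touches only utils.go, so a test case for a namespace that becomes unsafe only after unescaping would keep this check from regressing. parseTableFromARN begins above the hunk, so the pattern and the unescape call were not reviewed.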