From fb4fb8b082d6134bf544a7d930ea7ae4ff270ecc Mon Sep 17 00:00:00 2001
From: Chris Lu <chris.lu@gmail.com>
Date: Wed, 28 Jan 2026 16:20:49 -0800
Subject: [PATCH] s3tables: Validate bucket name in parseBucketNameFromARN()

Enforce the same bucket name validation rules (length, characters, reserved
prefixes/suffixes) when extracting from ARN. This prevents accepting ARNs
that the system would never create and ensures consistency with
CreateTableBucket validation.
---
 weed/s3api/s3tables/utils.go | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/weed/s3api/s3tables/utils.go b/weed/s3api/s3tables/utils.go
index 5cf218c13..6fac9bb48 100644
--- a/weed/s3api/s3tables/utils.go
+++ b/weed/s3api/s3tables/utils.go
@@ -30,7 +30,11 @@ func parseBucketNameFromARN(arn string) (string, error) {
 	if len(matches) != 2 {
 		return "", fmt.Errorf("invalid bucket ARN: %s", arn)
 	}
-	return matches[1], nil
+	bucketName := matches[1]
+	if !isValidBucketName(bucketName) {
+		return "", fmt.Errorf("invalid bucket name in ARN: %s", bucketName)
+	}
+	return bucketName, nil
 }
 
 // parseTableFromARN extracts bucket name, namespace, and table name from ARN