From c98886a9e26afa67b3d01bdcb87b0168d764859c Mon Sep 17 00:00:00 2001
From: cuiruibin <cuiruibin3@h-partners.com>
Date: Mon, 11 Aug 2025 14:41:26 +0800
Subject: [PATCH] =?UTF-8?q?AFS=E8=B7=AF=E5=BE=84=E6=A0=A1=E9=AA=8C?=
 =?UTF-8?q?=E5=8A=A0=E5=9B=BA=20Signed-off-by:=20cuiruibin=20<cuiruibin3@h?=
 =?UTF-8?q?-partners.com>?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 interfaces/common/src/sandbox_helper.cpp      |  4 +++
 .../file_share_native/file_share_test.cpp     | 29 +++++++++++++++++++
 2 files changed, 33 insertions(+)

diff --git a/interfaces/common/src/sandbox_helper.cpp b/interfaces/common/src/sandbox_helper.cpp
index d0a2e6f55..221df95e1 100644
--- a/interfaces/common/src/sandbox_helper.cpp
+++ b/interfaces/common/src/sandbox_helper.cpp
@@ -518,6 +518,10 @@ int32_t SandboxHelper::GetBackupPhysicalPath(const std::string &fileUri, const s
 
 bool SandboxHelper::IsValidPath(const std::string &filePath)
 {
+    if (std::any_of(filePath.begin(), filePath.end(), [](char c) { return c == '\0'; })) {
+        LOGE("Relative path is not allowed, path contains a truncation character");
+        return false;
+    }
     size_t pos = filePath.find(PATH_INVALID_FLAG1);
     while (pos != string::npos) {
         if (pos == 0 || filePath[pos - 1] == BACKSLASH) {
diff --git a/test/unittest/file_share_native/file_share_test.cpp b/test/unittest/file_share_native/file_share_test.cpp
index 8b05e4b54..e5d3990e8 100644
--- a/test/unittest/file_share_native/file_share_test.cpp
+++ b/test/unittest/file_share_native/file_share_test.cpp
@@ -581,6 +581,35 @@ HWTEST_F(FileShareTest, File_share_IsValidPath_0002, testing::ext::TestSize.Leve
     GTEST_LOG_(INFO) << "FileShareTest-end File_share_IsValidPath_0002";
 }
 
+/**
+ * @tc.name: File_share_IsValidPath_0003
+ * @tc.desc: Test function of CheckValidPath() interface for FAILURE.
+ * @tc.size: MEDIUM
+ * @tc.type: FUNC
+ * @tc.level Level 1
+ * @tc.require: I7PDZL
+ */
+HWTEST_F(FileShareTest, File_share_IsValidPath_0003, testing::ext::TestSize.Level1)
+{
+    GTEST_LOG_(INFO) << "FileShareTest-begin File_share_IsValidPath_0003";
+    bool result = SandboxHelper::IsValidPath({"/test/\0test", 11});
+    EXPECT_FALSE(result);
+    result = SandboxHelper::IsValidPath({"/test/test/\0", 12});
+    EXPECT_FALSE(result);
+    result = SandboxHelper::IsValidPath({"/test\00/test", 11});
+    EXPECT_FALSE(result);
+    result = SandboxHelper::IsValidPath({"/test/test/\00", 12});
+    EXPECT_FALSE(result);
+    result = SandboxHelper::IsValidPath({"/test/\x0test", 11});
+    EXPECT_FALSE(result);
+    result = SandboxHelper::IsValidPath({"/test/test/\x0", 12});
+    EXPECT_FALSE(result);
+
+    result = SandboxHelper::IsValidPath("test/0/00/\test");
+    EXPECT_TRUE(result);
+    GTEST_LOG_(INFO) << "FileShareTest-end File_share_IsValidPath_0003";
+}
+
 /**
  * @tc.name: File_share_GetBackupPhysicalPath_0001
  * @tc.desc: Test function of GetBackupPhysicalPath() interface for SUCCESS.
-- 
Gitee