Posted to dev@phoenix.apache.org by "Josh Elser (JIRA)" <ji...@apache.org> on 2017/09/09 04:49:00 UTC

[jira] [Commented] (PHOENIX-4189) Avoid direct use of ObjectInputStream in Hive integration

    [ https://issues.apache.org/jira/browse/PHOENIX-4189?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16159740#comment-16159740 ] 

Josh Elser commented on PHOENIX-4189:
-------------------------------------

The static inner-class LookAheadObjectInputStream on PrimaryKeyData is the one that is a little hokey.

While it makes sense when the PrimaryKeyData object is deserialized, the members are also deserialized through that method: {{HashMap}}, {{String}}, and all of the values in the {{Map}}.

I can't seem to be able to get the HiveITs running on my laptop (with master). Let's see what QA says.

> Avoid direct use of ObjectInputStream in Hive integration
> ---------------------------------------------------------
>
>                 Key: PHOENIX-4189
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-4189
>             Project: Phoenix
>          Issue Type: Bug
>            Reporter: Josh Elser
>            Assignee: Josh Elser
>             Fix For: 4.12.0
>
>         Attachments: PHOENIX-4189.001.patch
>
>
> Another security scan ding, but not a very big concern.
> We use ObjectInputStream to serialize/deserialize a Map which contains the columns+values of the primary key constraint. The problem with ObjectInputStream is that it doesn't care what Class it deserializes. If a malicious user can somehow coerce some unknowing user to use an InputSplit that has this specially crafted class, we can get into an arbitrary code execution.
> https://www.ibm.com/developerworks/library/se-lookahead/ outlines a way to work around this issue in code, but it leaves a bit to be desired. The ObjectInputStream recursively calls itself as it deserializes the fields in the Object. By trusting some classes from the packages java.lang, java.util, and java.sql, I believe we can remove this minor concern.
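
The look-ahead approach the issue describes, as an added stand-alone example rather than Phoenix's own PrimaryKeyData code: an ObjectInputStream subclass that overrides resolveClass and only admits classes from java.lang, java.util and java.sql plus one known container type. Because resolveClass is invoked for every class descriptor in the stream before any instance is allocated, the check also covers the members the comment above mentions (the HashMap, its String keys and every value) without extra work. PkData, Untrusted, LookAheadObjectInputStream and isTrusted are hypothetical names chosen for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.HashMap;
import java.util.Map;

public class LookAheadDeserializationExample {

    // Stand-in for a primary-key container (hypothetical, not Phoenix's PrimaryKeyData):
    // a map of column name -> value, serialized with Java serialization.
    static final class PkData implements Serializable {
        private static final long serialVersionUID = 1L;
        final Map<String, Object> values;
        PkData(Map<String, Object> values) { this.values = values; }
    }

    // A serializable type that is deliberately NOT on the allow list; it stands in for
    // the "specially crafted class" an attacker would plant in a stream.
    static final class Untrusted implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    // Packages trusted for deserialization (the ones named in the issue). Note the trailing
    // dot: "java.lang." does not match a class in a package merely starting with "java.lang".
    static final String[] TRUSTED_PACKAGES = {"java.lang.", "java.util.", "java.sql."};

    // Allow-list decision. Array descriptors ("[Ljava.lang.String;") are rejected as written;
    // extend this if the data model legitimately carries arrays.
    static boolean isTrusted(String className) {
        if (className.equals(PkData.class.getName())) {
            return true;
        }
        for (String pkg : TRUSTED_PACKAGES) {
            if (className.startsWith(pkg)) {
                return true;
            }
        }
        return false;
    }

    // The look-ahead stream: reject the class descriptor before the object is instantiated.
    static final class LookAheadObjectInputStream extends ObjectInputStream {
        LookAheadObjectInputStream(InputStream in) throws IOException { super(in); }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            // Called for every class in the stream, including nested field types,
            // so the check applies recursively through the Map and its values.
            if (!isTrusted(name)) {
                throw new InvalidClassException(name, "class not on the deserialization allow list");
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new LookAheadObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample primary key: values from java.lang and java.sql inside a java.util map.
        Map<String, Object> pk = new HashMap<>();
        pk.put("id", 42L);
        pk.put("name", "alice");
        pk.put("created", new java.sql.Timestamp(0L));

        PkData back = (PkData) deserialize(serialize(new PkData(pk)));
        System.out.println("trusted round trip: " + back.values);

        // The unlisted class is refused before readObject can construct it.
        try {
            deserialize(serialize(new Untrusted()));
            System.out.println("unexpected: untrusted class accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac LookAheadDeserializationExample.java && java LookAheadDeserializationExample`. The first call prints the round-tripped map; the second is rejected with an InvalidClassException naming the Untrusted class. Two points worth keeping in mind when applying this pattern: the allow list should stay as narrow as the data model permits, since java.util and java.sql are broad packages, and on Java 9 and later the same policy can be expressed with the built-in ObjectInputFilter (JEP 290), for example via ObjectInputFilter.Config.createFilter("java.lang.*;java.util.*;java.sql.*;!*") passed to ObjectInputStream.setObjectInputFilter, which also lets you cap stream depth and array sizes.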



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)