[GitHub] spark pull request #16681: [SPARK-19334][SQL]Fix the code injection vulnerab...

[sarutak <gi...@git.apache.org>]

GitHub user sarutak opened a pull request:

    https://github.com/apache/spark/pull/16681

    [SPARK-19334][SQL]Fix the code injection vulnerability related to Generator functions.

    ## What changes were proposed in this pull request?
    
    Similar to SPARK-15165, codegen is in danger of arbitrary code injection. The root cause is how variable names are created by codegen.
    In GenerateExec#codeGenAccessor, a variable name is created like as follows.
    
    ```
    val value = ctx.freshName(name)
    ```
    
    The variable `value` is named based on the value of the variable `name` and the value of `name` is from schema given by user so an attacker can attack with queries like as follows.
    
    ```
    SELECT inline(array(cast(struct(1) AS struct<`=new Object() { {f();} public void f() {throw new RuntimeException("This exception is injected.");} public int x;}.x`:int>)))
    ```
    
    In the example above, a RuntimeException is thrown but attacker can replace it with arbitrary code.
    
    ## How was this patch tested?
    
    Added a new test case.


You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/sarutak/spark SPARK-19334

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/spark/pull/16681.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #16681
    
----

----


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

---------------------------------------------------------------------
To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org
For additional commands, e-mail: reviews-help@spark.apache.org

[GitHub] spark issue #16681: [SPARK-19334][SQL]Fix the code injection vulnerability r...

[SparkQA <gi...@git.apache.org>]

Github user SparkQA commented on the issue:

    https://github.com/apache/spark/pull/16681
  
    **[Test build #71859 has started](https://amplab.cs.berkeley.edu/jenkins/job/SparkPullRequestBuilder/71859/testReport)** for PR 16681 at commit [`c01e077`](https://github.com/apache/spark/commit/c01e0770694f3eef385503ad5eba1257dcc0b73c).


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

---------------------------------------------------------------------
To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org
For additional commands, e-mail: reviews-help@spark.apache.org

[GitHub] spark issue #16681: [SPARK-19334][SQL]Fix the code injection vulnerability r...

[AmplabJenkins <gi...@git.apache.org>]

Github user AmplabJenkins commented on the issue:

    https://github.com/apache/spark/pull/16681
  
    Test PASSed.
    Refer to this link for build results (access rights to CI server needed): 
    https://amplab.cs.berkeley.edu/jenkins//job/SparkPullRequestBuilder/71859/
    Test PASSed.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

---------------------------------------------------------------------
To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org
For additional commands, e-mail: reviews-help@spark.apache.org

[GitHub] spark pull request #16681: [SPARK-19334][SQL]Fix the code injection vulnerab...

[hvanhovell <gi...@git.apache.org>]

Github user hvanhovell commented on a diff in the pull request:

    https://github.com/apache/spark/pull/16681#discussion_r97386404
  
    --- Diff: sql/core/src/main/scala/org/apache/spark/sql/execution/GenerateExec.scala ---
    @@ -181,7 +181,13 @@ case class GenerateExec(
             val row = codeGenAccessor(ctx, data.value, "col", index, st, nullable, checks)
             val fieldChecks = checks ++ optionalCode(nullable, row.isNull)
             val columns = st.fields.toSeq.zipWithIndex.map { case (f, i) =>
    -          codeGenAccessor(ctx, row.value, f.name, i.toString, f.dataType, f.nullable, fieldChecks)
    +          codeGenAccessor(
    +            ctx,
    +            row.value,
    +            s"st_col${i}",
    +            i.toString,
    +            f.dataType,
    +            f.nullable, fieldChecks)
    --- End diff --
    
    Nit: new line.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

---------------------------------------------------------------------
To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org
For additional commands, e-mail: reviews-help@spark.apache.org

[GitHub] spark issue #16681: [SPARK-19334][SQL]Fix the code injection vulnerability r...

[SparkQA <gi...@git.apache.org>]

Github user SparkQA commented on the issue:

    https://github.com/apache/spark/pull/16681
  
    **[Test build #71883 has finished](https://amplab.cs.berkeley.edu/jenkins/job/SparkPullRequestBuilder/71883/testReport)** for PR 16681 at commit [`081d4ef`](https://github.com/apache/spark/commit/081d4efdfb96b4d8216a8cb8c7ff03518f5a13c4).
     * This patch passes all tests.
     * This patch merges cleanly.
     * This patch adds no public classes.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

---------------------------------------------------------------------
To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org
For additional commands, e-mail: reviews-help@spark.apache.org

[GitHub] spark issue #16681: [SPARK-19334][SQL]Fix the code injection vulnerability r...

[AmplabJenkins <gi...@git.apache.org>]

Github user AmplabJenkins commented on the issue:

    https://github.com/apache/spark/pull/16681
  
    Merged build finished. Test PASSed.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

---------------------------------------------------------------------
To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org
For additional commands, e-mail: reviews-help@spark.apache.org

[GitHub] spark issue #16681: [SPARK-19334][SQL]Fix the code injection vulnerability r...

[SparkQA <gi...@git.apache.org>]

Github user SparkQA commented on the issue:

    https://github.com/apache/spark/pull/16681
  
    **[Test build #71857 has started](https://amplab.cs.berkeley.edu/jenkins/job/SparkPullRequestBuilder/71857/testReport)** for PR 16681 at commit [`2ae7efc`](https://github.com/apache/spark/commit/2ae7efcb5b03512acb8dd70c4d6b8ae0aaddb2de).


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

---------------------------------------------------------------------
To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org
For additional commands, e-mail: reviews-help@spark.apache.org

[GitHub] spark issue #16681: [SPARK-19334][SQL]Fix the code injection vulnerability r...

[AmplabJenkins <gi...@git.apache.org>]

Github user AmplabJenkins commented on the issue:

    https://github.com/apache/spark/pull/16681
  
    Test PASSed.
    Refer to this link for build results (access rights to CI server needed): 
    https://amplab.cs.berkeley.edu/jenkins//job/SparkPullRequestBuilder/71883/
    Test PASSed.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

---------------------------------------------------------------------
To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org
For additional commands, e-mail: reviews-help@spark.apache.org

[GitHub] spark pull request #16681: [SPARK-19334][SQL]Fix the code injection vulnerab...

[sarutak <gi...@git.apache.org>]

Github user sarutak commented on a diff in the pull request:

    https://github.com/apache/spark/pull/16681#discussion_r97460261
  
    --- Diff: sql/core/src/main/scala/org/apache/spark/sql/execution/GenerateExec.scala ---
    @@ -181,7 +181,13 @@ case class GenerateExec(
             val row = codeGenAccessor(ctx, data.value, "col", index, st, nullable, checks)
             val fieldChecks = checks ++ optionalCode(nullable, row.isNull)
             val columns = st.fields.toSeq.zipWithIndex.map { case (f, i) =>
    -          codeGenAccessor(ctx, row.value, f.name, i.toString, f.dataType, f.nullable, fieldChecks)
    +          codeGenAccessor(
    +            ctx,
    +            row.value,
    +            s"st_col${i}",
    +            i.toString,
    +            f.dataType,
    +            f.nullable, fieldChecks)
    --- End diff --
    
    Thanks. I've fixed it.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

---------------------------------------------------------------------
To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org
For additional commands, e-mail: reviews-help@spark.apache.org

[GitHub] spark pull request #16681: [SPARK-19334][SQL]Fix the code injection vulnerab...

[asfgit <gi...@git.apache.org>]

Github user asfgit closed the pull request at:

    https://github.com/apache/spark/pull/16681


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

---------------------------------------------------------------------
To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org
For additional commands, e-mail: reviews-help@spark.apache.org

[GitHub] spark issue #16681: [SPARK-19334][SQL]Fix the code injection vulnerability r...

[AmplabJenkins <gi...@git.apache.org>]

Github user AmplabJenkins commented on the issue:

    https://github.com/apache/spark/pull/16681
  
    Merged build finished. Test PASSed.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

---------------------------------------------------------------------
To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org
For additional commands, e-mail: reviews-help@spark.apache.org

[GitHub] spark issue #16681: [SPARK-19334][SQL]Fix the code injection vulnerability r...

[SparkQA <gi...@git.apache.org>]

Github user SparkQA commented on the issue:

    https://github.com/apache/spark/pull/16681
  
    **[Test build #71857 has finished](https://amplab.cs.berkeley.edu/jenkins/job/SparkPullRequestBuilder/71857/testReport)** for PR 16681 at commit [`2ae7efc`](https://github.com/apache/spark/commit/2ae7efcb5b03512acb8dd70c4d6b8ae0aaddb2de).
     * This patch passes all tests.
     * This patch merges cleanly.
     * This patch adds no public classes.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

---------------------------------------------------------------------
To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org
For additional commands, e-mail: reviews-help@spark.apache.org

[GitHub] spark issue #16681: [SPARK-19334][SQL]Fix the code injection vulnerability r...

[AmplabJenkins <gi...@git.apache.org>]

Github user AmplabJenkins commented on the issue:

    https://github.com/apache/spark/pull/16681
  
    Merged build finished. Test PASSed.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

---------------------------------------------------------------------
To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org
For additional commands, e-mail: reviews-help@spark.apache.org

[GitHub] spark issue #16681: [SPARK-19334][SQL]Fix the code injection vulnerability r...

[SparkQA <gi...@git.apache.org>]

Github user SparkQA commented on the issue:

    https://github.com/apache/spark/pull/16681
  
    **[Test build #71883 has started](https://amplab.cs.berkeley.edu/jenkins/job/SparkPullRequestBuilder/71883/testReport)** for PR 16681 at commit [`081d4ef`](https://github.com/apache/spark/commit/081d4efdfb96b4d8216a8cb8c7ff03518f5a13c4).


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

---------------------------------------------------------------------
To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org
For additional commands, e-mail: reviews-help@spark.apache.org

[GitHub] spark issue #16681: [SPARK-19334][SQL]Fix the code injection vulnerability r...

[hvanhovell <gi...@git.apache.org>]

Github user hvanhovell commented on the issue:

    https://github.com/apache/spark/pull/16681
  
    LGTM. Merging to master. Thanks!


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

---------------------------------------------------------------------
To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org
For additional commands, e-mail: reviews-help@spark.apache.org

[GitHub] spark issue #16681: [SPARK-19334][SQL]Fix the code injection vulnerability r...

[SparkQA <gi...@git.apache.org>]

Github user SparkQA commented on the issue:

    https://github.com/apache/spark/pull/16681
  
    **[Test build #71859 has finished](https://amplab.cs.berkeley.edu/jenkins/job/SparkPullRequestBuilder/71859/testReport)** for PR 16681 at commit [`c01e077`](https://github.com/apache/spark/commit/c01e0770694f3eef385503ad5eba1257dcc0b73c).
     * This patch passes all tests.
     * This patch merges cleanly.
     * This patch adds no public classes.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

---------------------------------------------------------------------
To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org
For additional commands, e-mail: reviews-help@spark.apache.org

[GitHub] spark issue #16681: [SPARK-19334][SQL]Fix the code injection vulnerability r...

[AmplabJenkins <gi...@git.apache.org>]

Github user AmplabJenkins commented on the issue:

    https://github.com/apache/spark/pull/16681
  
    Test PASSed.
    Refer to this link for build results (access rights to CI server needed): 
    https://amplab.cs.berkeley.edu/jenkins//job/SparkPullRequestBuilder/71857/
    Test PASSed.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

---------------------------------------------------------------------
To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org
For additional commands, e-mail: reviews-help@spark.apache.org