Posted to issues@hawq.apache.org by "Goden Yao (JIRA)" <ji...@apache.org> on 2016/07/14 18:27:21 UTC

[jira] [Reopened] (HAWQ-59) Path Manipulation: HdfsAnalyzer.java

     [ https://issues.apache.org/jira/browse/HAWQ-59?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Goden Yao reopened HAWQ-59:
---------------------------

Reopen to update version.

> Path Manipulation: HdfsAnalyzer.java
> ------------------------------------
>
>                 Key: HAWQ-59
>                 URL: https://issues.apache.org/jira/browse/HAWQ-59
>             Project: Apache HAWQ
>          Issue Type: Bug
>          Components: PXF
>            Reporter: Goden Yao
>            Assignee: Goden Yao
>            Priority: Critical
>              Labels: Security
>
> From security tool scanning: Attackers can control the filesystem path argument to setInputPaths() at [HdfsAnalyzer.java|https://github.com/apache/incubator-hawq/blob/master/pxf/pxf-hdfs/src/main/java/com/pivotal/pxf/plugins/hdfs/HdfsAnalyzer.java] line 128, which allows them to access or modify otherwise protected files.
> {code:java}
> Ln 128: private ArrayList<InputSplit> getSplits(Path path) throws IOException {
>         PxfInputFormat fformat = new PxfInputFormat();
>         PxfInputFormat.setInputPaths(jobConf, path);
> ...
> }
> {code}
> _setInputPaths()_ uses a parameter passed from the user:
> {code:java}
> Ln 59: @Override
>     public AnalyzerStats getEstimatedStats(String datapath) throws Exception {
>         long blockSize = 0;
>         long numberOfBlocks;
>         Path path = new Path(HdfsUtilities.absoluteDataPath(datapath));
>         ArrayList<InputSplit> splits = getSplits(path);
>      ...
> }
> {code}



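One way to close the flow reported above (a user-supplied datapath reaching setInputPaths() unchecked), as an added example that is not taken from the issue or from the HAWQ code base: normalize the path and reject it unless it stays under an allowed root. The class name DataPathGuard, the root /pxf/data and the sample paths are assumptions made for illustration, and the check is purely lexical.

```java
import java.util.ArrayDeque;
import java.util.Deque;

public class DataPathGuard {
    // Assumption: the only HDFS subtree PXF data paths may refer to.
    static final String ALLOWED_ROOT = "/pxf/data";

    // Lexically resolve "." and ".." segments of an absolute POSIX-style path.
    static String normalize(String absPath) {
        Deque<String> kept = new ArrayDeque<>();
        for (String seg : absPath.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) continue;
            if (seg.equals("..")) {
                if (kept.isEmpty()) throw new IllegalArgumentException("climbs above /");
                kept.removeLast();
            } else {
                kept.addLast(seg);
            }
        }
        return "/" + String.join("/", kept);
    }

    // Return the normalized path, or throw if it leaves ALLOWED_ROOT.
    static String checkDataPath(String datapath) {
        if (datapath == null || datapath.indexOf('\0') >= 0)
            throw new IllegalArgumentException("null or NUL byte in path");
        String norm = normalize(datapath.startsWith("/") ? datapath : "/" + datapath);
        // Compare whole segments: "/pxf/database" must not pass as "/pxf/data".
        if (!norm.equals(ALLOWED_ROOT) && !norm.startsWith(ALLOWED_ROOT + "/"))
            throw new IllegalArgumentException("outside " + ALLOWED_ROOT + ": " + norm);
        return norm;
    }

    public static void main(String[] args) {
        String[] samples = {               // constructed inputs
            "pxf/data/sales/2016",         // plain relative path
            "pxf/data/./tmp/../sales",     // "." and ".." that stay inside the root
            "/pxf/data/../../etc/passwd",  // ".." traversal out of the root
            "/pxf/database/private",       // sibling sharing a string prefix
        };
        for (String s : samples) {
            try {
                System.out.println("ALLOW " + s + " -> " + checkDataPath(s));
            } catch (IllegalArgumentException e) {
                System.out.println("DENY  " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

In getEstimatedStats() the value returned by checkDataPath() would be the one wrapped in a Path and passed to getSplits(); HDFS permissions on the service account remain the second line of defence.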