Posted to issues@hawq.apache.org by "Goden Yao (JIRA)" <ji...@apache.org> on 2015/10/14 22:03:05 UTC
[jira] [Updated] (HAWQ-59) Path Manipulation: HdfsAnalyzer.java
[ https://issues.apache.org/jira/browse/HAWQ-59?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Goden Yao updated HAWQ-59:
--------------------------
Labels: Security (was: )
> Path Manipulation: HdfsAnalyzer.java
> ------------------------------------
>
> Key: HAWQ-59
> URL: https://issues.apache.org/jira/browse/HAWQ-59
> Project: Apache HAWQ
> Issue Type: Bug
> Components: PXF
> Reporter: Goden Yao
> Priority: Critical
> Labels: Security
>
> From security tool scanning: Attackers can control the filesystem path argument to setInputPaths() at HdfsAnalyzer.java line 128, which allows them to access or modify otherwise protected files.
> {code:java}
> Ln 128: private ArrayList<InputSplit> getSplits(Path path) throws IOException {
>     PxfInputFormat fformat = new PxfInputFormat();
>     PxfInputFormat.setInputPaths(jobConf, path);
>     ...
> }
> {code}
> _setInputPaths()_ uses a parameter passed from the user:
> {code:java}
> Ln 59: @Override
> public AnalyzerStats getEstimatedStats(String datapath) throws Exception {
>     long blockSize = 0;
>     long numberOfBlocks;
>     Path path = new Path(HdfsUtilities.absoluteDataPath(datapath));
>     ArrayList<InputSplit> splits = getSplits(path);
>     ...
> }
> {code}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
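
Added example, not part of the original message and not HAWQ/PXF code: one way to constrain the datapath string described in the issue before it is turned into a Path and handed to setInputPaths(). The class DataPathGuard, its methods, the allowed root /pxf/data and the sample inputs are all hypothetical, and it assumes data paths are interpreted relative to the filesystem root.

```java
import java.util.ArrayDeque;
import java.util.Deque;

public class DataPathGuard {
    /** Hypothetical helper: normalise a caller-supplied, POSIX-style data path and
     *  require that the result stays under allowedRoot (an assumed deployment setting). */
    static String confine(String datapath, String allowedRoot) {
        if (datapath == null || datapath.isEmpty() || datapath.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("empty or malformed data path");
        }
        String root = normalize(allowedRoot);
        String resolved = normalize("/" + datapath);   // assumption: relative to "/"
        // Compare on a segment boundary so /pxf/database does not match /pxf/data.
        String prefix = root.equals("/") ? "/" : root + "/";
        if (!resolved.equals(root) && !resolved.startsWith(prefix)) {
            throw new SecurityException("data path escapes " + root + ": " + datapath);
        }
        return resolved;   // only this value should reach new Path(...)
    }

    /** Collapse empty, "." and ".." segments; refuse to climb above the root. */
    static String normalize(String p) {
        Deque<String> stack = new ArrayDeque<>();
        for (String seg : p.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) continue;
            if (seg.equals("..")) {
                if (stack.isEmpty()) throw new SecurityException("path climbs above /: " + p);
                stack.removeLast();
            } else {
                stack.addLast(seg);
            }
        }
        return "/" + String.join("/", stack);
    }

    public static void main(String[] args) {
        String root = "/pxf/data";   // constructed allowed root
        String[] samples = {         // constructed inputs
            "pxf/data/sales/2015.csv", "pxf/data/./a/../b",
            "pxf/data/../../user/other/file", "pxf/database/x"
        };
        for (String s : samples) {
            try { System.out.println("OK   " + s + " -> " + confine(s, root)); }
            catch (RuntimeException e) { System.out.println("DENY " + s + " (" + e.getMessage() + ")"); }
        }
    }
}
```

The first two samples are accepted and the last two are rejected; the check complements, and does not replace, HDFS permissions on the account the service runs as.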