Posted to issues@hawq.apache.org by "Goden Yao (JIRA)" <ji...@apache.org> on 2015/10/14 22:03:05 UTC

[jira] [Created] (HAWQ-59) Path Manipulation: HdfsAnalyzer.java

Goden Yao created HAWQ-59:
-----------------------------

             Summary: Path Manipulation: HdfsAnalyzer.java
                 Key: HAWQ-59
                 URL: https://issues.apache.org/jira/browse/HAWQ-59
             Project: Apache HAWQ
          Issue Type: Bug
          Components: PXF
            Reporter: Goden Yao
            Priority: Critical


From security tool scanning: Attackers can control the filesystem path argument to setInputPaths() at HdfsAnalyzer.java line 128, which allows them to access or modify otherwise protected files.

{code:java}
// HdfsAnalyzer.java, line 128: the path argument is passed straight to setInputPaths()
private ArrayList<InputSplit> getSplits(Path path) throws IOException {
    PxfInputFormat fformat = new PxfInputFormat();
    PxfInputFormat.setInputPaths(jobConf, path);
    // ...
}
{code}

_setInputPaths()_ uses a parameter passed from the user:
{code:java}
// HdfsAnalyzer.java, line 59: datapath comes from the user and becomes the Path given to getSplits()
@Override
public AnalyzerStats getEstimatedStats(String datapath) throws Exception {
    long blockSize = 0;
    long numberOfBlocks;
    Path path = new Path(HdfsUtilities.absoluteDataPath(datapath));

    ArrayList<InputSplit> splits = getSplits(path);
    // ...
}
{code}



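One way to close the flow reported above is to normalize the user-supplied data path and check that it still lies under an allowed base directory before it is turned into a Path. This is an added example, not PXF code and not the fix adopted for HAWQ-59; the class name DataPathGuard, the base directory /pxf/data and the sample inputs are assumptions made for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;

/** Hypothetical helper, not PXF code: confines a user-supplied data path to one base directory. */
public final class DataPathGuard {
    private final String base; // allowed root, stored without a trailing slash

    public DataPathGuard(String baseDir) {
        if (baseDir == null || !baseDir.startsWith("/") || baseDir.startsWith("//")) {
            throw new IllegalArgumentException("base must be an absolute path");
        }
        String b = normalize(baseDir);
        this.base = b.endsWith("/") ? b.substring(0, b.length() - 1) : b;
        if (base.isEmpty()) throw new IllegalArgumentException("base must not be the root");
    }

    /** Returns the normalized absolute path, or throws if it resolves outside the base. */
    public String confine(String datapath) {
        if (datapath == null || datapath.isEmpty() || datapath.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("empty or malformed data path");
        }
        // Resolve the input relative to the base, then collapse "." and ".." segments.
        String candidate = normalize(base + "/" + datapath);
        // Compare against base + "/" so a sibling such as /pxf/data-private does not match.
        if (!candidate.equals(base) && !candidate.startsWith(base + "/")) {
            throw new SecurityException("data path resolves outside " + base);
        }
        return candidate;
    }

    private static String normalize(String p) {
        try {
            // This constructor quotes illegal characters and '%', so "%2e%2e" stays a literal name.
            return new URI(null, null, p, null).normalize().getPath();
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("malformed data path", e);
        }
    }

    public static void main(String[] args) {
        DataPathGuard guard = new DataPathGuard("/pxf/data"); // constructed base directory
        System.out.println("accepted: " + guard.confine("sales/2015/part-0000"));
        String[] constructed = {"../../etc/passwd", "sales/../../data-private/x", "a/../../../.."};
        for (String input : constructed) {
            try { System.out.println("accepted: " + guard.confine(input)); }
            catch (SecurityException e) { System.out.println("rejected: " + input); }
        }
    }
}
```

The string returned by confine() is what would be wrapped in a Path; a lexical check like this does not follow symbolic links, so filesystem permissions remain the second line of defence.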