You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@spark.apache.org by sr...@apache.org on 2023/03/28 03:48:28 UTC
[spark] branch branch-3.4 updated: [SPARK-42922][SQL] Move from Random to SecureRandom
This is an automated email from the ASF dual-hosted git repository.
srowen pushed a commit to branch branch-3.4
in repository https://gitbox.apache.org/repos/asf/spark.git
The following commit(s) were added to refs/heads/branch-3.4 by this push:
new 2cd341f7e36 [SPARK-42922][SQL] Move from Random to SecureRandom
2cd341f7e36 is described below
commit 2cd341f7e36525f0de1fe5447809a5cda92a6769
Author: Mridul Muralidharan <mridulatgmail.com>
AuthorDate: Mon Mar 27 22:48:05 2023 -0500
[SPARK-42922][SQL] Move from Random to SecureRandom
### What changes were proposed in this pull request?
Most uses of `Random` in spark are either in testcases or where we need a pseudo random number which is repeatable.
Use `SecureRandom`, instead of `Random` for the cases where it impacts security.
### Why are the changes needed?
Use of `SecureRandom` in more security sensitive contexts.
This was flagged in our internal scans as well.
### Does this PR introduce _any_ user-facing change?
Directly no.
Would improve security posture of Apache Spark.
### How was this patch tested?
Existing unit tests
Closes #40568 from mridulm/SPARK-42922.
Authored-by: Mridul Muralidharan <mridulatgmail.com>
Signed-off-by: Sean Owen <sr...@gmail.com>
(cherry picked from commit 744434358cb0c687b37d37dd62f2e7d837e52b2d)
Signed-off-by: Sean Owen <sr...@gmail.com>
---
.../src/main/java/org/apache/hive/service/auth/HttpAuthUtils.java | 5 +++--
.../java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java | 4 ++--
2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/sql/hive-thriftserver/src/main/java/org/apache/hive/service/auth/HttpAuthUtils.java b/sql/hive-thriftserver/src/main/java/org/apache/hive/service/auth/HttpAuthUtils.java
index 4183cba0c68..08a8258db06 100644
--- a/sql/hive-thriftserver/src/main/java/org/apache/hive/service/auth/HttpAuthUtils.java
+++ b/sql/hive-thriftserver/src/main/java/org/apache/hive/service/auth/HttpAuthUtils.java
@@ -20,11 +20,11 @@ package org.apache.hive.service.auth;
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.PrivilegedExceptionAction;
+import java.security.SecureRandom;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
-import java.util.Random;
import java.util.Set;
import java.util.StringTokenizer;
@@ -57,6 +57,7 @@ public final class HttpAuthUtils {
private static final String COOKIE_KEY_VALUE_SEPARATOR = "=";
private static final Set<String> COOKIE_ATTRIBUTES =
new HashSet<String>(Arrays.asList(COOKIE_CLIENT_USER_NAME, COOKIE_CLIENT_RAND_NUMBER));
+ private static final SecureRandom random = new SecureRandom();
/**
* @return Stringified Base64 encoded kerberosAuthHeader on success
@@ -95,7 +96,7 @@ public final class HttpAuthUtils {
sb.append(COOKIE_CLIENT_USER_NAME).append(COOKIE_KEY_VALUE_SEPARATOR).append(clientUserName)
.append(COOKIE_ATTR_SEPARATOR);
sb.append(COOKIE_CLIENT_RAND_NUMBER).append(COOKIE_KEY_VALUE_SEPARATOR)
- .append((new Random(System.currentTimeMillis())).nextLong());
+ .append(random.nextLong());
return sb.toString();
}
diff --git a/sql/hive-thriftserver/src/main/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java b/sql/hive-thriftserver/src/main/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java
index f0f5cdcd38f..712b1d49eac 100644
--- a/sql/hive-thriftserver/src/main/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java
+++ b/sql/hive-thriftserver/src/main/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java
@@ -20,8 +20,8 @@ package org.apache.hive.service.cli.thrift;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.security.PrivilegedExceptionAction;
+import java.security.SecureRandom;
import java.util.Map;
-import java.util.Random;
import java.util.Set;
import java.util.concurrent.TimeUnit;
@@ -76,7 +76,7 @@ public class ThriftHttpServlet extends TServlet {
// Class members for cookie based authentication.
private CookieSigner signer;
public static final String AUTH_COOKIE = "hive.server2.auth";
- private static final Random RAN = new Random();
+ private static final SecureRandom RAN = new SecureRandom();
private boolean isCookieAuthEnabled;
private String cookieDomain;
private String cookiePath;
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@spark.apache.org
For additional commands, e-mail: commits-help@spark.apache.org