You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@spark.apache.org by sr...@apache.org on 2023/03/28 03:48:28 UTC

[spark] branch branch-3.4 updated: [SPARK-42922][SQL] Move from Random to SecureRandom

This is an automated email from the ASF dual-hosted git repository.

srowen pushed a commit to branch branch-3.4
in repository https://gitbox.apache.org/repos/asf/spark.git


The following commit(s) were added to refs/heads/branch-3.4 by this push:
     new 2cd341f7e36 [SPARK-42922][SQL] Move from Random to SecureRandom
2cd341f7e36 is described below

commit 2cd341f7e36525f0de1fe5447809a5cda92a6769
Author: Mridul Muralidharan <mridulatgmail.com>
AuthorDate: Mon Mar 27 22:48:05 2023 -0500

    [SPARK-42922][SQL] Move from Random to SecureRandom
    
    ### What changes were proposed in this pull request?
    
    Most uses of `Random` in spark are either in testcases or where we need a pseudo random number which is repeatable.
    Use `SecureRandom`, instead of `Random` for the cases where it impacts security.
    
    ### Why are the changes needed?
    
    Use of `SecureRandom` in more security sensitive contexts.
    This was flagged in our internal scans as well.
    
    ### Does this PR introduce _any_ user-facing change?
    
    Directly no.
    Would improve security posture of Apache Spark.
    
    ### How was this patch tested?
    
    Existing unit tests
    
    Closes #40568 from mridulm/SPARK-42922.
    
    Authored-by: Mridul Muralidharan <mridulatgmail.com>
    Signed-off-by: Sean Owen <sr...@gmail.com>
    (cherry picked from commit 744434358cb0c687b37d37dd62f2e7d837e52b2d)
    Signed-off-by: Sean Owen <sr...@gmail.com>
---
 .../src/main/java/org/apache/hive/service/auth/HttpAuthUtils.java    | 5 +++--
 .../java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java   | 4 ++--
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/sql/hive-thriftserver/src/main/java/org/apache/hive/service/auth/HttpAuthUtils.java b/sql/hive-thriftserver/src/main/java/org/apache/hive/service/auth/HttpAuthUtils.java
index 4183cba0c68..08a8258db06 100644
--- a/sql/hive-thriftserver/src/main/java/org/apache/hive/service/auth/HttpAuthUtils.java
+++ b/sql/hive-thriftserver/src/main/java/org/apache/hive/service/auth/HttpAuthUtils.java
@@ -20,11 +20,11 @@ package org.apache.hive.service.auth;
 import java.security.AccessControlContext;
 import java.security.AccessController;
 import java.security.PrivilegedExceptionAction;
+import java.security.SecureRandom;
 import java.util.Arrays;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Map;
-import java.util.Random;
 import java.util.Set;
 import java.util.StringTokenizer;
 
@@ -57,6 +57,7 @@ public final class HttpAuthUtils {
   private static final String COOKIE_KEY_VALUE_SEPARATOR = "=";
   private static final Set<String> COOKIE_ATTRIBUTES =
     new HashSet<String>(Arrays.asList(COOKIE_CLIENT_USER_NAME, COOKIE_CLIENT_RAND_NUMBER));
+  private static final SecureRandom random = new SecureRandom();
 
   /**
    * @return Stringified Base64 encoded kerberosAuthHeader on success
@@ -95,7 +96,7 @@ public final class HttpAuthUtils {
     sb.append(COOKIE_CLIENT_USER_NAME).append(COOKIE_KEY_VALUE_SEPARATOR).append(clientUserName)
       .append(COOKIE_ATTR_SEPARATOR);
     sb.append(COOKIE_CLIENT_RAND_NUMBER).append(COOKIE_KEY_VALUE_SEPARATOR)
-      .append((new Random(System.currentTimeMillis())).nextLong());
+      .append(random.nextLong());
     return sb.toString();
   }
 
diff --git a/sql/hive-thriftserver/src/main/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java b/sql/hive-thriftserver/src/main/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java
index f0f5cdcd38f..712b1d49eac 100644
--- a/sql/hive-thriftserver/src/main/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java
+++ b/sql/hive-thriftserver/src/main/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java
@@ -20,8 +20,8 @@ package org.apache.hive.service.cli.thrift;
 import java.io.IOException;
 import java.io.UnsupportedEncodingException;
 import java.security.PrivilegedExceptionAction;
+import java.security.SecureRandom;
 import java.util.Map;
-import java.util.Random;
 import java.util.Set;
 import java.util.concurrent.TimeUnit;
 
@@ -76,7 +76,7 @@ public class ThriftHttpServlet extends TServlet {
   // Class members for cookie based authentication.
   private CookieSigner signer;
   public static final String AUTH_COOKIE = "hive.server2.auth";
-  private static final Random RAN = new Random();
+  private static final SecureRandom RAN = new SecureRandom();
   private boolean isCookieAuthEnabled;
   private String cookieDomain;
   private String cookiePath;


---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@spark.apache.org
For additional commands, e-mail: commits-help@spark.apache.org