Posted to issues@spark.apache.org by "Herman van Hovell (JIRA)" <ji...@apache.org> on 2017/01/24 22:37:26 UTC
[jira] [Updated] (SPARK-19334) Fix the code injection vulnerability related to Generator functions.
[ https://issues.apache.org/jira/browse/SPARK-19334?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Herman van Hovell updated SPARK-19334:
--------------------------------------
Assignee: Kousuke Saruta
> Fix the code injection vulnerability related to Generator functions.
> --------------------------------------------------------------------
>
> Key: SPARK-19334
> URL: https://issues.apache.org/jira/browse/SPARK-19334
> Project: Spark
> Issue Type: Bug
> Components: SQL
> Affects Versions: 2.1.0
> Reporter: Kousuke Saruta
> Assignee: Kousuke Saruta
> Priority: Blocker
> Fix For: 2.2.0
>
>
> Similar to SPARK-15165, codegen is in danger of arbitrary code injection. The root cause is how variable names are created by codegen.
> In GenerateExec#codeGenAccessor, a variable name is created as follows.
> {code}
> val value = ctx.freshName(name)
> {code}
> The variable `value` is named based on the value of the variable `name`, and the value of `name` comes from the schema given by the user, so an attacker can attack with queries like the following.
> {code}
> SELECT inline(array(cast(struct(1) AS struct<`=new Object() { {f();} public void f() {throw new RuntimeException("This exception is injected.");} public int x;}.x`:int>)))
> {code}
> In the example above, a RuntimeException is thrown, but an attacker can replace it with arbitrary code.
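The naming problem described in the report, as an added Scala sketch that is not Spark's code and not part of the original message: `freshName`, `declare`, `unsafeVar` and `safeVar` are hypothetical stand-ins for the codegen helpers, and the constant-prefix variant is one assumed mitigation, not necessarily the fix applied for SPARK-19334. It shows that a schema field name used as a variable-name prefix stops being a single Java identifier, while a constant prefix keeps user input out of the generated source.

```scala
// Added illustration: a toy model of codegen naming, not Spark's CodegenContext.
object FreshNameDemo {
  private var counter = 0

  // Hypothetical stand-in for a freshName helper: appends a unique suffix to the prefix.
  def freshName(prefix: String): String = { counter += 1; s"${prefix}_$counter" }

  // True only if `s` can be spliced into Java source as one identifier token.
  def isJavaIdentifier(s: String): Boolean =
    s.nonEmpty && Character.isJavaIdentifierStart(s.head) &&
      s.tail.forall(c => Character.isJavaIdentifierPart(c))

  // Pattern from the report: the schema field name becomes part of the variable name.
  def unsafeVar(fieldName: String): String = freshName(fieldName)

  // Hardened variant (assumed approach): constant prefix, so the field name
  // never reaches the generated source text.
  def safeVar(fieldName: String): String = freshName("col")

  // Toy template for a generated Java declaration (assumption, not Spark's output).
  def declare(varName: String): String = s"int $varName = row.getInt(0);"

  def main(args: Array[String]): Unit = {
    // Constructed samples: an ordinary field name and the field name from the report's query.
    val benign = "price"
    val hostile = "=new Object() { {f();} public void f() {throw new " +
      "RuntimeException(\"This exception is injected.\");} public int x;}.x"

    for (field <- Seq(benign, hostile)) {
      val u = unsafeVar(field)
      val s = safeVar(field)
      println(s"field      : $field")
      println(s"unsafe src : ${declare(u)}  [single identifier: ${isJavaIdentifier(u)}]")
      println(s"safe src   : ${declare(s)}  [single identifier: ${isJavaIdentifier(s)}]")
    }

    // A codegen-side guard can enforce the same property before emitting source.
    assert(isJavaIdentifier(unsafeVar(benign)))
    assert(!isJavaIdentifier(unsafeVar(hostile)))
    assert(isJavaIdentifier(safeVar(hostile)))
  }
}
```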