You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@hive.apache.org by "Colm O hEigeartaigh (Jira)" <ji...@apache.org> on 2022/06/15 07:41:00 UTC

[jira] [Commented] (HIVE-22073) SQL Injection in TxnHandler#enqueueLockWithRetry

    [ https://issues.apache.org/jira/browse/HIVE-22073?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17554434#comment-17554434 ] 

Colm O hEigeartaigh commented on HIVE-22073:
--------------------------------------------

I commented on https://issues.apache.org/jira/browse/HIVE-20607 that the fix doesn't appear to have been backported to the 3.2 branch, despite the comment saying that is has. Could someone take a look to backport the issue to 3.2?

> SQL Injection in TxnHandler#enqueueLockWithRetry
> ------------------------------------------------
>
>                 Key: HIVE-22073
>                 URL: https://issues.apache.org/jira/browse/HIVE-22073
>             Project: Hive
>          Issue Type: Bug
>    Affects Versions: 3.1.1
>            Reporter: Piotr Findeisen
>            Priority: Critical
>
> The {{org.apache.hadoop.hive.metastore.txn.TxnHandler#enqueueLockWithRetry}} method gets called for Thrift {{lock}} API call with input passed from the user.
> Within that method there is SQL injection possible:
> [https://github.com/apache/hive/blob/774a8ef7a6e92c8a43cad2fa66bd944e666f75f0/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/txn/TxnHandler.java#L1987-L1991]
> for example, when partition name contains an apostrophe.
>  
> Impact:
>  * vulnerability: privilege escalation possible
>  * availability: user cannot query ACID table where string/varchar partition key contains an apostrophe
>  
>  
>  



--
This message was sent by Atlassian Jira
(v8.20.7#820007)