Posted to dev@oozie.apache.org by "Julia Kinga Marton (JIRA)" <ji...@apache.org> on 2018/08/22 06:27:00 UTC

[jira] [Comment Edited] (OOZIE-3330) [spark-action] Remove double quotes inside plain option values

    [ https://issues.apache.org/jira/browse/OOZIE-3330?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16588434#comment-16588434 ] 

Julia Kinga Marton edited comment on OOZIE-3330 at 8/22/18 6:26 AM:
--------------------------------------------------------------------

The comment with the results is missing, but there are 2 new bugs reported by FindBugs. [~asalamon74], can you please check them?
{noformat}
The most important FindBugs errors are:
 At SparkOptionsSplitter.java:[line 140]: The regular expression "([a-zA-Z0-9.]+=)?".+"" is vulnerable to a denial of service attack (ReDOS)
 At SparkOptionsSplitter.java:[line 141]: The regular expression "([a-zA-Z0-9.]+=)?.*(\\w\\s+"\\w+[\\s+\\w]*"|"\\w+[\\s+\\w]*"\\s+\\w)+.*" is vulnerable to a denial of service attack (ReDOS)
{noformat}


was (Author: kmarton):
The comment with the results is missing, but there are 2 new bugs reported by FindBugs. [~asalamon74], can you please check them?
The most important FindBugs errors are:
 At SparkOptionsSplitter.java:[line 140]: The regular expression "([a-zA-Z0-9.]+=)?".+"" is vulnerable to a denial of service attack (ReDOS)
 At SparkOptionsSplitter.java:[line 141]: The regular expression "([a-zA-Z0-9.]+=)?.*(\\w\\s+"\\w+[\\s+\\w]*"|"\\w+[\\s+\\w]*"\\s+\\w)+.*" is vulnerable to a denial of service attack (ReDOS)

> [spark-action] Remove double quotes inside plain option values
> --------------------------------------------------------------
>
>                 Key: OOZIE-3330
>                 URL: https://issues.apache.org/jira/browse/OOZIE-3330
>             Project: Oozie
>          Issue Type: Bug
>          Components: action
>    Affects Versions: 5.0.0
>            Reporter: Andras Piros
>            Assignee: Andras Salamon
>            Priority: Major
>             Fix For: 5.1.0
>
>         Attachments: OOZIE-3330-1.patch, OOZIE-3330.000.wip.patch
>
>
> For Spark action parametrization, OOZIE-2984 fixed the case where users tried to put quoted values inside assembled options, like {{--conf name1="value1 value2"}}. The underlying Spark executor JVM treats {{"value1 value2"}} as one value with the quotes - we needed to remove these before passing to Spark.
> We have to extend that approach for plain option values like this: {{--name "value1 value2"}} where we also need to remove the quotes.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
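
A regex-free way to do the quote removal described in the issue, given here as an added example and not Oozie's SparkOptionsSplitter code: a single-pass splitter whose cost is linear in the input length, so the backtracking that FindBugs flags cannot occur. The class name QuoteAwareSplitter, the choice to drop every double quote, and the rejection of an unterminated quote are assumptions of this example.

```java
import java.util.ArrayList;
import java.util.List;

// Added example: hypothetical class, not Oozie's SparkOptionsSplitter.
public class QuoteAwareSplitter {

    // Splits on whitespace outside double quotes and drops the quote characters.
    // One pass over the input, no regex, so there is nothing to backtrack.
    static List<String> split(String options) {
        List<String> tokens = new ArrayList<>();
        StringBuilder current = new StringBuilder();
        boolean inQuotes = false;
        boolean tokenStarted = false; // distinguishes "" (empty value) from no token
        for (int i = 0; i < options.length(); i++) {
            char c = options.charAt(i);
            if (c == '"') {
                inQuotes = !inQuotes;          // quote toggles state and is not copied
                tokenStarted = true;
            } else if (Character.isWhitespace(c) && !inQuotes) {
                if (tokenStarted) {            // whitespace outside quotes ends a token
                    tokens.add(current.toString());
                    current.setLength(0);
                    tokenStarted = false;
                }
            } else {
                current.append(c);             // includes whitespace inside quotes
                tokenStarted = true;
            }
        }
        if (inQuotes) {
            // Assumption: malformed input is rejected instead of silently merged.
            throw new IllegalArgumentException("unterminated double quote in options");
        }
        if (tokenStarted) {
            tokens.add(current.toString());
        }
        return tokens;
    }

    public static void main(String[] args) {
        // Constructed input covering both shapes named in the issue description.
        String opts = "--conf name1=\"value1 value2\" --name \"value1 value2\"";
        System.out.println(split(opts));

        // Constructed stress input: one quoted value holding many word/space pairs.
        StringBuilder sb = new StringBuilder("--name \"");
        for (int i = 0; i < 500_000; i++) sb.append("w ");
        sb.append('"');
        long start = System.nanoTime();
        int n = split(sb.toString()).size();
        System.out.printf("%d tokens in %d ms%n", n, (System.nanoTime() - start) / 1_000_000);
    }
}
```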