Posted to issues@hawq.apache.org by "Goden Yao (JIRA)" <ji...@apache.org> on 2016/07/14 18:28:20 UTC
[jira] [Closed] (HAWQ-59) Path Manipulation: HdfsAnalyzer.java
[ https://issues.apache.org/jira/browse/HAWQ-59?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Goden Yao closed HAWQ-59.
-------------------------
Resolution: Not A Problem
Fix Version/s: 2.0.0.0-incubating
> Path Manipulation: HdfsAnalyzer.java
> ------------------------------------
>
> Key: HAWQ-59
> URL: https://issues.apache.org/jira/browse/HAWQ-59
> Project: Apache HAWQ
> Issue Type: Bug
> Components: PXF
> Reporter: Goden Yao
> Assignee: Goden Yao
> Priority: Critical
> Labels: Security
> Fix For: 2.0.0.0-incubating
>
>
> From security tool scanning: Attackers can control the filesystem path argument to setInputPaths() at [HdfsAnalyzer.java|https://github.com/apache/incubator-hawq/blob/master/pxf/pxf-hdfs/src/main/java/com/pivotal/pxf/plugins/hdfs/HdfsAnalyzer.java] line 128, which allows them to access or modify otherwise protected files.
> {code:java}
> Ln 128: private ArrayList<InputSplit> getSplits(Path path) throws IOException {
>     PxfInputFormat fformat = new PxfInputFormat();
>     PxfInputFormat.setInputPaths(jobConf, path);
>     ...
> }
> {code}
> _setInputPaths()_ uses a parameter passed from the user:
> {code:java}
> Ln 59: @Override
> public AnalyzerStats getEstimatedStats(String datapath) throws Exception {
>     long blockSize = 0;
>     long numberOfBlocks;
>     Path path = new Path(HdfsUtilities.absoluteDataPath(datapath));
>     ArrayList<InputSplit> splits = getSplits(path);
>     ...
> }
> {code}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)