This is an automated email from the ASF dual-hosted git repository.
dongjoon pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/spark.git
The following commit(s) were added to refs/heads/master by this push:
new 84387394c387 [SPARK-46965][CORE] Check `logType` in `Utils.getLog`
84387394c387 is described below
commit 84387394c387c7a6c171714f5d45d517b6bec7af
Author: Dongjoon Hyun <[email protected]>
AuthorDate: Fri Feb 2 17:22:32 2024 -0800
[SPARK-46965][CORE] Check `logType` in `Utils.getLog`
### What changes were proposed in this pull request?
This PR aims to check `logType` in `Utils.getLog`.
### Why are the changes needed?
To prevent security vulnerability.
### Does this PR introduce _any_ user-facing change?
No. This is a new module which is not released yet.
### How was this patch tested?
Manually.
**BEFORE**
```
$ sbin/start-master.sh
$ curl -s 'http://localhost:8080/logPage/self?logType=../../../../../../etc/nfs.conf' | grep NFS
# nfs.conf: the NFS configuration file
```
**AFTER**
```
$ sbin/start-master.sh
$ curl -s 'http://localhost:8080/logPage/self?logType=../../../../../../etc/nfs.conf' | grep NFS
```
For `Spark History Server`, the same check with port 18080.
```
$ curl -s 'http://localhost:18080/logPage/self?logType=../../../../../../../etc/nfs.conf' | grep NFS
```
### Was this patch authored or co-authored using generative AI tooling?
No
Closes #45006 from dongjoon-hyun/SPARK-46965.
Authored-by: Dongjoon Hyun <[email protected]>
Signed-off-by: Dongjoon Hyun <[email protected]>
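As an added illustration (not code from the Spark repository or this commit), the same exact-match allowlist check in Python, placed next to a small detector that flags `logPage` requests whose `logType` is outside that allowlist. The set of names mirrors `SUPPORTED_LOG_TYPES` from the diff; the log directory path and the access-log lines are constructed for the example.

```python
import re
from pathlib import Path
from urllib.parse import parse_qs, urlsplit

# Same three names as SUPPORTED_LOG_TYPES in the patched Utils.scala.
SUPPORTED_LOG_TYPES = frozenset({"stderr", "stdout", "out"})


def resolve_log_file(log_dir: str, log_type: str, check: bool = True):
    """Return the file a logType request would read, or None if rejected.

    check=True mirrors the patched getLog: exact-match against the allowlist
    before any path is built. check=False shows the unpatched shape, where
    the request parameter becomes a path component unchanged.
    """
    if check and log_type not in SUPPORTED_LOG_TYPES:
        return None  # Scala code returns "Error: Log type must be one of ..."
    return Path(log_dir, log_type).resolve()


def escapes_dir(log_dir: str, resolved: Path) -> bool:
    """True when a resolved path lies outside the configured log directory."""
    base = Path(log_dir).resolve()
    return resolved != base and base not in resolved.parents


# Detection side: a logPage request with any other logType value is a probe.
LOGPAGE_RE = re.compile(r'"(?:GET|POST) (/logPage/\S*) HTTP')


def suspicious_logtype_requests(access_log_lines):
    """Yield (line, value) for logPage requests whose logType is not allowlisted."""
    for line in access_log_lines:
        m = LOGPAGE_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        for value in parse_qs(query).get("logType", []):
            if value not in SUPPORTED_LOG_TYPES:
                yield line, value


# Constructed sample access-log lines (not real Spark output).
SAMPLE_LINES = [
    '10.0.0.5 - - [02/Feb/2024:17:22:32 -0800] "GET /logPage/self?logType=stdout HTTP/1.1" 200 512',
    '10.0.0.9 - - [02/Feb/2024:17:23:01 -0800] "GET /logPage/self?logType=../../../../../../etc/nfs.conf HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for line, value in suspicious_logtype_requests(SAMPLE_LINES):
        print("unexpected logType value:", value)
```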
---
core/src/main/scala/org/apache/spark/deploy/Utils.scala | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/core/src/main/scala/org/apache/spark/deploy/Utils.scala
b/core/src/main/scala/org/apache/spark/deploy/Utils.scala
index 9bbcc9f314b2..32328ae1e07a 100644
--- a/core/src/main/scala/org/apache/spark/deploy/Utils.scala
+++ b/core/src/main/scala/org/apache/spark/deploy/Utils.scala
@@ -32,6 +32,7 @@ import org.apache.spark.util.logging.RollingFileAppender
*/
private[deploy] object Utils extends Logging {
val DEFAULT_BYTES = 100 * 1024
+ val SUPPORTED_LOG_TYPES = Set("stderr", "stdout", "out")
def addRenderLogHandler(page: WebUI, conf: SparkConf): Unit = {
page.attachHandler(createServletHandler("/log",
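Review bot: the new `SUPPORTED_LOG_TYPES` value carries no comment stating that it is the allowlist deciding which `logType` request values are accepted, so a later change could widen it without realising the security role; a one-line comment such as `// Exact-match allowlist for the logType request parameter` would make that intent explicit. Since `getLog` in the same object is the only consumer in this diff, consider `private` (or `private[deploy]`) instead of a public `val`.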
@@ -58,6 +59,9 @@ private[deploy] object Utils extends Logging {
logType: String,
offsetOption: Option[Long],
byteLength: Int): (String, Long, Long, Long) = {
+ if (!SUPPORTED_LOG_TYPES.contains(logType)) {
+ return ("Error: Log type must be one of " +
SUPPORTED_LOG_TYPES.mkString(", "), 0, 0, 0)
+ }
try {
// Find a log file name
val fileName = if (logType.equals("out")) {
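Review bot: the early return added before `try` rejects an unsupported `logType` silently on the server side; since `Utils extends Logging`, a `logWarning` noting that an unsupported `logType` was requested would give operators a detection signal for probes like the one in the BEFORE section (keep the raw value out of the rendered page, as the returned message already does). The exact-match `contains` against the allowlist, rather than filtering `..`, is the right shape for this fix. The commit message lists only manual testing; a unit test asserting the error tuple for a non-allowlisted value would cover this path in CI.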