[ https://issues.apache.org/jira/browse/OOZIE-3330?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16588434#comment-16588434 ]

Julia Kinga Marton commented on OOZIE-3330:
-------------------------------------------

The comment with the results is missing, but there are 2 new bugs reported by
FindBugs. [~asalamon74], can you please check them?

The most important FindBugs errors are:

At SparkOptionsSplitter.java:[line 140]: The regular expression
"([a-zA-Z0-9.]+=)?".+"" is vulnerable to a denial of service attack (ReDOS)

At SparkOptionsSplitter.java:[line 141]: The regular expression
"([a-zA-Z0-9.]+=)?.*(\\w\\s+"\\w+[\\s+\\w]*"|"\\w+[\\s+\\w]*"\\s+\\w)+.*" is
vulnerable to a denial of service attack (ReDOS)

> [spark-action] Remove double quotes inside plain option values
> --------------------------------------------------------------
>
> Key: OOZIE-3330
> URL: https://issues.apache.org/jira/browse/OOZIE-3330
> Project: Oozie
> Issue Type: Bug
> Components: action
> Affects Versions: 5.0.0
> Reporter: Andras Piros
> Assignee: Andras Salamon
> Priority: Major
> Fix For: 5.1.0
>
> Attachments: OOZIE-3330-1.patch, OOZIE-3330.000.wip.patch
>
>
> For Spark action parametrization, OOZIE-2984 fixed the case where users tried
> to put quoted values inside assembled options, like {{--conf name1="value1
> value2"}}. The underlying Spark executor JVM treats {{"value1 value2"}} as
> one value with the quotes - we needed to remove these before passing to Spark.
> We have to extend that approach for plain option values like this: {{--name
> "value1 value2"}} where we also need to remove the quotes.
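
One way to do the quote removal described in the issue without a regular expression, so that the ReDoS finding has nothing to apply to. This is an added example, not code from OOZIE-3330-1.patch or from Oozie; the class and method names are hypothetical, and it assumes only a single wrapping pair of quotes is removed, modelled on the first pattern quoted in the comment.

```java
// Added example, not Oozie code. Class and method names are hypothetical.
public final class PlainQuoteStripper {

    // True when opt[0, eq) is non-empty and every char is in [a-zA-Z0-9.],
    // the key alphabet used by the optional prefix of the first reported pattern.
    private static boolean isKey(String opt, int eq) {
        if (eq <= 0) {
            return false;
        }
        for (int i = 0; i < eq; i++) {
            char c = opt.charAt(i);
            boolean ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
                    || (c >= '0' && c <= '9') || c == '.';
            if (!ok) {
                return false;
            }
        }
        return true;
    }

    // Removes one wrapping pair of double quotes from a plain value ("v1 v2")
    // or from the value part of key="v1 v2". There is no backtracking: each
    // character is inspected a constant number of times, so run time is
    // linear in the input length.
    static String unquote(String opt) {
        int eq = opt.indexOf('=');
        int start = isKey(opt, eq) ? eq + 1 : 0;
        int end = opt.length() - 1;
        // Need an opening quote, at least one character, and a closing quote.
        if (end - start >= 2 && opt.charAt(start) == '"' && opt.charAt(end) == '"') {
            return opt.substring(0, start) + opt.substring(start + 1, end);
        }
        return opt;
    }

    public static void main(String[] args) {
        // Constructed sample inputs, modelled on the two forms in the issue text.
        String[] samples = {
            "name1=\"value1 value2\"", "\"value1 value2\"", "value1", "\"\"", "a b=\"c\""
        };
        for (String s : samples) {
            System.out.println(s + " -> " + unquote(s));
        }
    }
}
```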