okumin commented on code in PR #5837:
URL: https://github.com/apache/hive/pull/5837#discussion_r2121425397
##########
ql/src/java/org/apache/hadoop/hive/ql/exec/vector/expressions/VectorUDFDayOfWeekString.java:
##########
@@ -49,15 +41,16 @@ public VectorUDFDayOfWeekString() {
@Override
protected long getField(byte[] bytes, int start, int length) throws
ParseException {
- Date date = null;
try {
String decoded = Text.decode(bytes, start, length);
- date = format.parse(decoded);
+ Date date = DateParser.parseDate(decoded.toString());
+ if (date == null) {
+ throw new ParseException("Unable to parse date string: " + decoded, 0);
Review Comment:
I honestly don't know the exact security policy of Hive, and I may be
overthinking it. When I examined the relevant codes, I found that no piece had
exposed the argument or row. Is it possible that we should not expose
`decoded`? Say a malicious user submits `SELECT DAY_OF_WEEK(credit_card_number)
FROM pii_table`. A card number can be stored in HS2's log files or a client
system, such as Apache Airflow. I'm considering what semantics are desirable.
Related:
https://issues.apache.org/jira/browse/HIVE-20644
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
