alamb commented on code in PR #7058:
URL: https://github.com/apache/arrow-datafusion/pull/7058#discussion_r1273403499
##########
datafusion/core/src/datasource/listing/url.rs:
##########
@@ -87,6 +88,34 @@ impl ListingTableUrl {
}
}
+ /// Perform shell-like path expansions
+ /// * Home directory expansion: "~/test.csv" expands to
"/Users/user1/test.csv"
+ /// * Environment variable expansion: "$HOME/$DATA/test.csv" expands to
+ /// "/Users/user1/data/test.csv"
+ fn expand_path_prefix(prefix: &str) -> Result<String, DataFusionError> {
+ let error_msg = format!("Failed to perform shell expansion in path:
{prefix}");
+
+ let expanded_dir_output = Command::new("sh")
+ .arg("-c")
+ .arg(&format!("echo {prefix}"))
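Review bot: `expand_path_prefix` builds a shell command string from the caller-supplied `prefix` (`Command::new("sh").arg("-c").arg(&format!("echo {prefix}"))`), so quotes, `;`, backticks or `$(...)` inside a table location are executed by `sh` rather than treated as path characters; the expansion should be done in-process instead (resolve a leading `~` to the home directory and `$VAR` via `std::env::var`, or use a crate that does this without a subprocess), and the path must never be passed through a shell. The doc comment lines in this hunk are also wrapped mid-sentence ("expands to" / "/Users/user1/test.csv") and should be rejoined.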
Review Comment:
This seems like it may be subject to a shell injection attack.
For example, what if someone did
```sql
CREATE EXTERNAL TABLE foo LOCATED AT '"\"hi"; rm -rf /"'
```
Could this potentially `rm -rf` the filesystem?
--
This is an automated message from the Apache Git Service.
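As an added example (not code from the PR or from the comment above), this is the `~` and `$VAR` expansion the hunk's doc comment describes, done in plain Rust with no shell involved; the function name and the `lookup` parameter are assumptions introduced here so the behaviour can be tested offline. Given the quoted `"\"hi"; rm -rf /"` string, it is returned unchanged because no command is ever spawned.

```rust
/// Expand a leading "~" and "$VAR" / "${VAR}" in a path prefix without spawning
/// a shell: quotes, ';', '|' and other metacharacters are copied through
/// literally, so the input can never become a command. `lookup` abstracts the
/// environment (assumed helper) so the function can be exercised offline.
fn expand_path_prefix_safe(
    prefix: &str,
    lookup: &dyn Fn(&str) -> Option<String>,
) -> Result<String, String> {
    let mut out = String::new();
    let mut chars = prefix.chars().peekable();
    // Home expansion only for a lone "~" or a leading "~/" (not "~user").
    if prefix == "~" || prefix.starts_with("~/") {
        out.push_str(&lookup("HOME").ok_or("HOME is not set")?);
        chars.next(); // consume the '~'
    }
    while let Some(c) = chars.next() {
        if c != '$' { out.push(c); continue; }
        // Variable name: "${NAME}" (anything up to '}') or "$NAME" ([A-Za-z0-9_]+).
        let mut name = String::new();
        if chars.peek() == Some(&'{') {
            chars.next();
            loop {
                match chars.next() {
                    Some('}') => break,
                    Some(ch) => name.push(ch),
                    None => return Err(format!("unterminated '${{' in path: {prefix}")),
                }
            }
        } else {
            while let Some(&ch) = chars.peek().filter(|ch| ch.is_ascii_alphanumeric() || **ch == '_') {
                name.push(ch);
                chars.next();
            }
        }
        if name.is_empty() {
            out.push('$'); // a bare '$' stays literal
            continue;
        }
        match lookup(&name) {
            Some(v) => out.push_str(&v),
            None => return Err(format!("variable {name} is not set (path: {prefix})")),
        }
    }
    Ok(out)
}

/// Lookup backed by the real process environment, for production use.
fn env_lookup(name: &str) -> Option<String> { std::env::var(name).ok() }
```

In production code the call is `expand_path_prefix_safe(prefix, &env_lookup)`; an unset variable is reported as an error rather than silently expanding to an empty path component.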