[
https://issues.apache.org/jira/browse/HAWQ-59?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Goden Yao updated HAWQ-59:
--------------------------
Labels: Security (was: )
> Path Manipulation: HdfsAnalyzer.java
> ------------------------------------
>
> Key: HAWQ-59
> URL: https://issues.apache.org/jira/browse/HAWQ-59
> Project: Apache HAWQ
> Issue Type: Bug
> Components: PXF
> Reporter: Goden Yao
> Priority: Critical
> Labels: Security
>
> From security tool scanning: Attackers can control the filesystem path
> argument to setInputPaths() at HdfsAnalyzer.java line 128, which allows them
> to access or modify otherwise protected files.
> {code:java}
> // HdfsAnalyzer.java, line 128: 'path' is the caller-controlled argument
> private ArrayList<InputSplit> getSplits(Path path) throws IOException {
>     PxfInputFormat fformat = new PxfInputFormat();
>     PxfInputFormat.setInputPaths(jobConf, path);
>     ...
> }
> {code}
> _setInputPaths()_ uses a parameter passed from the user:
> {code:java}
> // HdfsAnalyzer.java, line 59: 'datapath' comes from the user and flows into getSplits()
> @Override
> public AnalyzerStats getEstimatedStats(String datapath) throws Exception {
>     long blockSize = 0;
>     long numberOfBlocks;
>     Path path = new Path(HdfsUtilities.absoluteDataPath(datapath));
>     ArrayList<InputSplit> splits = getSplits(path);
>     ...
> }
> {code}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
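
An added example (not PXF code and not part of the issue): one way to confine the user-supplied datapath before it reaches setInputPaths(), by normalizing it lexically and checking it against an allowlist of base directories. The class DataPathGuard, the root /data/pxf and the sample inputs are assumptions constructed for illustration; the guard treats relative input as rooted at / and does not resolve symlinks.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.List;

/** Hypothetical guard (not part of PXF): confines a user-supplied data path to allowed roots. */
public class DataPathGuard {
    private final List<String> allowedRoots; // normalized absolute prefixes, no trailing slash
    public DataPathGuard(List<String> allowedRoots) {
        this.allowedRoots = allowedRoots;
    }
    /** Returns the normalized absolute path, or throws if it leaves every allowed root. */
    public String validate(String datapath) {
        if (datapath == null || datapath.isEmpty() || datapath.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("empty or malformed path");
        }
        if (datapath.contains("://")) { // a scheme/authority would select another filesystem
            throw new SecurityException("URI-style paths are not accepted");
        }
        Deque<String> parts = new ArrayDeque<>();
        for (String seg : datapath.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) continue;   // collapse "//" and "."
            if (seg.equals("..")) {
                if (parts.isEmpty()) throw new SecurityException("path climbs above /");
                parts.removeLast();                            // resolve ".." lexically
            } else {
                parts.addLast(seg);
            }
        }
        String normalized = "/" + String.join("/", parts);
        for (String root : allowedRoots) {
            // compare on a segment boundary so "/data/pxfevil" does not match "/data/pxf"
            if (normalized.equals(root) || normalized.startsWith(root + "/")) return normalized;
        }
        throw new SecurityException("path outside allowed roots: " + normalized);
    }

    public static void main(String[] args) {
        DataPathGuard guard = new DataPathGuard(List.of("/data/pxf")); // constructed root (Java 9+)
        String[] samples = { "data/pxf/sales/2015.csv", "/data/pxf/../../etc/passwd",
                             "/data/pxfevil/x", "hdfs://other/data/pxf/x" }; // constructed inputs
        for (String s : samples) {
            try {
                System.out.println("ALLOW " + guard.validate(s));
            } catch (RuntimeException e) {
                System.out.println("DENY  " + s + " -> " + e.getMessage());
            }
        }
    }
}
```

The check belongs at the entry point that receives datapath, so that only the returned normalized string is ever wrapped in a Path and handed to getSplits().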