Goden Yao created HAWQ-59:
-----------------------------

             Summary: Path Manipulation: HdfsAnalyzer.java
                 Key: HAWQ-59
                 URL: https://issues.apache.org/jira/browse/HAWQ-59
             Project: Apache HAWQ
          Issue Type: Bug
          Components: PXF
            Reporter: Goden Yao
            Priority: Critical


From security tool scanning: Attackers can control the filesystem path argument to setInputPaths() at HdfsAnalyzer.java line 128, which allows them to access or modify otherwise protected files.

{code:java}
// Ln 128:
private ArrayList<InputSplit> getSplits(Path path) throws IOException {
    PxfInputFormat fformat = new PxfInputFormat();
    // path is handed to the input format as-is; nothing here checks where it points
    PxfInputFormat.setInputPaths(jobConf, path);
    // ...
}
{code}

_setInputPaths()_ receives a parameter passed in from the user:
{code:java}
// Ln 59:
@Override
public AnalyzerStats getEstimatedStats(String datapath) throws Exception {
    long blockSize = 0;
    long numberOfBlocks;
    // datapath is the user-supplied value from the request
    Path path = new Path(HdfsUtilities.absoluteDataPath(datapath));

    ArrayList<InputSplit> splits = getSplits(path);
    // ...
}
{code}
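The fix for this class of finding is to confine the user-supplied {{datapath}} to a configured base directory before it is turned into a {{Path}} and handed to {{setInputPaths()}}. The class below is an added illustration written for this issue, not PXF code and not the behaviour of {{HdfsUtilities.absoluteDataPath()}}; the helper name {{SafeDataPath.confine()}}, the base directory {{/data/pxf}} and the sample inputs are all constructed. It uses {{java.nio.file}} only for segment normalization (nothing touches a disk or an HDFS client) and assumes POSIX path semantics.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Arrays;
import java.util.List;

/** Hypothetical helper (not part of PXF): confine a caller-supplied data path to one base directory. */
public final class SafeDataPath {

    private SafeDataPath() {}

    /**
     * Returns the normalized absolute path of {@code datapath} under {@code base},
     * or throws IllegalArgumentException if the input would resolve outside it.
     */
    public static String confine(String base, String datapath) {
        if (datapath == null || datapath.isEmpty()) {
            throw new IllegalArgumentException("empty data path");
        }
        // A scheme/authority (e.g. hdfs://other-cluster/...) would redirect the request
        // to a different filesystem; only plain paths are accepted here.
        if (datapath.contains("://") || datapath.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("unsupported characters in data path: " + datapath);
        }
        // Reject ".." segments explicitly rather than relying on normalization alone,
        // so a traversal attempt is refused (and loggable) exactly as the caller wrote it.
        for (String seg : datapath.split("/")) {
            if (seg.equals("..")) {
                throw new IllegalArgumentException("parent traversal not allowed: " + datapath);
            }
        }
        Path root = Paths.get(base).toAbsolutePath().normalize();
        // Treat the input as relative to the base even when it starts with '/'.
        String relative = datapath.startsWith("/") ? datapath.substring(1) : datapath;
        Path resolved = root.resolve(relative).normalize();
        // Final containment check after normalization ("./", "//", etc.).
        if (!resolved.startsWith(root)) {
            throw new IllegalArgumentException("data path escapes base directory: " + datapath);
        }
        return resolved.toString();
    }

    public static void main(String[] args) {
        String base = "/data/pxf";                 // constructed base directory
        List<String> samples = Arrays.asList(      // constructed sample inputs
            "sales/2015/part-0001",                // accepted
            "/sales/2015",                         // leading slash stripped, accepted
            "sales/./2015//q1",                    // normalized, accepted
            "../../etc/passwd",                    // rejected: parent traversal
            "hdfs://other-cluster/secret");        // rejected: scheme present
        for (String s : samples) {
            try {
                System.out.println("ACCEPT " + s + " -> " + confine(base, s));
            } catch (IllegalArgumentException e) {
                System.out.println("REJECT " + s + " : " + e.getMessage());
            }
        }
    }
}
```

Calling {{confine(baseDir, datapath)}} in {{getEstimatedStats()}} before constructing the {{Path}} would make the value reaching {{setInputPaths()}} a path the service chose to expose rather than an arbitrary one from the request; the base directory itself should come from server configuration, never from the request.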

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
