[
https://issues.apache.org/jira/browse/HAWQ-59?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Goden Yao updated HAWQ-59:
--------------------------
Description:
From security tool scanning: Attackers can control the filesystem path
argument to setInputPaths() at
[HdfsAnalyzer.java|https://github.com/apache/incubator-hawq/blob/master/pxf/pxf-hdfs/src/main/java/com/pivotal/pxf/plugins/hdfs/HdfsAnalyzer.java]
line 128, which allows them to access or modify otherwise protected files.
{code:java}
Ln 128: private ArrayList<InputSplit> getSplits(Path *path*) throws IOException
{
PxfInputFormat fformat = new PxfInputFormat();
PxfInputFormat.setInputPaths(jobConf, *path*);
...
}
{code}
_setInputPaths()_ uses a parameter passed from user:
{code:java}
Ln 59: @Override
public AnalyzerStats getEstimatedStats(String *datapath*) throws Exception {
long blockSize = 0;
long numberOfBlocks;
Path *path* = new Path(HdfsUtilities.absoluteDataPath(*datapath*));
ArrayList<InputSplit> splits = getSplits(*path*);
...
}
{code}
was:
From security tool scanning: Attackers can control the filesystem path
argument to setInputPaths() at HdfsAnalyzer.java line 128, which allows them
to access or modify otherwise protected files.
{code:java}
Ln 128: private ArrayList<InputSplit> getSplits(Path *path*) throws IOException
{
PxfInputFormat fformat = new PxfInputFormat();
PxfInputFormat.setInputPaths(jobConf, *path*);
...
}
{code}
_setInputPaths()_ uses a parameter passed from user:
{code:java}
Ln 59: @Override
public AnalyzerStats getEstimatedStats(String *datapath*) throws Exception {
long blockSize = 0;
long numberOfBlocks;
Path *path* = new Path(HdfsUtilities.absoluteDataPath(*datapath*));
ArrayList<InputSplit> splits = getSplits(*path*);
...
}
{code}
> Path Manipulation: HdfsAnalyzer.java
> ------------------------------------
>
> Key: HAWQ-59
> URL: https://issues.apache.org/jira/browse/HAWQ-59
> Project: Apache HAWQ
> Issue Type: Bug
> Components: PXF
> Reporter: Goden Yao
> Priority: Critical
> Labels: Security
>
> From security tool scanning: Attackers can control the filesystem path
> argument to setInputPaths() at
> [HdfsAnalyzer.java|https://github.com/apache/incubator-hawq/blob/master/pxf/pxf-hdfs/src/main/java/com/pivotal/pxf/plugins/hdfs/HdfsAnalyzer.java]
> line 128, which allows them to access or modify otherwise protected files.
> {code:java}
> Ln 128: private ArrayList<InputSplit> getSplits(Path *path*) throws
> IOException {
> PxfInputFormat fformat = new PxfInputFormat();
> PxfInputFormat.setInputPaths(jobConf, *path*);
> ...
> }
> {code}
> _setInputPaths()_ uses a parameter passed from user:
> {code:java}
> Ln 59: @Override
> public AnalyzerStats getEstimatedStats(String *datapath*) throws
> Exception {
> long blockSize = 0;
> long numberOfBlocks;
> Path *path* = new Path(HdfsUtilities.absoluteDataPath(*datapath*));
> ArrayList<InputSplit> splits = getSplits(*path*);
> ...
> }
> {code}
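Added example, not part of the original issue and not HAWQ/PXF code: one way to confine a user-supplied data path before it reaches a call such as setInputPaths(). The class name DataPathGuard, the method confine() and the allowed root /pxf/data are hypothetical, and the sample inputs in main() are constructed.

```java
import java.util.ArrayDeque;
import java.util.Deque;

// Illustration only. ALLOWED_ROOT is an assumed policy value, not a PXF setting.
public class DataPathGuard {
    static final String ALLOWED_ROOT = "/pxf/data";

    /** Normalizes an HDFS-style path and rejects anything outside ALLOWED_ROOT. */
    static String confine(String datapath) {
        if (datapath == null || datapath.isEmpty() || datapath.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("empty or malformed data path");
        }
        // A scheme or authority (hdfs://host/..., file:/...) could point the
        // job at a different filesystem, so any ':' is refused outright.
        if (datapath.indexOf(':') >= 0) {
            throw new IllegalArgumentException("scheme or ':' not allowed in data path");
        }
        // Resolve "." and ".." segment by segment; a relative path is treated
        // as relative to "/" (assumption about how the caller makes it absolute).
        Deque<String> stack = new ArrayDeque<>();
        for (String seg : datapath.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) continue;
            if (seg.equals("..")) {
                if (stack.isEmpty()) {
                    throw new IllegalArgumentException("path escapes filesystem root");
                }
                stack.removeLast();
            } else {
                stack.addLast(seg);
            }
        }
        String normalized = "/" + String.join("/", stack);
        // Compare with a trailing separator so /pxf/database does not pass as /pxf/data.
        if (!normalized.equals(ALLOWED_ROOT) && !normalized.startsWith(ALLOWED_ROOT + "/")) {
            throw new IllegalArgumentException("path outside allowed root: " + normalized);
        }
        return normalized;
    }

    public static void main(String[] args) {
        String[] samples = { "/pxf/data/sales/2015", "pxf/data/./sales",
            "/pxf/data/../private/keys", "/pxf/database", "hdfs://other/pxf/data/x" };
        for (String s : samples) {
            try { System.out.println(s + " -> " + confine(s)); }
            catch (IllegalArgumentException e) { System.out.println(s + " -> REJECTED: " + e.getMessage()); }
        }
    }
}
```

The string check only narrows which paths are requested; HDFS permissions for the identity the service runs as still decide what can actually be read.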