[
https://issues.apache.org/jira/browse/SPARK-19334?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Herman van Hovell resolved SPARK-19334.
---------------------------------------
Resolution: Fixed
Fix Version/s: 2.2.0
Target Version/s: 2.2.0 (was: 2.1.1)
> Fix the code injection vulnerability related to Generator functions.
> --------------------------------------------------------------------
>
> Key: SPARK-19334
> URL: https://issues.apache.org/jira/browse/SPARK-19334
> Project: Spark
> Issue Type: Bug
> Components: SQL
> Affects Versions: 2.1.0
> Reporter: Kousuke Saruta
> Priority: Blocker
> Fix For: 2.2.0
>
>
> Similar to SPARK-15165, codegen is in danger of arbitrary code injection. The
> root cause is how variable names are created by codegen.
> In GenerateExec#codeGenAccessor, a variable name is created as follows.
> {code}
> val value = ctx.freshName(name)
> {code}
> The variable `value` is named based on the value of the variable `name`, and
> the value of `name` comes from the schema given by the user, so an attacker can
> attack with queries such as the following.
> {code}
> SELECT inline(array(cast(struct(1) AS struct<`=new Object() { {f();} public void f() {throw new RuntimeException("This exception is injected.");} public int x;}.x`:int>)))
> {code}
> In the example above, a RuntimeException is thrown, but an attacker can replace
> it with arbitrary code.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
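As an added illustration of the defence this report calls for (it is not code from the Spark project or from the reporter), the following Python puts the vulnerable splicing pattern beside an identifier check and a sanitiser, run on the struct field name taken from the query above. The `Object ... = row.get(0);` line shape and the `value_` prefix are assumptions made for this example.

```python
import re

# Java identifier: a letter, '_' or '$' followed by letters, digits, '_' or '$'.
JAVA_IDENTIFIER = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*$")

# Constructed sample inputs: the struct field name carried by the query in the
# report (it contains a complete Java class body), and a benign column name.
INJECTED_FIELD_NAME = (
    '=new Object() { {f();} public void f() '
    '{throw new RuntimeException("This exception is injected.");} public int x;}.x'
)
BENIGN_FIELD_NAME = "col1"


def is_java_identifier(name: str) -> bool:
    """True only if `name` is a bare identifier and so cannot close or extend
    a Java expression once spliced into generated source."""
    return JAVA_IDENTIFIER.fullmatch(name) is not None


def unsafe_accessor_line(field_name: str) -> str:
    """Vulnerable pattern: the schema field name is placed in the generated
    source verbatim, so a field name containing Java syntax becomes Java code."""
    return f"Object {field_name} = row.get(0);"


def sanitize_field_name(field_name: str) -> str:
    """Mitigation used here (an assumption, not Spark's own fix): replace every
    character outside [A-Za-z0-9_] and prepend a fixed prefix, so the result is
    a plain identifier whatever the input was."""
    cleaned = re.sub(r"[^A-Za-z0-9_]", "_", field_name)
    return f"value_{cleaned}"


def safe_accessor_line(field_name: str) -> str:
    """Hardened variant: the user-controlled name reaches the generated source
    only after sanitisation, and the result is re-checked before emission."""
    ident = sanitize_field_name(field_name)
    if not is_java_identifier(ident):
        raise ValueError(f"refusing to emit non-identifier {ident!r}")
    return f"Object {ident} = row.get(0);"
```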