soumasish commented on code in PR #48941:
URL: https://github.com/apache/spark/pull/48941#discussion_r1865633604
##########
launcher/src/main/java/org/apache/spark/launcher/SparkSubmitCommandBuilder.java:
##########
@@ -339,6 +344,24 @@ private void checkJavaOptions(String javaOptions) {
}
}
+ /**
+ * Sanitizes the configuration value to prevent command injection
vulnerabilities.
+ * Removes shell metacharacters that could be used to manipulate shell
commands.
+ *
+ * References:
+ * - OWASP Command Injection Prevention Cheat Sheet
+ *
(https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html)
+ */
+ private String sanitizeExtraJavaOptions(String value) {
+ if (value != null) {
+ String[] unsafeChars = {"`", "$(", ")", "&", "|", "<", ";", ">", "*",
"?"};
+ for (String unsafeChar : unsafeChars) {
+ value = value.replace(unsafeChar, "");
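Review bot: The deny-list stripping in the loop over `unsafeChars` (`value = value.replace(unsafeChar, "")`) silently rewrites the user's option string instead of rejecting it, and because `replace` is a single pass it is not idempotent: an input containing `$$((` still contains `$(` after the loop, while `"`, `'`, `\`, newlines and `(` are not in the list at all even though `)` is. A safer shape for `sanitizeExtraJavaOptions` is to validate against an allow-list of characters that are legitimate in Java options and fail loudly (e.g. throw `IllegalArgumentException`) on anything else, so a value is either accepted whole or refused rather than partially cleaned; the Javadoc should then describe that rejection behaviour instead of "Removes shell metacharacters".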
Review Comment:
@srowen That makes sense, I've changed it to use regex.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.