tgravescs commented on PR #48941: URL: https://github.com/apache/spark/pull/48941#issuecomment-2518044028
so am I missing what the actual attack surface is here? Is there some escalation of privileges allowed by this? In Spark you can run arbitrary code, so whether this code is executed via this injection or just as code in the Spark Driver or map function on executors I'm not seeing what the difference is? If you are allowed to change the configuration flags passed to the Spark application, couldn't you just submit your own application like I mention above? -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
