[PR] [SPARK-57448][SQL] Support `spark.sql.reflect.allowList` to restrict methods invoked by `reflect/java_method` [spark]

Sun, 14 Jun 2026 15:38:04 -0700 


dongjoon-hyun opened a new pull request, #56509:
URL: https://github.com/apache/spark/pull/56509

   ### What changes were proposed in this pull request?
   
   Add a static SQL config `spark.sql.reflect.allowList` that restricts which 
static methods the `reflect`/`java_method` SQL functions 
(`CallMethodViaReflection`) may invoke.
   
   - Comma-separated list of regexes; a call is allowed only when its canonical 
`class.method` name fully matches at least one pattern, checked during 
analysis. A disallowed call fails with the new 
`DATATYPE_MISMATCH.METHOD_NOT_ALLOWED` error.
   - Static config: fixed at `SparkSession` creation, not overridable via `SET`.
   - Empty (the default) allows all calls, preserving existing behavior.
   - Each entry is validated as a regex at set time via `checkValue`.
   
   ### Why are the changes needed?
   
   `reflect`/`java_method` can invoke arbitrary static Java methods. When Spark 
runs as a multi-tenant server accepting SQL from untrusted clients (e.g. a 
Spark Connect server or the Thrift JDBC/ODBC server), a client could call 
sensitive methods such as `java.lang.System.exit` to kill the server JVM. A 
static allow list lets admins restrict callable methods, and it cannot be 
relaxed at runtime.
   
   ### Does this PR introduce _any_ user-facing change?
   
   Yes. A new static SQL config `spark.sql.reflect.allowList` (default empty = 
allow all; no change unless set). When set, calls not matching any pattern fail 
during analysis:
   
   ```
   $ spark-sql --conf "spark.sql.reflect.allowList=java\.util\.UUID\..*"
   spark-sql> SELECT reflect('java.lang.System', 'exit', 0);
   [DATATYPE_MISMATCH.METHOD_NOT_ALLOWED] ... the method exit of the class
   java.lang.System does not match the allow list "spark.sql.reflect.allowList"
   ```
   
   ### How was this patch tested?
   
   New unit tests in `CallMethodViaReflectionSuite` (empty / matching / 
non-matching / regex, and invalid-pattern rejection). Also ran 
`SparkThrowableSuite`.
   
   ### Was this patch authored or co-authored using generative AI tooling?
   
   Generated-by: Claude Code (Claude Opus 4.8)


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to