GitHub user sarutak opened a pull request:
https://github.com/apache/spark/pull/12939
[SPARK-15165][SQL] Codegen can break because toCommentSafeString is not
actually safe
## What changes were proposed in this pull request?
toCommentSafeString method replaces "\u" with "\\u" to avoid codegen
breaking.
But if the even number of "\" is put before "u", like "\\u", in the string
literal in the query, codegen can break.
Following code occurs compilation error.
```
val df = Seq(...).toDF
df.select("'\\\\\\\\u002A/'").show
```
The reason of the compilation error is because "\\\\\\\\u002A/" is
translated into "*/" (the end of comment).
Due to this unsafety, arbitrary code can be injected like as follows.
```
val df = Seq(...).toDF
// Inject "System.exit(1)"
df.select("'\\\\\\\\u002A/{System.exit(1);}/*'").show
```
## How was this patch tested?
Added new test cases.
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/sarutak/spark SPARK-15165
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/spark/pull/12939.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #12939
----
commit 30ad0819103d35b612c52000bcdcd0b5daa798e1
Author: Kousuke Saruta <[email protected]>
Date: 2016-05-05T22:04:08Z
Made toCommentSafeString method safer
----
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at [email protected] or file a JIRA ticket
with INFRA.
---
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
