GitHub user sarutak opened a pull request:
https://github.com/apache/spark/pull/16681
[SPARK-19334][SQL] Fix the code injection vulnerability related to Generator functions.
## What changes were proposed in this pull request?
Similar to SPARK-15165, codegen is in danger of arbitrary code injection.
The root cause is how variable names are created by codegen.
In GenerateExec#codeGenAccessor, a variable name is created as follows.
```scala
val value = ctx.freshName(name)
```
The variable `value` is named based on the value of the variable `name`, and
the value of `name` comes from the schema given by the user, so an attacker can attack with
queries such as the following.
```sql
SELECT inline(array(cast(struct(1) AS struct<`=new Object() { {f();} public void f() {throw new RuntimeException("This exception is injected.");} public int x;}.x`:int>)))
```
In the example above, a RuntimeException is thrown, but an attacker can replace
it with arbitrary code.
## How was this patch tested?
Added a new test case.
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/sarutak/spark SPARK-19334
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/spark/pull/16681.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #16681
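A small model of the defect described above, added here as an illustration and not code from Spark or from this PR: a field name taken from a user-supplied schema is embedded verbatim into generated Java source, while the hardened accessor derives the variable name from a fixed prefix and gates user names through an identifier check. `CodegenContext`, `fresh_name`, `is_safe_identifier` and the accessor functions are hypothetical stand-ins for the Spark internals, and the sample field names are constructed.

```python
import re

# Constructed sample field names: a benign one and the injected name from the PR description.
BENIGN_NAME = "x"
INJECTED_NAME = ('=new Object() { {f();} public void f() '
                 '{throw new RuntimeException("This exception is injected.");} '
                 'public int x;}.x')

# Plain Java identifier (ASCII subset) that is not a reserved word; a hypothetical check.
JAVA_IDENTIFIER = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*$")
JAVA_KEYWORDS = {"int", "class", "public", "new", "void", "return",
                 "if", "for", "while", "this", "throw", "null"}


def is_safe_identifier(name: str) -> bool:
    """True only for names that can appear as a Java variable name without changing code structure."""
    return bool(JAVA_IDENTIFIER.match(name)) and name not in JAVA_KEYWORDS


class CodegenContext:
    """Hypothetical stand-in for Spark's CodegenContext.freshName: base name plus a unique suffix."""

    def __init__(self) -> None:
        self._counters: dict[str, int] = {}

    def fresh_name(self, base: str) -> str:
        n = self._counters.get(base, 0)
        self._counters[base] = n + 1
        return f"{base}_{n}"


def vulnerable_accessor(ctx: CodegenContext, source: str, name: str, index: int) -> str:
    """Models the pre-fix behaviour: the generated variable name is built from the user's field name."""
    value = ctx.fresh_name(name)          # user-controlled text flows straight into Java source
    return f"int {value} = {source}.getInt({index});"


def hardened_accessor(ctx: CodegenContext, source: str, name: str, index: int) -> str:
    """Variable names never contain user text; the field name is only used after validation, as a comment."""
    value = ctx.fresh_name("value")       # fixed, known-safe prefix
    comment = f" // field {name}" if is_safe_identifier(name) else ""
    return f"int {value} = {source}.getInt({index});{comment}"


def run_demo() -> dict[str, str]:
    """Generate both accessor forms for the benign and the injected field name."""
    ctx = CodegenContext()
    return {
        "vuln_benign": vulnerable_accessor(ctx, "row", BENIGN_NAME, 0),
        "vuln_injected": vulnerable_accessor(ctx, "row", INJECTED_NAME, 0),
        "hard_benign": hardened_accessor(ctx, "row", BENIGN_NAME, 0),
        "hard_injected": hardened_accessor(ctx, "row", INJECTED_NAME, 0),
    }
```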