-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/71532/#review218205
-----------------------------------------------------------

Ship it!

Code change looks good.

- kalyan kumar kalvagadda

On Sept. 25, 2019, 6:54 a.m., Wenchao Li wrote:

> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/71532/
> -----------------------------------------------------------
>
> (Updated Sept. 25, 2019, 6:54 a.m.)
>
> Review request for sentry, Arjun Mishra, kalyan kumar kalvagadda, and Na Li.
>
> Bugs: SENTRY-2533
> https://issues.apache.org/jira/browse/SENTRY-2533
>
> Repository: sentry
>
> Description
> -------
>
> HIVE-20420 (CVE-2018-11777) introduced a fallback authorizer factory which
> disallowed some builtin UDFs such as java_method, reflect, reflect2 and
> in_file. But Sentry does not black in_file up to now, so a malicious user can
> use in_file in SQL queries to detect some specific files on the HS2 host, or
> to detect whether a specific file has specific content. in_file should be
> added to HIVE_UDF_BLACK_LIST.
>
> Diffs
> -----
>
> sentry-binding/sentry-binding-hive-conf/src/main/java/org/apache/sentry/binding/hive/conf/HiveAuthzConf.java 5c433290972d5ffc52ef342678b6b11e48f28cef
> sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtFunctionScope.java c6e14a56004a934a025cc7abb2fe6646e5d36768
>
> Diff: https://reviews.apache.org/r/71532/diff/1/
>
> Testing
> -------
>
> Added a unit test to test if it is properly blacked.
>
> Thanks,
>
> Wenchao Li