(spark) branch master updated: [SPARK-46965][CORE] Check `logType` in `Utils.getLog`

Fri, 02 Feb 2024 17:22:48 -0800 

This is an automated email from the ASF dual-hosted git repository.

dongjoon pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/spark.git


The following commit(s) were added to refs/heads/master by this push:
     new 84387394c387 [SPARK-46965][CORE] Check `logType` in `Utils.getLog`
84387394c387 is described below

commit 84387394c387c7a6c171714f5d45d517b6bec7af
Author: Dongjoon Hyun <dh...@apple.com>
AuthorDate: Fri Feb 2 17:22:32 2024 -0800

    [SPARK-46965][CORE] Check `logType` in `Utils.getLog`
    
    ### What changes were proposed in this pull request?
    
    This PR aims to check `logType` in `Utils.getLog`.
    
    ### Why are the changes needed?
    
    To prevent security vulnerability.
    
    ### Does this PR introduce _any_ user-facing change?
    
    No. This is a new module which is not released yet.
    
    ### How was this patch tested?
    
    Manually.
    
    **BEFORE**
    ```
    $ sbin/start-master.sh
    $ curl -s 
'http://localhost:8080/logPage/self?logType=../../../../../../etc/nfs.conf' | 
grep NFS
    # nfs.conf: the NFS configuration file
    ```
    
    **AFTER**
    ```
    $ sbin/start-master.sh
    $ curl -s 
'http://localhost:8080/logPage/self?logType=../../../../../../etc/nfs.conf' | 
grep NFS
    ```
    
    For `Spark History Server`, the same check with 18080 port.
    ```
    $ curl -s 
'http://localhost:18080/logPage/self?logType=../../../../../../../etc/nfs.conf' 
| grep NFS
    ```
    
    ### Was this patch authored or co-authored using generative AI tooling?
    
    No
    
    Closes #45006 from dongjoon-hyun/SPARK-46965.
    
    Authored-by: Dongjoon Hyun <dh...@apple.com>
    Signed-off-by: Dongjoon Hyun <dh...@apple.com>
---
 core/src/main/scala/org/apache/spark/deploy/Utils.scala | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/core/src/main/scala/org/apache/spark/deploy/Utils.scala 
b/core/src/main/scala/org/apache/spark/deploy/Utils.scala
index 9bbcc9f314b2..32328ae1e07a 100644
--- a/core/src/main/scala/org/apache/spark/deploy/Utils.scala
+++ b/core/src/main/scala/org/apache/spark/deploy/Utils.scala
@@ -32,6 +32,7 @@ import org.apache.spark.util.logging.RollingFileAppender
  */
 private[deploy] object Utils extends Logging {
   val DEFAULT_BYTES = 100 * 1024
+  val SUPPORTED_LOG_TYPES = Set("stderr", "stdout", "out")
 
   def addRenderLogHandler(page: WebUI, conf: SparkConf): Unit = {
     page.attachHandler(createServletHandler("/log",
@@ -58,6 +59,9 @@ private[deploy] object Utils extends Logging {
       logType: String,
       offsetOption: Option[Long],
       byteLength: Int): (String, Long, Long, Long) = {
+    if (!SUPPORTED_LOG_TYPES.contains(logType)) {
+      return ("Error: Log type must be one of " + 
SUPPORTED_LOG_TYPES.mkString(", "), 0, 0, 0)
+    }
     try {
       // Find a log file name
       val fileName = if (logType.equals("out")) {


---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@spark.apache.org
For additional commands, e-mail: commits-h...@spark.apache.org

Reply via email to