This is an automated email from the ASF dual-hosted git repository.

gurwls223 pushed a commit to branch branch-3.1
in repository https://gitbox.apache.org/repos/asf/spark.git


The following commit(s) were added to refs/heads/branch-3.1 by this push:
     new ee1d0c82311 [SPARK-38992][CORE] Avoid using bash -c in 
ShellBasedGroupsMappingProvider
ee1d0c82311 is described below

commit ee1d0c82311e2caebf665e05f3c10d02cbfae196
Author: Hyukjin Kwon <gurwls...@apache.org>
AuthorDate: Fri Apr 22 19:01:05 2022 +0900

    [SPARK-38992][CORE] Avoid using bash -c in ShellBasedGroupsMappingProvider
    
    ### What changes were proposed in this pull request?
    
    This PR proposes to avoid using `bash -c` in 
`ShellBasedGroupsMappingProvider`. Using `bash -c` there could allow users to perform a command injection.
    
    ### Why are the changes needed?
    
    For a security purpose.
    
    ### Does this PR introduce _any_ user-facing change?
    
    Virtually no.
    
    ### How was this patch tested?
    
    Manually tested.
    
    Closes #36315 from HyukjinKwon/SPARK-38992.
    
    Authored-by: Hyukjin Kwon <gurwls...@apache.org>
    Signed-off-by: Hyukjin Kwon <gurwls...@apache.org>
    (cherry picked from commit c83618e4e5fc092829a1f2a726f12fb832e802cc)
    Signed-off-by: Hyukjin Kwon <gurwls...@apache.org>
---
 .../org/apache/spark/security/ShellBasedGroupsMappingProvider.scala  | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git 
a/core/src/main/scala/org/apache/spark/security/ShellBasedGroupsMappingProvider.scala
 
b/core/src/main/scala/org/apache/spark/security/ShellBasedGroupsMappingProvider.scala
index f71dd08246b..7ef8ef165e3 100644
--- 
a/core/src/main/scala/org/apache/spark/security/ShellBasedGroupsMappingProvider.scala
+++ 
b/core/src/main/scala/org/apache/spark/security/ShellBasedGroupsMappingProvider.scala
@@ -30,6 +30,8 @@ import org.apache.spark.util.Utils
 private[spark] class ShellBasedGroupsMappingProvider extends 
GroupMappingServiceProvider
   with Logging {
 
+  private lazy val idPath = Utils.executeAndGetOutput("which" :: "id" :: 
Nil).stripLineEnd
+
   override def getGroups(username: String): Set[String] = {
     val userGroups = getUnixGroups(username)
     logDebug("User: " + username + " Groups: " + userGroups.mkString(","))
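Review bot: Resolving `id` through `which` in the added `idPath` still depends on the process's PATH, so it gives no stronger guarantee than passing `"id"` directly (the process launcher resolves PATH the same way) while adding a runtime dependency on `which` being installed. If the intent is to pin the binary, a fixed or configurable absolute path would do that; otherwise `"id"` alone is simpler. Because this is a `lazy val`, a failure of the `which` call (which presumably makes `executeAndGetOutput` throw) surfaces on the first `getGroups` call rather than at construction, and the initializer is re-run on every subsequent access, so a missing `which` fails every lookup; a comment such as `// resolved lazily; a failure here propagates from getGroups on each call` would make that visible.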
@@ -38,8 +40,7 @@ private[spark] class ShellBasedGroupsMappingProvider extends 
GroupMappingService
 
   // shells out a "bash -c id -Gn username" to get user groups
   private def getUnixGroups(username: String): Set[String] = {
-    val cmdSeq = Seq("bash", "-c", "id -Gn " + username)
     // we need to get rid of the trailing "\n" from the result of command 
execution
-    Utils.executeAndGetOutput(cmdSeq).stripLineEnd.split(" ").toSet
+    Utils.executeAndGetOutput(idPath ::  "-Gn" :: username :: 
Nil).stripLineEnd.split(" ").toSet
   }
 }
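Review bot: The comment above getUnixGroups still says the method shells out `bash -c id -Gn username`, which the new body no longer does; it should read `// runs "id -Gn <username>" directly (no shell) to get user groups`. The new call passes `username` straight after `-Gn`, so a name beginning with `-` would be parsed by `id` as an option rather than a user; on getopt-based `id` implementations `idPath :: "-Gn" :: "--" :: username :: Nil` closes that gap, or the name can be validated against the permitted user-name characters before the call. The double space in `idPath ::  "-Gn"` looks like a typo.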

