Uploaded image for project: 'Spark'
  1. Spark
  2. SPARK-19334

Fix the code injection vulnerability related to Generator functions.

Log workAgile BoardRank to TopRank to BottomAttach filesAttach ScreenshotBulk Copy AttachmentsBulk Move AttachmentsVotersStop watchingWatchersCreate sub-taskConvert to sub-taskLinkCloneLabelsUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Blocker
    • Resolution: Fixed
    • 2.2.0
    • 2.2.0
    • SQL
    • None

    Description

      Similar to SPARK-15165, codegen is in danger of arbitrary code injection. The root cause is how variable names are created by codegen.
      In GenerateExec#codeGenAccessor, a variable name is created like as follows.

      val value = ctx.freshName(name)
      

      The variable `value` is named based on the value of the variable `name` and the value of `name` is from schema given by user so an attacker can attack with queries like as follows.

      SELECT inline(array(cast(struct(1) AS struct<`=new Object() { {f();} public void f() {throw new RuntimeException("This exception is injected.");} public int x;}.x`:int>)))
      

      In the example above, a RuntimeException is thrown but attacker can replace it with arbitrary code.

      Attachments

        Activity

          This comment will be Viewable by All Users Viewable by All Users
          Cancel

          People

            sarutak Kousuke Saruta Assign to me
            sarutak Kousuke Saruta
            Votes:
            0 Vote for this issue
            Watchers:
            4 Stop watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Slack

                Issue deployment