Blocker Description
Similar to SPARK-15165, codegen is in danger of arbitrary code injection. The root cause is how variable names are created by codegen.
In GenerateExec#codeGenAccessor, a variable name is created like as follows.
val value = ctx.freshName(name)
The variable `value` is named based on the value of the variable `name` and the value of `name` is from schema given by user so an attacker can attack with queries like as follows.
SELECT inline(array(cast(struct(1) AS struct<`=new Object() { {f();} public void f() {throw new RuntimeException("This exception is injected.");} public int x;}.x`:int>)))
In the example above, a RuntimeException is thrown but attacker can replace it with arbitrary code.
