Uploaded image for project: 'Hadoop YARN'
  1. Hadoop YARN
  2. YARN-3611 Support Docker Containers In LinuxContainerExecutor
  3. YARN-8207

Docker container launch use popen have risk of shell expansion

    XMLWordPrintableJSON

Details

    • Sub-task
    • Status: Resolved
    • Blocker
    • Resolution: Fixed
    • 3.0.0, 3.1.0, 3.0.1, 3.0.2
    • 3.2.0, 3.1.1
    • yarn-native-services
    • Reviewed

    Description

      Container-executor code utilize a string buffer to construct docker run command, and pass the string buffer to popen for execution. Popen spawn a shell to run the command. Some arguments for docker run are still vulnerable to shell expansion. The possible solution is to convert from char * buffer to string array for execv to avoid shell expansion.

      Attachments

        1. YARN-8207.001.patch
          128 kB
          Eric Yang
        2. YARN-8207.002.patch
          128 kB
          Eric Yang
        3. YARN-8207.003.patch
          126 kB
          Eric Yang
        4. YARN-8207.004.patch
          125 kB
          Eric Yang
        5. YARN-8207.005.patch
          125 kB
          Eric Yang
        6. YARN-8207.006.patch
          125 kB
          Eric Yang
        7. YARN-8207.007.patch
          126 kB
          Eric Yang
        8. YARN-8207.008.patch
          126 kB
          Eric Yang
        9. YARN-8207.009.patch
          127 kB
          Eric Yang
        10. YARN-8207.010.patch
          127 kB
          Eric Yang

        Issue Links

          Activity

            People

              eyang Eric Yang
              eyang Eric Yang
              Votes:
              0 Vote for this issue
              Watchers:
              8 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: