This is an automated email from the ASF dual-hosted git repository. srowen pushed a commit to branch branch-3.3 in repository https://gitbox.apache.org/repos/asf/spark.git
The following commit(s) were added to refs/heads/branch-3.3 by this push: new 4aa88606295 [SPARK-42922][SQL] Move from Random to SecureRandom 4aa88606295 is described below commit 4aa886062952d715118c92bcb581e8a4f60ccc0a Author: Mridul Muralidharan <mridulatgmail.com> AuthorDate: Mon Mar 27 22:48:05 2023 -0500 [SPARK-42922][SQL] Move from Random to SecureRandom ### What changes were proposed in this pull request? Most uses of `Random` in spark are either in testcases or where we need a pseudo random number which is repeatable. Use `SecureRandom`, instead of `Random` for the cases where it impacts security. ### Why are the changes needed? Use of `SecureRandom` in more security sensitive contexts. This was flagged in our internal scans as well. ### Does this PR introduce _any_ user-facing change? Directly no. Would improve security posture of Apache Spark. ### How was this patch tested? Existing unit tests Closes #40568 from mridulm/SPARK-42922. Authored-by: Mridul Muralidharan <mridulatgmail.com> Signed-off-by: Sean Owen <sro...@gmail.com> (cherry picked from commit 744434358cb0c687b37d37dd62f2e7d837e52b2d) Signed-off-by: Sean Owen <sro...@gmail.com> --- .../src/main/java/org/apache/hive/service/auth/HttpAuthUtils.java | 5 +++-- .../java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java | 4 ++-- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/sql/hive-thriftserver/src/main/java/org/apache/hive/service/auth/HttpAuthUtils.java b/sql/hive-thriftserver/src/main/java/org/apache/hive/service/auth/HttpAuthUtils.java index 4183cba0c68..08a8258db06 100644 --- a/sql/hive-thriftserver/src/main/java/org/apache/hive/service/auth/HttpAuthUtils.java +++ b/sql/hive-thriftserver/src/main/java/org/apache/hive/service/auth/HttpAuthUtils.java @@ -20,11 +20,11 @@ package org.apache.hive.service.auth; import java.security.AccessControlContext; import java.security.AccessController; import java.security.PrivilegedExceptionAction; +import java.security.SecureRandom; import java.util.Arrays; import java.util.HashMap; import java.util.HashSet; import java.util.Map; -import java.util.Random; import java.util.Set; import java.util.StringTokenizer; @@ -57,6 +57,7 @@ public final class HttpAuthUtils { private static final String COOKIE_KEY_VALUE_SEPARATOR = "="; private static final Set<String> COOKIE_ATTRIBUTES = new HashSet<String>(Arrays.asList(COOKIE_CLIENT_USER_NAME, COOKIE_CLIENT_RAND_NUMBER)); + private static final SecureRandom random = new SecureRandom(); /** * @return Stringified Base64 encoded kerberosAuthHeader on success @@ -95,7 +96,7 @@ public final class HttpAuthUtils { sb.append(COOKIE_CLIENT_USER_NAME).append(COOKIE_KEY_VALUE_SEPARATOR).append(clientUserName) .append(COOKIE_ATTR_SEPARATOR); sb.append(COOKIE_CLIENT_RAND_NUMBER).append(COOKIE_KEY_VALUE_SEPARATOR) - .append((new Random(System.currentTimeMillis())).nextLong()); + .append(random.nextLong()); return sb.toString(); } diff --git a/sql/hive-thriftserver/src/main/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java b/sql/hive-thriftserver/src/main/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java index f0f5cdcd38f..712b1d49eac 100644 --- a/sql/hive-thriftserver/src/main/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java +++ b/sql/hive-thriftserver/src/main/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java @@ -20,8 +20,8 @@ package org.apache.hive.service.cli.thrift; import java.io.IOException; import java.io.UnsupportedEncodingException; import java.security.PrivilegedExceptionAction; +import java.security.SecureRandom; import java.util.Map; -import java.util.Random; import java.util.Set; import java.util.concurrent.TimeUnit; @@ -76,7 +76,7 @@ public class ThriftHttpServlet extends TServlet { // Class members for cookie based authentication. private CookieSigner signer; public static final String AUTH_COOKIE = "hive.server2.auth"; - private static final Random RAN = new Random(); + private static final SecureRandom RAN = new SecureRandom(); private boolean isCookieAuthEnabled; private String cookieDomain; private String cookiePath; --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@spark.apache.org For additional commands, e-mail: commits-h...@spark.apache.org