[GitHub] [hadoop] slfan1989 commented on a diff in pull request #5382: YARN-8972. [Router] Add support to prevent DoS attack over ApplicationSubmissionContext size.

Fri, 17 Feb 2023 21:28:55 -0800 


slfan1989 commented on code in PR #5382:
URL: https://github.com/apache/hadoop/pull/5382#discussion_r1110636193


##########
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-router/src/main/java/org/apache/hadoop/yarn/server/router/RouterServerUtil.java:
##########
@@ -624,4 +636,109 @@ public static ReservationDefinition 
convertReservationDefinition(
 
     return definition;
   }
+
+  /**
+   * Checks if the ApplicationSubmissionContext submitted with the application
+   * is valid.
+   *
+   * Current checks:
+   * - if its size is within limits.
+   *
+   * @param appContext the app context to check.
+   * @throws IOException if an IO error occurred.
+   * @throws YarnException yarn exception.
+   */
+  @Public
+  @Unstable
+  public static void 
checkAppSubmissionContext(ApplicationSubmissionContextPBImpl appContext,
+      Configuration conf) throws IOException, YarnException {
+    // Prevents DoS over the ApplicationClientProtocol by checking the context
+    // the application was submitted with for any excessively large fields.
+    long maxAscSize = 
conf.getLong(YarnConfiguration.ROUTER_ASC_INTERCEPTOR_MAX_SIZE,
+        YarnConfiguration.DEFAULT_ROUTER_ASC_INTERCEPTOR_MAX_SIZE);
+    if (appContext != null) {
+      int size = appContext.getProto().getSerializedSize();
+      if (size >= maxAscSize) {
+        logContainerLaunchContext(appContext);
+        String errMsg = "The size of the ApplicationSubmissionContext of the 
application " +
+            appContext.getApplicationId() + " is above the limit. Size= " + 
size;
+        throw new YarnException(errMsg);
+      }
+    }
+  }
+
+  /**
+   * Private helper for checkAppSubmissionContext that logs the fields in the
+   * context for debugging.
+   *
+   * @param appContext the app context.
+   * @throws IOException if an IO error occurred.
+   */
+  @Private
+  @Unstable
+  private static void 
logContainerLaunchContext(ApplicationSubmissionContextPBImpl appContext)
+      throws IOException {
+    if (appContext != null && appContext.getAMContainerSpec() != null) {

Review Comment:
   Thanks for your suggestion, I will modify the code.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

Reply via email to