[ https://issues.apache.org/jira/browse/PHOENIX-4189?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16159826#comment-16159826 ]
Hadoop QA commented on PHOENIX-4189:
------------------------------------

-1 overall. Here are the results of testing the latest attachment
http://issues.apache.org/jira/secure/attachment/12886224/PHOENIX-4189.001.patch
against master branch at commit 2ad5d4b48c16743b3f3968a858f9da19c14070fa.

ATTACHMENT ID: 12886224

+1 @author. The patch does not contain any @author tags.

+1 tests included. The patch appears to include 3 new or modified tests.

+1 javac. The applied patch does not increase the total number of javac compiler warnings.

+1 release audit. The applied patch does not increase the total number of release audit warnings.

-1 lineLengths. The patch introduces the following lines longer than 100:
+ public static final PrimaryKeyData EMPTY = new PrimaryKeyData(Collections.<String,Object> emptyMap());
+ protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
+ throw new InvalidClassException(desc.getName(), "Expected an instance of PrimaryKeyData");
+ public static PrimaryKeyData deserialize(InputStream input) throws IOException, ClassNotFoundException {
+ throw new InvalidClassException(obj == null ? "null" : obj.getClass().getName(), "Disallowed serialized class");
+ PrimaryKeyData pkCopy = PrimaryKeyData.deserialize(new ByteArrayInputStream(baos.toByteArray()));

+1 core tests. The patch passed unit tests in .

Test results: https://builds.apache.org/job/PreCommit-PHOENIX-Build/1415//testReport/
Console output: https://builds.apache.org/job/PreCommit-PHOENIX-Build/1415//console

This message is automatically generated.
> Avoid direct use of ObjectInputStream in Hive integration
> ---------------------------------------------------------
>
> Key: PHOENIX-4189
> URL: https://issues.apache.org/jira/browse/PHOENIX-4189
> Project: Phoenix
> Issue Type: Bug
> Reporter: Josh Elser
> Assignee: Josh Elser
> Fix For: 4.12.0
>
> Attachments: PHOENIX-4189.001.patch
>
>
> Another security scan ding, but not a very big concern.
> We use ObjectInputStream to serialize/deserialize a Map which contains the
> columns+values of the primary key constraint. The problem with
> ObjectInputStream is that it doesn't care what Class it deserializes. If a
> malicious user can somehow coerce some unknowing user to use an InputSplit
> that has this specially crafted class, we can get into arbitrary code
> execution.
> https://www.ibm.com/developerworks/library/se-lookahead/ outlines a way to
> work around this issue in code, but it leaves a bit to be desired. The
> ObjectInputStream recursively calls itself as it deserializes the fields in
> the Object. By trusting some classes from the packages java.lang, java.util,
> and java.sql, I believe we can remove this minor concern.

-- This message was sent by Atlassian JIRA (v6.4.14#64029)
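The look-ahead approach the issue description refers to, as an added example that is not the Phoenix patch itself: an ObjectInputStream subclass that checks every class descriptor in resolveClass() against an allow-list of java.lang/java.util/java.sql types before any instance is created, then verifies the top-level type. The class and method names and the allow-list contents are assumptions for illustration.

```java
import java.io.*;
import java.util.*;
/** Look-ahead deserialization: resolveClass() sees every class name before an instance
 *  exists, so an unexpected class is rejected without running its readObject()/readResolve(). */
public class LookAheadDeserializer {
    // Assumed allow-list: the types a serialized primary-key Map legitimately contains.
    // java.lang.Number is needed because boxed numerics carry it as a serializable superclass.
    private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
        "java.util.HashMap", "java.lang.String", "java.lang.Integer", "java.lang.Long",
        "java.lang.Number", "java.sql.Timestamp", "java.sql.Date", "java.util.Date"));

    static final class RestrictedObjectInputStream extends ObjectInputStream {
        RestrictedObjectInputStream(InputStream in) throws IOException { super(in); }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (!ALLOWED.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "Disallowed serialized class");
            }
            return super.resolveClass(desc);
        }
    }

    @SuppressWarnings("unchecked")
    public static Map<String, Object> deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new RestrictedObjectInputStream(new ByteArrayInputStream(bytes))) {
            Object obj = in.readObject();
            if (!(obj instanceof Map)) { // top-level type check after the per-class filter, as in the patch
                throw new InvalidClassException(obj == null ? "null" : obj.getClass().getName(), "Expected a Map");
            }
            return (Map<String, Object>) obj;
        }
    }

    public static byte[] serialize(Object obj) throws IOException {
        ByteArrayOutputStream baos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(baos)) { out.writeObject(obj); }
        return baos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        Map<String, Object> pk = new HashMap<>(); // constructed sample primary-key map
        pk.put("id", 42L);
        pk.put("name", "row-1");
        System.out.println("round-trip equal: " + pk.equals(deserialize(serialize(pk))));
        try { // ArrayList is not on the allow-list: rejected before instantiation
            deserialize(serialize(new ArrayList<>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

On Java 9 and later the same allow-list can instead be enforced with java.io.ObjectInputFilter via ObjectInputStream.setObjectInputFilter(), which also lets you cap graph depth and array sizes.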