https://issues.apache.org/jira/browse/PHOENIX-4189?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16159826#comment-16159826
Hadoop QA commented on PHOENIX-4189:
------------------------------------
-1 overall. Here are the results of testing the latest attachment
http://issues.apache.org/jira/secure/attachment/12886224/PHOENIX-4189.001.patch
against master branch at commit 2ad5d4b48c16743b3f3968a858f9da19c14070fa.

ATTACHMENT ID: 12886224

+1 @author. The patch does not contain any @author tags.

+1 tests included. The patch appears to include 3 new or modified tests.

+1 javac. The applied patch does not increase the total number of javac compiler warnings.

+1 release audit. The applied patch does not increase the total number of release audit warnings.

-1 lineLengths. The patch introduces the following lines longer than 100:
+ public static final PrimaryKeyData EMPTY = new PrimaryKeyData(Collections.<String,Object> emptyMap());
+ protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
+ throw new InvalidClassException(desc.getName(), "Expected an instance of PrimaryKeyData");
+ public static PrimaryKeyData deserialize(InputStream input) throws IOException, ClassNotFoundException {
+ throw new InvalidClassException(obj == null ? "null" : obj.getClass().getName(), "Disallowed serialized class");
+ PrimaryKeyData pkCopy = PrimaryKeyData.deserialize(new ByteArrayInputStream(baos.toByteArray()));

+1 core tests. The patch passed unit tests in .

Test results: https://builds.apache.org/job/PreCommit-PHOENIX-Build/1415//testReport/
Console output: https://builds.apache.org/job/PreCommit-PHOENIX-Build/1415//console

This message is automatically generated.
This message is automatically generated.
> Avoid direct use of ObjectInputStream in Hive integration
> ---------------------------------------------------------
>
> Key: PHOENIX-4189
> URL: https://issues.apache.org/jira/browse/PHOENIX-4189
> Project: Phoenix
> Issue Type: Bug
> Reporter: Josh Elser
> Assignee: Josh Elser
> Fix For: 4.12.0
>
> Attachments: PHOENIX-4189.001.patch
>
>
> Another security scan ding, but not a very big concern.
> We use ObjectInputStream to serialize/deserialize a Map which contains the
> columns+values of the primary key constraint. The problem with
> ObjectInputStream is that it doesn't care what Class it deserializes. If a
> malicious user can somehow coerce some unknowing user to use an InputSplit
> that has this specially crafted class, we can get into arbitrary code
> execution.
> https://www.ibm.com/developerworks/library/se-lookahead/ outlines a way to
> work around this issue in code, but it leaves a bit to be desired. The
> ObjectInputStream recursively calls itself as it deserializes the fields in
> the Object. By trusting some classes from the packages java.lang, java.util,
> and java.sql, I believe we can remove this minor concern.
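The look-ahead technique the issue describes, as an added, self-contained example (not the Phoenix patch itself): an ObjectInputStream subclass whose resolveClass override rejects any class descriptor outside an allow-list before the JVM instantiates anything, followed by a type check on the final result. The PrimaryKeyData and Unexpected classes, the serialize helper and the main driver are stand-ins constructed here; the trusted prefixes java.lang, java.util and java.sql are the ones the issue proposes.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.HashMap;
import java.util.Map;

public class LookAheadDeserializeExample {

    // Hypothetical stand-in for the primary-key map carried in an InputSplit.
    static final class PrimaryKeyData implements Serializable {
        private static final long serialVersionUID = 1L;
        private final HashMap<String, Object> data;
        PrimaryKeyData(Map<String, Object> data) { this.data = new HashMap<>(data); }
        Map<String, Object> getData() { return data; }
    }

    // Hypothetical Serializable class an attacker might place in a crafted split.
    // Any class not on the allow-list must be refused before it is instantiated.
    static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
        private final String payload = "not a primary key";
    }

    // Package prefixes the issue proposes to trust, plus the one expected top-level type.
    static final String[] TRUSTED_PREFIXES = {"java.lang.", "java.util.", "java.sql."};

    static boolean isTrusted(String className) {
        if (className.equals(PrimaryKeyData.class.getName())) return true;
        for (String prefix : TRUSTED_PREFIXES) {
            if (className.startsWith(prefix)) return true;
        }
        return false;
    }

    // Look-ahead stream: resolveClass is invoked for every class descriptor in the
    // stream (the top-level object, its fields, superclasses and nested values)
    // before any instance of that class is created, so rejecting here stops
    // gadget classes from ever being constructed.
    static final class LookAheadObjectInputStream extends ObjectInputStream {
        LookAheadObjectInputStream(InputStream in) throws IOException { super(in); }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (!isTrusted(name)) {
                throw new InvalidClassException(name, "Disallowed serialized class");
            }
            return super.resolveClass(desc);
        }
    }

    static PrimaryKeyData deserialize(InputStream input)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new LookAheadObjectInputStream(input)) {
            Object obj = ois.readObject();
            // Second line of defence: the stream may only have carried trusted
            // classes, but the top-level object must still be the expected type.
            if (!(obj instanceof PrimaryKeyData)) {
                throw new InvalidClassException(obj == null ? "null" : obj.getClass().getName(),
                        "Expected an instance of PrimaryKeyData");
            }
            return (PrimaryKeyData) obj;
        }
    }

    // Plain ObjectOutputStream serialization, used only to build test input.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream baos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(baos)) {
            oos.writeObject(o);
        }
        return baos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample primary key: a java.util.HashMap of java.lang values.
        Map<String, Object> pk = new HashMap<>();
        pk.put("id", 42L);
        pk.put("name", "alice");
        PrimaryKeyData copy = deserialize(new ByteArrayInputStream(serialize(new PrimaryKeyData(pk))));
        System.out.println("accepted: " + copy.getData());

        // A stream whose top-level class is off the allow-list is refused in resolveClass.
        try {
            deserialize(new ByteArrayInputStream(serialize(new Unexpected())));
            System.out.println("BUG: disallowed class was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.classname + " (" + e.getMessage() + ")");
        }
    }
}
```

Two caveats for anyone adapting this. First, resolveClass also sees array descriptors (for example "[J" for long[]) and enum classes, so a value map that carries arrays needs those names allowed explicitly or they will be rejected. Second, a package-prefix allow-list is still broader than an explicit set of classes; on Java 9 and later (and 8u121+ via the backport) the same policy is better expressed with java.io.ObjectInputFilter, which the JVM applies at the same point in the stream without a custom subclass.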