[ https://issues.apache.org/jira/browse/HAWQ-59?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Goden Yao closed HAWQ-59.
-------------------------
       Resolution: Not A Problem
    Fix Version/s: 2.0.0.0-incubating

> Path Manipulation: HdfsAnalyzer.java
> ------------------------------------
>
>                 Key: HAWQ-59
>                 URL: https://issues.apache.org/jira/browse/HAWQ-59
>             Project: Apache HAWQ
>          Issue Type: Bug
>          Components: PXF
>            Reporter: Goden Yao
>            Assignee: Goden Yao
>            Priority: Critical
>              Labels: Security
>             Fix For: 2.0.0.0-incubating
>
>
> From security tool scanning: Attackers can control the filesystem path
> argument to setInputPaths() at
> [HdfsAnalyzer.java|https://github.com/apache/incubator-hawq/blob/master/pxf/pxf-hdfs/src/main/java/com/pivotal/pxf/plugins/hdfs/HdfsAnalyzer.java]
> line 128, which allows them to access or modify otherwise protected files.
> {code:java}
> Ln 128: private ArrayList<InputSplit> getSplits(Path path) throws IOException {
>     PxfInputFormat fformat = new PxfInputFormat();
>     PxfInputFormat.setInputPaths(jobConf, path);
>     ...
> }
> {code}
> _setInputPaths()_ uses a parameter passed from user:
> {code:java}
> Ln 59: @Override
> public AnalyzerStats getEstimatedStats(String datapath) throws Exception {
>     long blockSize = 0;
>     long numberOfBlocks;
>     Path *path* = new Path(HdfsUtilities.absoluteDataPath(datapath));
>     ArrayList<InputSplit> splits = getSplits(path);
>     ...
> }
> {code}

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
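For the class of finding the scanner reports above (a caller-supplied string becoming a filesystem path), one common mitigation is to normalize the path and confine it to an allowed subtree before it is used. The following is an added example, not HAWQ/PXF code; the class name, method names and the `ALLOWED_ROOT` value are assumptions made for illustration.

```java
import java.util.ArrayDeque;
import java.util.Deque;

// Added example, not HAWQ/PXF code. All names and ALLOWED_ROOT are hypothetical.
public class DataPathGuard {
    // Assumption: the deployment restricts analysis to one HDFS subtree.
    static final String ALLOWED_ROOT = "/data/external";

    /** Resolve "." and ".." lexically in an HDFS-style path; returns an absolute path. */
    static String normalize(String raw) {
        if (raw == null || raw.isEmpty() || raw.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("empty or malformed path");
        }
        Deque<String> parts = new ArrayDeque<>();
        for (String seg : raw.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) {
                continue;                        // skip "//" and "."
            }
            if (seg.equals("..")) {
                if (parts.isEmpty()) {
                    throw new IllegalArgumentException("path climbs above root");
                }
                parts.removeLast();              // step back one directory
            } else {
                parts.addLast(seg);
            }
        }
        return "/" + String.join("/", parts);
    }

    /** Return the normalized path only if it stays inside ALLOWED_ROOT. */
    static String confine(String datapath) {
        String norm = normalize(datapath);
        // Compare on a segment boundary so "/data/external-other" does not match.
        if (!norm.equals(ALLOWED_ROOT) && !norm.startsWith(ALLOWED_ROOT + "/")) {
            throw new SecurityException("path outside allowed root: " + norm);
        }
        return norm;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one valid, one traversal, one prefix look-alike, one messy.
        String[] samples = {"data/external/sales/2015.csv", "/data/external/../../user/other/file",
                            "/data/external-other/x", "/data/external/./a//b"};
        for (String s : samples) {
            try {
                System.out.println(s + " -> " + confine(s));
            } catch (RuntimeException e) {
                System.out.println(s + " -> rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

This is a lexical check only; filesystem permissions on the underlying store remain the enforcing control.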