[
https://issues.apache.org/jira/browse/SENTRY-2533?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Wenchao Li updated SENTRY-2533:
-------------------------------
Description: HIVE-20420(CVE-2018-11777) introduced a fallback authorizer
factory which disallowed some builtin UDFs such as java_method, reflect,
reflect2 and in_file. But Sentry does not black in_file up to now, so a
malicious user can use in_file in SQL queries to detect some specific files on
the HS2 host, or to detect whether a specific file has specific content.
in_file should be added to HIVE_UDF_BLACK_LIST. (was:
HIVE-20420(CVE-2018-11777) introduced a fallback authorizer factory which
disallowed some builtin UDFS such as java_method, reflect, reflect2 and
in_file. But Sentry does not black in_file up to now, so a malicious user can
use in_file in SQL queries to detect some specific files on the HS2 host, or to
detect whether a specific file has specific content. in_file should be added to
HIVE_UDF_BLACK_LIST.)
> The UDF in_file should be blacked defaultly
> -------------------------------------------
>
> Key: SENTRY-2533
> URL: https://issues.apache.org/jira/browse/SENTRY-2533
> Project: Sentry
> Issue Type: New Feature
> Components: Sentry
> Affects Versions: 2.1.0
> Reporter: Wenchao Li
> Priority: Major
> Labels: security
>
> HIVE-20420(CVE-2018-11777) introduced a fallback authorizer factory which
> disallowed some builtin UDFs such as java_method, reflect, reflect2 and
> in_file. But Sentry does not black in_file up to now, so a malicious user can
> use in_file in SQL queries to detect some specific files on the HS2 host, or
> to detect whether a specific file has specific content. in_file should be
> added to HIVE_UDF_BLACK_LIST.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
