[ https://issues.apache.org/jira/browse/SPARK-19334?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kousuke Saruta updated SPARK-19334:
-----------------------------------
    Affects Version/s:     (was: 2.1.0)
                       2.2.0

> Fix the code injection vulnerability related to Generator functions.
> --------------------------------------------------------------------
>
>                 Key: SPARK-19334
>                 URL: https://issues.apache.org/jira/browse/SPARK-19334
>             Project: Spark
>          Issue Type: Bug
>          Components: SQL
>    Affects Versions: 2.2.0
>            Reporter: Kousuke Saruta
>            Assignee: Kousuke Saruta
>            Priority: Blocker
>             Fix For: 2.2.0
>
>
> Similar to SPARK-15165, codegen is in danger of arbitrary code injection. The
> root cause is how variable names are created by codegen.
> In GenerateExec#codeGenAccessor, a variable name is created as follows.
> {code}
> val value = ctx.freshName(name)
> {code}
> The variable `value` is named based on the value of the variable `name`, and
> the value of `name` comes from the schema given by the user, so an attacker can
> attack with queries such as the following.
> {code}
> SELECT inline(array(cast(struct(1) AS struct<`=new Object() { {f();} public void f() {throw new RuntimeException("This exception is injected.");} public int x;}.x`:int>)))
> {code}
> In the example above, a RuntimeException is thrown, but an attacker can replace
> it with arbitrary code.
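The defect the issue describes is a user-controlled string (a struct field name from the query's schema) being spliced verbatim into generated Java source. The mitigation is the same one used for any templated code generation: restrict the string to identifier characters before it reaches the generated source. The following stand-alone Python illustration is added here and is not Spark's code; `CodegenContext`, `fresh_name`, `fresh_name_unsafe` and `gen_accessor` are simplified stand-ins for `ctx.freshName` and `GenerateExec#codeGenAccessor`, the Java keyword list is assumed from the language specification, and the field name is the one from the issue's own example query.

```python
import re

# Constructed illustration of the SPARK-19334 failure mode and its mitigation.
# Not Spark's code: CodegenContext / fresh_name / gen_accessor are stand-ins for
# ctx.freshName and GenerateExec#codeGenAccessor, and the generated Java is
# reduced to a single accessor statement.

# Java reserved words a sanitised name must not collide with (assumed list,
# taken from the Java language specification).
JAVA_KEYWORDS = frozenset("""
abstract assert boolean break byte case catch char class const continue default
do double else enum extends final finally float for goto if implements import
instanceof int interface long native new package private protected public return
short static strictfp super switch synchronized this throw throws transient try
void volatile while true false null
""".split())

_IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def is_java_identifier(s: str) -> bool:
    """True if s is a plain ASCII Java identifier and not a keyword."""
    return bool(_IDENT_RE.match(s)) and s not in JAVA_KEYWORDS


def sanitize_identifier(name: str) -> str:
    """Map an arbitrary user-supplied string onto a safe identifier fragment.

    Allow-list approach: every character outside [A-Za-z0-9_] becomes '_',
    a leading digit (or empty input) gets a '_' prefix, and a keyword gets a
    '_' suffix. Whatever the schema author typed, the Java compiler can only
    ever read the result as a single identifier token.
    """
    cleaned = re.sub(r"[^A-Za-z0-9_]", "_", name)
    if not cleaned or cleaned[0].isdigit():
        cleaned = "_" + cleaned
    if cleaned in JAVA_KEYWORDS:
        cleaned += "_"
    return cleaned


class CodegenContext:
    """Minimal stand-in for a codegen context that hands out unique variable names."""

    def __init__(self) -> None:
        self._counters: dict[str, int] = {}

    def fresh_name_unsafe(self, name: str) -> str:
        # The pattern the issue describes: the user-controlled name is used as-is,
        # so anything the schema contains lands in the generated source.
        n = self._counters.get(name, 0)
        self._counters[name] = n + 1
        return f"{name}{n}"

    def fresh_name(self, name: str) -> str:
        # Hardened: restrict to identifier characters before numbering.
        base = sanitize_identifier(name)
        n = self._counters.get(base, 0)
        self._counters[base] = n + 1
        return f"{base}{n}"


def gen_accessor(ctx: CodegenContext, field_name: str, ordinal: int, safe: bool = True) -> str:
    """Emit one line of (simplified) Java that reads a struct field into a local."""
    value = ctx.fresh_name(field_name) if safe else ctx.fresh_name_unsafe(field_name)
    return f"Object {value} = row.get({ordinal});"


# Constructed input: the field name from the issue's example query. It is a
# legal SQL identifier when back-quoted, but a Java expression once spliced
# into source.
INJECTED_FIELD_NAME = (
    '=new Object() { {f();} public void f() '
    '{throw new RuntimeException("This exception is injected.");} public int x;}.x'
)

if __name__ == "__main__":
    ctx = CodegenContext()
    print("unsafe:", gen_accessor(ctx, INJECTED_FIELD_NAME, 0, safe=False))
    print("safe:  ", gen_accessor(ctx, INJECTED_FIELD_NAME, 0))
```

Run as a script, the unsafe line shows the schema text becoming Java code in the accessor statement, while the safe line contains only an underscore-mangled identifier. A reviewer looking for this class of bug in a code generator checks every interpolation site for the same property: the interpolated value is either a constant under the generator's control or has passed through an allow-list such as `sanitize_identifier`.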



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
