[ https://issues.apache.org/jira/browse/SPARK-19334?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15836841#comment-15836841 ]
Kousuke Saruta commented on SPARK-19334:
----------------------------------------

[~hvanhovell] Thanks. The affects version was also 2.2.0(SNAPSHOT) so I've changed it.

> Fix the code injection vulnerability related to Generator functions.
> --------------------------------------------------------------------
>
>                 Key: SPARK-19334
>                 URL: https://issues.apache.org/jira/browse/SPARK-19334
>             Project: Spark
>          Issue Type: Bug
>          Components: SQL
>    Affects Versions: 2.2.0
>            Reporter: Kousuke Saruta
>            Assignee: Kousuke Saruta
>            Priority: Blocker
>             Fix For: 2.2.0
>
>
> Similar to SPARK-15165, codegen is in danger of arbitrary code injection. The root cause is how variable names are created by codegen.
> In GenerateExec#codeGenAccessor, a variable name is created as follows.
> {code}
> val value = ctx.freshName(name)
> {code}
> The variable `value` is named based on the value of the variable `name`, and the value of `name` comes from the schema given by the user, so an attacker can attack with queries like the following.
> {code}
> SELECT inline(array(cast(struct(1) AS struct<`=new Object() { {f();} public void f() {throw new RuntimeException("This exception is injected.");} public int x;}.x`:int>)))
> {code}
> In the example above, a RuntimeException is thrown but the attacker can replace it with arbitrary code.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
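A reduced model of the pattern the issue describes, added here as an example and not Spark's own code: a `freshName`-style helper that uses a user-supplied schema field name verbatim as a Java variable prefix, beside a hardened version that reduces the hint to a safe identifier before it can reach generated source. `CodegenContext`, `fresh_name`, `gen_accessor` and the `input.getInt(...)` accessor shape are assumptions of this example; the field name used as input is the one from the issue's query.

```python
import re

# ASCII-only Java identifier: letter or underscore, then letters, digits, underscores.
# Java also allows '$' and Unicode letters, but an allow-list this narrow is the safer
# choice for a name that is spliced into generated source text.
_SAFE_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

# Field name taken from the query in the issue: a struct field whose *name* is a Java expression.
INJECTED_FIELD_NAME = ('=new Object() { {f();} public void f() {throw new RuntimeException('
                       '"This exception is injected.");} public int x;}.x')


class CodegenContext:
    """Hypothetical stand-in for the part of a codegen context that hands out fresh
    variable names (not Spark's CodegenContext)."""

    def __init__(self):
        self._counter = 0

    def fresh_name_unsafe(self, name):
        # Vulnerable pattern: the caller-supplied hint is used verbatim, so whatever a
        # user wrote in a schema field name becomes part of the generated Java source.
        self._counter += 1
        return f"{name}{self._counter}"

    def fresh_name(self, name):
        # Hardened: map every character outside the allow-list to '_', guard against a
        # leading digit or an empty hint, and bound the length so generated code stays
        # readable. The numeric suffix keeps names unique after truncation and also
        # guarantees the result can never collide with a Java keyword.
        hint = re.sub(r"[^A-Za-z0-9_]", "_", name)[:32]
        if not hint or hint[0].isdigit():
            hint = "value_" + hint
        self._counter += 1
        return f"{hint}_{self._counter}"


def is_safe_java_identifier(name):
    return _SAFE_IDENT.match(name) is not None


def gen_accessor(ctx, field_name, ordinal, java_type="int", safe=True):
    # Mirrors the shape of a generated accessor: declare a local and read one column.
    value = ctx.fresh_name(field_name) if safe else ctx.fresh_name_unsafe(field_name)
    getter = "get" + java_type.capitalize()  # e.g. getInt
    return f"final {java_type} {value} = input.{getter}({ordinal});"


if __name__ == "__main__":
    print(gen_accessor(CodegenContext(), INJECTED_FIELD_NAME, 0, safe=False))
    print(gen_accessor(CodegenContext(), INJECTED_FIELD_NAME, 0, safe=True))
```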