sunjiangwen created SPARK-49923:
-----------------------------------

             Summary: Spark task execution with Java execution option has an 
injection problem
                 Key: SPARK-49923
                 URL: https://issues.apache.org/jira/browse/SPARK-49923
             Project: Spark
          Issue Type: Bug
          Components: YARN
    Affects Versions: 3.5.3
            Reporter: sunjiangwen


# We use Spark to perform periodic calculations through Spark tasks preset in 
our system, and use the calculation results for display in a reporting system;
 # Because the data traffic model differs between cities, we provide a 
web portal maintenance page so that the maintenance staff can dynamically 
adjust parameters according to the actual situation. The maintenance staff can 
only set parameters for preset tasks; they do not have the right to access the 
workstation or run commands on the workstation.
 # The company's security department found that there is a risk of 
command injection in the web portal, which may allow maintenance staff to 
obtain workstation permissions or run commands on the workstation, so the 
security department expects us to solve this problem.

For example, if someone inputs special injection characters (e.g. 
touch$IFS+command; $IFS is a Linux command, and $IFS specifies a space by 
default), then the injection will happen on the workstation.
 # Enter special characters like touch$IFS+command and pass them to Spark: 
!image-2024-10-10-19-22-53-500.png!
 # The workstation was successfully injected and the /tmp/zz34 file was created: 
!image-2024-10-10-19-21-27-139.png!
 # The extraJavaOptions parameter was set by the SparkLauncher.setConf method 
when submitting the Spark program. The YARN task submission page shows that the 
parameters were passed to Spark via the spark.driver.extra.javaOptions parameter: 
!image-2024-10-10-19-23-56-499.png!
 # We read the Spark source code and found that Spark provides security 
protection for data such as memory parameters, but does not provide security 
protection for the extraJavaParam parameter. In view of the above situation, does 
Spark have security risks? What do you think of this scenario? Can Spark add 
keyword filtering (such as filtering the $IFS abnormal injection strings) for 
extraJavaParam parameters to improve the security of Spark? For example, filter 
exceptional characters before javaOpts is used: 
!image-2024-10-10-19-24-27-684.png!



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
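The check below is an added example and is not part of the Jira report above nor of Spark's own code. It shows what a web portal could do with operator-supplied JVM options before handing them to SparkLauncher.setConf("spark.driver.extraJavaOptions", ...). It goes beyond the $IFS keyword filter the reporter proposes: instead of blocklisting one known-bad string it allowlists the option shapes the portal expects, and it shell-quotes the accepted tokens so that, if they are later interpolated into a bash command line (such as the launch_container.sh script YARN generates), they reach java verbatim. The allowlist policy, the function names and every sample input are assumptions constructed for illustration.

```python
"""
Added example, not part of the Jira report and not Spark's own code: an input
check a web portal could run on operator-supplied JVM options before calling
SparkLauncher.setConf("spark.driver.extraJavaOptions", ...).

The allowlist policy and all sample inputs are constructed for illustration.
"""
import re
import shlex
from typing import List

# Hypothetical portal policy: only these option shapes are forwarded.
_ALLOWED = [
    re.compile(r"^-Xm[sx][0-9]+[kKmMgG]$"),                  # -Xms512m, -Xmx2g
    re.compile(r"^-XX:[+-][A-Za-z0-9]+$"),                   # -XX:+UseG1GC
    re.compile(r"^-XX:[A-Za-z0-9]+=[0-9]+[kKmMgG]?$"),       # -XX:MaxGCPauseMillis=200
    re.compile(r"^-D[A-Za-z0-9_.]+=[A-Za-z0-9_./:@,-]*$"),   # -Dapp.city=shanghai
]

# Characters bash treats specially; checked first so the rejection reason is explicit.
_SHELL_META = set(" \t\n\r;&|<>`$(){}\\'\"*?!~#")


def naive_ifs_filter(opts: str) -> bool:
    """The keyword filter the report suggests: True when the input would be blocked.
    Included only to show that ${IFS}, $(...) and ';' slip past it."""
    return "$IFS" in opts


def validate_java_opts(opts: str) -> List[str]:
    """Split opts the way a shell would and accept it only if every token
    matches an allowed shape.  Raises ValueError naming the offending token."""
    try:
        tokens = shlex.split(opts, posix=True)
    except ValueError as exc:
        raise ValueError(f"unbalanced quoting in java options: {exc}") from None
    if not tokens:
        raise ValueError("empty java options")
    for tok in tokens:
        bad = next((c for c in tok if c in _SHELL_META), None)
        if bad is not None:
            raise ValueError(f"shell metacharacter {bad!r} in java option {tok!r}")
        if not any(p.match(tok) for p in _ALLOWED):
            raise ValueError(f"java option not in allowlist: {tok!r}")
    return tokens


def check_java_opts(opts: str) -> str:
    """Return '' when opts is acceptable, otherwise the rejection reason."""
    try:
        validate_java_opts(opts)
    except ValueError as exc:
        return str(exc)
    return ""


def render_for_shell(tokens: List[str]) -> str:
    """Single-quote each accepted token so no expansion happens if the value
    is later interpolated into a bash -c command line."""
    return " ".join(shlex.quote(t) for t in tokens)


if __name__ == "__main__":
    samples = [                                      # constructed inputs
        "-Xmx2g -XX:+UseG1GC -Dapp.city=shanghai",   # what an operator should send
        "-Dx=touch$IFS/tmp/zz34",                    # the $IFS trick from the report
        "-Dx=touch${IFS}/tmp/zz34",                  # same idea, bypasses a '$IFS' keyword filter
        "-Dx=a;touch /tmp/zz34",                     # plain command separator
        "-Dx=$(id)",                                 # command substitution
        "-Xmx2g -javaagent:/tmp/evil.jar",           # no metacharacters, still unwanted
    ]
    for s in samples:
        reason = check_java_opts(s) or "accepted"
        print(f"{s!r:45} ifs_filter_blocks={naive_ifs_filter(s)!s:5} allowlist={reason}")
    print(render_for_shell(validate_java_opts(samples[0])))
```

Two design points worth noting. The allowlist rejects -javaagent even though it contains nothing a shell would expand, because loading an arbitrary agent jar is code execution in the JVM regardless of how the command line is built; a metacharacter blocklist alone cannot express that. And quoting is kept as a separate, second layer: validation decides what the portal accepts, shlex.quote decides how an accepted value survives a trip through bash, and neither is a substitute for the other.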
