[ https://issues.apache.org/jira/browse/SPARK-49923?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
sunjiangwen updated SPARK-49923:
--------------------------------
    Attachment: inject.png

> Spark task execution with Java execution option has an injection problem
> ------------------------------------------------------------------------
>
>                 Key: SPARK-49923
>                 URL: https://issues.apache.org/jira/browse/SPARK-49923
>             Project: Spark
>          Issue Type: Bug
>          Components: YARN
>    Affects Versions: 3.5.3
>            Reporter: sunjiangwen
>            Priority: Major
>         Attachments: inject.png
>
>
> # We use Spark to perform periodic calculations through Spark tasks preset in our system, and use the calculation results for the reporting system display.
> # Due to different data traffic models in different cities, we provide a web portal maintenance page so that the maintenance staff can dynamically adjust parameters according to the actual situation. The maintenance staff can only set parameters for preset tasks; they do not have the right to access the workstation or run commands on the workstation.
> # The security department of the company finds that there is a risk of command injection in the web portal, which may allow maintenance staff to obtain workstation permissions or run commands on the workstation, so the security department expects us to solve this problem.
> For example, if someone inputs special injection characters (' touch$IFS+command; $IFS is a Linux command, $IFS specifies a space by default), then the injection will happen on the workstation.
> # Enter special characters like touch$IFS+command and pass them to Spark: !image-2024-10-10-19-22-53-500.png!
> # The workstation was successfully injected and the /tmp/zz34 file was created: !image-2024-10-10-19-21-27-139.png!
> # The ExtraJavaOptions parameter was set by the sparkLauncher.setConf method to submit the Spark program. The YARN task submission page displays that the parameters were passed to Spark via the spark.driver.extra.javaOptions parameter: !image-2024-10-10-19-23-56-499.png!
> # We read the Spark source code and found that Spark provides security protection for data such as memory parameters, but does not provide security protection for the extraJavaParam parameter. In view of the above situation, does Spark have security risks? What do you think of this scenario? Can Spark add keyword filtering (such as filtering the $IFS abnormal injection strings) for extraJavaParam parameters to improve the security of Spark? For example, filter exception characters before javaOpts is used: !image-2024-10-10-19-24-27-684.png!

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
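The report asks for filtering of the extra Java options before they reach the YARN launch command, where the shell expands `$IFS`. Below is an added example, not code from the issue or from Spark, of an allowlist validator a web portal could run on the operator-supplied string before calling `SparkLauncher.setConf`; the function names and the set of accepted JVM option shapes are assumptions chosen for illustration.

```python
import re

# Constructed allowlist of JVM option shapes an operator may set. Anything that
# does not match is rejected; there is deliberately no denylist of "$IFS" alone.
_ALLOWED_OPTION = re.compile(
    r"^(?:"
    r"-D[A-Za-z0-9_.\-]+=[A-Za-z0-9_.\-/:,]*"   # -Dkey=value (no quotes, spaces or $)
    r"|-X(?:mx|ms|ss)[0-9]+[kKmMgG]?"            # -Xmx4g, -Xms512m, -Xss1m
    r"|-XX:[+\-][A-Za-z0-9]+"                     # -XX:+UseG1GC
    r"|-XX:[A-Za-z0-9]+=[A-Za-z0-9]+"             # -XX:MaxGCPauseMillis=200
    r")$"
)

# Characters with meaning to the shell that eventually runs the YARN launch script.
_SHELL_META = set("$`;|&<>(){}'\"\\\n\r*?[]!#~")


def validate_extra_java_options(raw: str) -> list[str]:
    """Return the validated option tokens, or raise ValueError.

    First rejects the whole string if any shell metacharacter is present, so a
    '$IFS' never gets the chance to expand to whitespace; then requires every
    whitespace-separated token to match one of the allowed JVM option shapes.
    """
    bad = sorted({c for c in raw if c in _SHELL_META})
    if bad:
        raise ValueError(f"shell metacharacters not allowed: {bad}")
    tokens = raw.split()
    if not tokens:
        raise ValueError("empty option string")
    for tok in tokens:
        if not _ALLOWED_OPTION.match(tok):
            raise ValueError(f"option not in allowlist: {tok!r}")
    return tokens


def is_safe_extra_java_options(raw: str) -> bool:
    """Boolean form for use in a form handler before SparkLauncher.setConf."""
    try:
        validate_extra_java_options(raw)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed samples: a legitimate tuning string and the report's $IFS pattern.
    print(validate_extra_java_options("-Xmx4g -XX:+UseG1GC -Dspark.job.region=shanghai"))
    print(is_safe_extra_java_options("' touch$IFS+command"))  # False
```

Validation belongs at the portal, where the value is still a single option string; once it is embedded in the launch command, quoting alone is much harder to get right.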