[ https://issues.apache.org/jira/browse/SPARK-49923?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17888619#comment-17888619 ]
sunjiangwen edited comment on SPARK-49923 at 10/11/24 12:02 PM:
----------------------------------------------------------------

[~cloud_fan] [~prashanthmenon] [~joshrosen] For this issue, my solution is to add a configuration item, which is similar to adding a pure mode for JVM parameters. This configuration item is disabled by default. If you do not need to customize JVM parameters, you can enable this parameter. JVM parameters cannot be configured, which prevents command injection. The JVM parameters include *spark.driver.defaultJavaOptions*, *spark.driver.extraJavaOptions*, *spark.executor.defaultJavaOptions* and *spark.executor.extraJavaOptions*. The advantage is that this configuration item can completely prevent command injection in this case, which is more secure when custom JVM parameters are not required.

> Spark task execution with Java execution option has an injection problem
> ------------------------------------------------------------------------
>
>                 Key: SPARK-49923
>                 URL: https://issues.apache.org/jira/browse/SPARK-49923
>             Project: Spark
>          Issue Type: Bug
>          Components: YARN
>    Affects Versions: 3.5.3
>            Reporter: sunjiangwen
>            Priority: Major
>         Attachments: inject.png, srcfilter.PNG, yarn.PNG
>
>
> 1. We use Spark to perform periodic calculations through Spark tasks preset in our system, and use the calculation results for the reporting system display;
> 2. Due to different data traffic models in different cities, we provide a web portal maintenance page, so that the maintenance staff can dynamically adjust parameters according to the actual situation. The maintenance staff can only set parameters for preset tasks; they do not have the right to access the workstation or run commands on the workstation.
> 3. The security department of the company finds that there is a risk of command injection in the web portal, which may allow maintenance staff to obtain workstation permissions or run commands on the workstation, so the security department expects us to solve this problem.
> For example, if someone inputs special injection characters (' touch$IFS+command; $IFS is a Linux command, $IFS specifies a space by default), then the injection will happen on the workstation.
> 1. Enter special characters like touch$IFS+command and pass them to Spark.
> 2. The workstation was successfully injected and the /tmp/zz34 file was created:
> !inject.png!
> 3. The extraJavaOptions parameter was set by the sparkLauncher.setConf method when submitting the Spark program. The Yarn task submission page displays that the parameter was passed to Spark by the spark.driver.extra.javaOptions parameter:
> !yarn.PNG!
> 4. We read the Spark source code and found that Spark provides security protection for data such as memory parameters, but does not provide security protection for the extraJavaParam parameter. In view of the above situation, does Spark have security risks? What do you think of this scenario?
> !srcfilter.PNG!
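An added example (not code from the Spark project or from the reporter) of the two defenses discussed in this thread, written in Python for the portal side that builds the conf map before it reaches SparkLauncher.setConf: the opt-in "pure mode" that refuses the four JVM-option keys outright, and, when custom options are still allowed, an allowlist check that rejects the `' touch$IFS+command` probe from the report. The function names, the allowlist pattern and the sample conf values are assumptions.

```python
import re
from typing import Optional

# The four Spark configuration keys named in the comment above. Their values
# end up in the java command line that YARN builds, so they must never reach
# a shell unchecked.
JVM_OPTION_KEYS = (
    "spark.driver.defaultJavaOptions",
    "spark.driver.extraJavaOptions",
    "spark.executor.defaultJavaOptions",
    "spark.executor.extraJavaOptions",
)

# Shell metacharacters: quoting, separators, substitution, redirection, newlines.
_SHELL_META = re.compile(r"""[;&|`$(){}<>\\'"\n\r]""")

# Allowlist for one JVM flag (assumed pattern): -Dkey=value, -XX:[+-]Flag[=v],
# -Xmx2g style -X options, and a few bare switches. Values are restricted to
# characters a POSIX shell treats literally.
_JVM_FLAG = re.compile(
    r"^-(?:D[\w.]+=[\w./:,=-]*"
    r"|XX:[+-]?[A-Za-z]\w*(?:=[\w.,]+)?"
    r"|X[a-z]+[\w:=/.,-]*"
    r"|(?:ea|da|server|client|verbose(?::\w+)?))$"
)


def check_java_options(value: str) -> Optional[str]:
    """Return None if every token is an allowlisted JVM flag, else a reason."""
    if _SHELL_META.search(value):
        return f"shell metacharacter in JVM options: {value!r}"
    for token in value.split():
        if not _JVM_FLAG.fullmatch(token):
            return f"token is not an allowlisted JVM flag: {token!r}"
    return None


def sanitize_submit_conf(conf: dict, pure_mode: bool) -> tuple:
    """Filter the conf map a portal would pass to SparkLauncher.setConf().

    pure_mode mirrors the opt-in switch proposed in the comment: all four
    JVM-option keys are refused. Otherwise their values are validated.
    Returns (accepted conf, list of rejection reasons).
    """
    accepted, rejected = {}, []
    for key, value in conf.items():
        if key not in JVM_OPTION_KEYS:
            accepted[key] = value
        elif pure_mode:
            rejected.append(f"{key} refused: custom JVM options are disabled")
        elif (reason := check_java_options(value)) is not None:
            rejected.append(f"{key} refused: {reason}")
        else:
            accepted[key] = value
    return accepted, rejected
```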