[jira] [Commented] (OOZIE-3063) Sanitizing variables that are part of openjpa.ConnectionProperties

2017-09-21 Thread Andras Piros (JIRA)

[ 
https://issues.apache.org/jira/browse/OOZIE-3063?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16174567#comment-16174567
 ] 

Andras Piros commented on OOZIE-3063:
-

Good idea [~dionusos]! Any ideas / wishes what to filter?

> Sanitizing variables that are part of openjpa.ConnectionProperties
> --
>
> Key: OOZIE-3063
> URL: https://issues.apache.org/jira/browse/OOZIE-3063
> Project: Oozie
>  Issue Type: Bug
>  Components: core
>Affects Versions: 4.2.0
>Reporter: Denes Bodo
>
> There are values from oozie-site.xml which are not properly checked before 
> they are passed into a comma-separated string property in JPAService class. 



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)


[jira] [Commented] (OOZIE-3063) Sanitizing variables that are part of openjpa.ConnectionProperties

2017-09-21 Thread Denes Bodo (JIRA)

[ 
https://issues.apache.org/jira/browse/OOZIE-3063?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16174576#comment-16174576
 ] 

Denes Bodo commented on OOZIE-3063:
---

[~andras.piros] I'll provide code later today. Oozie should check for integer 
values and url to avoid accidentally written SQL statements in connection 
properties.

> Sanitizing variables that are part of openjpa.ConnectionProperties
> --
>
> Key: OOZIE-3063
> URL: https://issues.apache.org/jira/browse/OOZIE-3063
> Project: Oozie
>  Issue Type: Bug
>  Components: core
>Affects Versions: 4.2.0
>Reporter: Denes Bodo
>
> There are values from oozie-site.xml which are not properly checked before 
> they are passed into a comma-separated string property in JPAService class. 



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)


[jira] [Commented] (OOZIE-3063) Sanitizing variables that are part of openjpa.ConnectionProperties

2017-09-21 Thread Peter Cseh (JIRA)

[ 
https://issues.apache.org/jira/browse/OOZIE-3063?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16174628#comment-16174628
 ] 

Peter Cseh commented on OOZIE-3063:
---

I've tried to poke around this in OOZIE-2608, you might find interesting stuff 
in that issue's comments.

> Sanitizing variables that are part of openjpa.ConnectionProperties
> --
>
> Key: OOZIE-3063
> URL: https://issues.apache.org/jira/browse/OOZIE-3063
> Project: Oozie
>  Issue Type: Bug
>  Components: core
>Affects Versions: 4.2.0
>Reporter: Denes Bodo
>Assignee: Denes Bodo
>
> There are values from oozie-site.xml which are not properly checked before 
> they are passed into a comma-separated string property in JPAService class. 



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)


[jira] [Commented] (OOZIE-3063) Sanitizing variables that are part of openjpa.ConnectionProperties

2017-09-22 Thread Peter Cseh (JIRA)

[ 
https://issues.apache.org/jira/browse/OOZIE-3063?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16176145#comment-16176145
 ] 

Peter Cseh commented on OOZIE-3063:
---

Thanks for the patch!

# JDBC URLs can contain commas, e.g. in case of mysql replication. See 
OOZIE-2574 for details.
# Please validate {{maxConn}} as well to be an integer. Also, create a 
validation function for this and use that.
# Should we check if {{driver}} is on the classpath or not?

> Sanitizing variables that are part of openjpa.ConnectionProperties
> --
>
> Key: OOZIE-3063
> URL: https://issues.apache.org/jira/browse/OOZIE-3063
> Project: Oozie
>  Issue Type: Bug
>  Components: core
>Affects Versions: 4.2.0
>Reporter: Denes Bodo
>Assignee: Denes Bodo
> Attachments: 
> 0001-OOZIE-3063-Sanitizing-variables-that-are-part-of-ope.patch
>
>
> There are values from oozie-site.xml which are not properly checked before 
> they are passed into a comma-separated string property in JPAService class. 



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)


[jira] [Commented] (OOZIE-3063) Sanitizing variables that are part of openjpa.ConnectionProperties

2017-09-22 Thread Denes Bodo (JIRA)

[ 
https://issues.apache.org/jira/browse/OOZIE-3063?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16176262#comment-16176262
 ] 

Denes Bodo commented on OOZIE-3063:
---

[~gezapeti] As I see the ConfigurationService class has static methods to read 
configuration. We can get int values, which is OK, but the methods cannot 
throw "NumberFormatException", but fall back to the default 0 value. Should I 
extend the getter to be able to signal a problem with the number format, or should I use 
a separate checker method? I prefer the first option.

Driver on classpath should be checked, I agree.

> Sanitizing variables that are part of openjpa.ConnectionProperties
> --
>
> Key: OOZIE-3063
> URL: https://issues.apache.org/jira/browse/OOZIE-3063
> Project: Oozie
>  Issue Type: Bug
>  Components: core
>Affects Versions: 4.2.0
>Reporter: Denes Bodo
>Assignee: Denes Bodo
> Attachments: 
> 0001-OOZIE-3063-Sanitizing-variables-that-are-part-of-ope.patch
>
>
> There are values from oozie-site.xml which are not properly checked before 
> they are passed into a comma-separated string property in JPAService class. 



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)


[jira] [Commented] (OOZIE-3063) Sanitizing variables that are part of openjpa.ConnectionProperties

2017-09-22 Thread Peter Cseh (JIRA)

[ 
https://issues.apache.org/jira/browse/OOZIE-3063?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16176313#comment-16176313
 ] 

Peter Cseh commented on OOZIE-3063:
---

We don't really need the integers though as we're building a string to pass to 
JPA. You can just extract the try/catch logic to a verifyInteger function to 
handle the verification. I don't recommend changing ConfigurationService's 
behavior for this issue as that can have a huge impact on the whole project.

> Sanitizing variables that are part of openjpa.ConnectionProperties
> --
>
> Key: OOZIE-3063
> URL: https://issues.apache.org/jira/browse/OOZIE-3063
> Project: Oozie
>  Issue Type: Bug
>  Components: core
>Affects Versions: 4.2.0
>Reporter: Denes Bodo
>Assignee: Denes Bodo
> Attachments: 
> 0001-OOZIE-3063-Sanitizing-variables-that-are-part-of-ope.patch
>
>
> There are values from oozie-site.xml which are not properly checked before 
> they are passed into a comma-separated string property in JPAService class. 



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
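The review points raised in the thread above (a standalone verifyInteger function for {{maxConn}} instead of changing ConfigurationService, a JDBC URL check that tolerates the commas of a MySQL replication URL, and a check that the driver class is actually on the classpath) are illustrated here as an added example. This is not Oozie's JPAService code or the patch under review; the property names `DriverClassName`, `Url` and `MaxActive`, the quoting rule for comma-containing values in the OpenJPA plugin string, and every sample value in `main` are assumptions made for the example.

```java
import java.util.StringJoiner;
import java.util.regex.Pattern;

/**
 * Added example (not Oozie's own code): validate each oozie-site value before it
 * is concatenated into the comma-separated openjpa.ConnectionProperties string.
 * Property names and the quoting rule are assumptions for this example.
 */
public final class ConnectionPropertiesBuilder {

    /** Plain base-10 integer within [min, max]; anything else is rejected. */
    static int verifyInteger(String name, String raw, int min, int max) {
        final int value;
        try {
            value = Integer.parseInt(raw.trim());
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException(name + " must be an integer, got '" + raw + "'", e);
        }
        if (value < min || value > max) {
            throw new IllegalArgumentException(name + "=" + value + " is outside [" + min + ", " + max + "]");
        }
        return value;
    }

    /**
     * JDBC URL: must start with "jdbc:", no control characters and no double quotes.
     * Commas are deliberately allowed (MySQL replication URLs list several hosts).
     */
    static String verifyJdbcUrl(String raw) {
        String url = raw.trim();
        if (!url.startsWith("jdbc:")) {
            throw new IllegalArgumentException("JDBC URL must start with 'jdbc:': " + url);
        }
        for (int i = 0; i < url.length(); i++) {
            char c = url.charAt(i);
            if (Character.isISOControl(c) || c == '"') {
                throw new IllegalArgumentException("JDBC URL contains a forbidden character at index " + i);
            }
        }
        return url;
    }

    /** Shape of a fully qualified Java class name. */
    private static final Pattern CLASS_NAME =
        Pattern.compile("[A-Za-z_$][\\w$]*(\\.[A-Za-z_$][\\w$]*)*");

    /** Driver: syntactically a class name, loadable from the classpath, and a java.sql.Driver. */
    static String verifyDriver(String raw) {
        String driver = raw.trim();
        if (!CLASS_NAME.matcher(driver).matches()) {
            throw new IllegalArgumentException("driver is not a class name: " + driver);
        }
        try {
            Class<?> cls = Class.forName(driver);
            if (!java.sql.Driver.class.isAssignableFrom(cls)) {
                throw new IllegalArgumentException(driver + " does not implement java.sql.Driver");
            }
        } catch (ClassNotFoundException e) {
            throw new IllegalArgumentException("driver not found on classpath: " + driver, e);
        }
        return driver;
    }

    /**
     * Double-quote a value that contains a comma so the plugin-string parser keeps it
     * as one value (assumption about OpenJPA's plugin-string syntax).
     */
    static String quoteIfNeeded(String value) {
        return value.indexOf(',') >= 0 ? "\"" + value + "\"" : value;
    }

    /** Validate every part first, then build the comma-separated property string. */
    static String build(String driver, String url, String maxConn) {
        StringJoiner props = new StringJoiner(", ");
        props.add("DriverClassName=" + verifyDriver(driver));
        props.add("Url=" + quoteIfNeeded(verifyJdbcUrl(url)));
        props.add("MaxActive=" + verifyInteger("maxConn", maxConn, 1, 10_000));
        return props.toString();
    }

    public static void main(String[] args) {
        // Constructed sample values; the replication URL shows why commas cannot be banned outright.
        String replicationUrl = "jdbc:mysql:replication://primary:3306,replica:3306/oozie";
        System.out.println("Url=" + quoteIfNeeded(verifyJdbcUrl(replicationUrl)));

        // A non-integer maxConn is rejected before it reaches the property string.
        try {
            verifyInteger("maxConn", "10 connections", 1, 10_000);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // Driver check with a constructed placeholder class name that is not on the classpath.
        try {
            build("com.example.NoSuchDriver", replicationUrl, "10");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Keeping the three checks as separate static functions, as suggested in the thread, means the validation can be unit-tested on its own and ConfigurationService's fallback-to-default behaviour stays untouched; a misconfigured value fails startup with a clear message instead of being silently spliced into the JPA property list.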


[jira] [Commented] (OOZIE-3063) Sanitizing variables that are part of openjpa.ConnectionProperties

2017-09-22 Thread Peter Cseh (JIRA)

[ 
https://issues.apache.org/jira/browse/OOZIE-3063?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16176443#comment-16176443
 ] 

Peter Cseh commented on OOZIE-3063:
---

Oh, please provide a patch file created with git diff instead of format-patch 
as our pre-commit hook won't work with this. Also please give the files 
different names (like OOZIE-3063.001.patch, OOZIE-3063.002.patch). I don't 
think our pre-commit job likes files with the same names. 
After that you can move the task to "Patch available" status by clicking on the 
"Submit patch" button up there.
Thanks


> Sanitizing variables that are part of openjpa.ConnectionProperties
> --
>
> Key: OOZIE-3063
> URL: https://issues.apache.org/jira/browse/OOZIE-3063
> Project: Oozie
>  Issue Type: Bug
>  Components: core
>Affects Versions: 4.2.0
>Reporter: Denes Bodo
>Assignee: Denes Bodo
> Attachments: 
> 0001-OOZIE-3063-Sanitizing-variables-that-are-part-of-ope.patch, 
> 0001-OOZIE-3063-Sanitizing-variables-that-are-part-of-ope.patch
>
>
> There are values from oozie-site.xml which are not properly checked before 
> they are passed into a comma-separated string property in JPAService class. 



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)


[jira] [Commented] (OOZIE-3063) Sanitizing variables that are part of openjpa.ConnectionProperties

2017-09-22 Thread Hadoop QA (JIRA)

[ 
https://issues.apache.org/jira/browse/OOZIE-3063?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16176641#comment-16176641
 ] 

Hadoop QA commented on OOZIE-3063:
--

Testing JIRA OOZIE-3063

Cleaning local git workspace



{color:green}+1 PATCH_APPLIES{color}
{color:green}+1 CLEAN{color}
{color:green}+1 RAW_PATCH_ANALYSIS{color}
.{color:green}+1{color} the patch does not introduce any @author tags
.{color:green}+1{color} the patch does not introduce any tabs
.{color:green}+1{color} the patch does not introduce any trailing spaces
.{color:green}+1{color} the patch does not introduce any line longer than 
132
.{color:green}+1{color} the patch does adds/modifies 1 testcase(s)
{color:green}+1 RAT{color}
.{color:green}+1{color} the patch does not seem to introduce new RAT 
warnings
{color:green}+1 JAVADOC{color}
.{color:green}+1{color} the patch does not seem to introduce new Javadoc 
warnings
.{color:red}WARNING{color}: the current HEAD has 77 Javadoc warning(s)
{color:green}+1 COMPILE{color}
.{color:green}+1{color} HEAD compiles
.{color:green}+1{color} patch compiles
.{color:green}+1{color} the patch does not seem to introduce new javac 
warnings
{color:orange}0{color} There are [1] new bugs found in total that would be nice 
to have fixed.
. {color:green}+1{color} There are no new bugs found in [server].
. {color:green}+1{color} There are no new bugs found in [client].
. {color:orange}0{color} There are [1] new bugs found in [core] that would be 
nice to have fixed.
. You can find the FindBugs diff here: core/findbugs-new.html
. {color:green}+1{color} There are no new bugs found in [docs].
. {color:green}+1{color} There are no new bugs found in [tools].
. {color:green}+1{color} There are no new bugs found in [examples].
. {color:green}+1{color} There are no new bugs found in [sharelib/streaming].
. {color:green}+1{color} There are no new bugs found in [sharelib/sqoop].
. {color:green}+1{color} There are no new bugs found in [sharelib/distcp].
. {color:green}+1{color} There are no new bugs found in [sharelib/oozie].
. {color:green}+1{color} There are no new bugs found in [sharelib/hcatalog].
. {color:green}+1{color} There are no new bugs found in [sharelib/hive].
. {color:green}+1{color} There are no new bugs found in [sharelib/hive2].
. {color:green}+1{color} There are no new bugs found in [sharelib/pig].
. {color:green}+1{color} There are no new bugs found in [sharelib/spark].
{color:green}+1 BACKWARDS_COMPATIBILITY{color}
.{color:green}+1{color} the patch does not change any JPA 
Entity/Colum/Basic/Lob/Transient annotations
.{color:green}+1{color} the patch does not modify JPA files
{color:green}+1 TESTS{color}
.Tests run: 2039
.Tests rerun: 70
.Tests failed at first run: 
org.apache.oozie.test.TestXTestCase,org.apache.oozie.action.hadoop.TestJavaActionExecutor,org.apache.oozie.jms.TestJMSJobEventListener,
{color:green}+1 DISTRO{color}
.{color:green}+1{color} distro tarball builds with the patch 


{color:green}*+1 Overall result, good!, no -1s*{color}

{color:red}. There is at least one warning, please check{color}

The full output of the test-patch run is available at

. https://builds.apache.org/job/PreCommit-OOZIE-Build/46/

> Sanitizing variables that are part of openjpa.ConnectionProperties
> --
>
> Key: OOZIE-3063
> URL: https://issues.apache.org/jira/browse/OOZIE-3063
> Project: Oozie
>  Issue Type: Bug
>  Components: core
>Affects Versions: 4.2.0
>Reporter: Denes Bodo
>Assignee: Denes Bodo
> Fix For: 5.0.0
>
> Attachments: 
> 0001-OOZIE-3063-Sanitizing-variables-that-are-part-of-ope.patch, 
> 0001-OOZIE-3063-Sanitizing-variables-that-are-part-of-ope.patch, 
> OOZIE-3063.003.patch
>
>
> There are values from oozie-site.xml which are not properly checked before 
> they are passed into a comma-separated string property in JPAService class. 



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)


[jira] [Commented] (OOZIE-3063) Sanitizing variables that are part of openjpa.ConnectionProperties

2017-09-23 Thread Peter Bacsko (JIRA)

[ 
https://issues.apache.org/jira/browse/OOZIE-3063?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16178013#comment-16178013
 ] 

Peter Bacsko commented on OOZIE-3063:
-

[~dionusos] please create a ReviewBoard review from patch v3 because it's 
easier to add comments that way.

> Sanitizing variables that are part of openjpa.ConnectionProperties
> --
>
> Key: OOZIE-3063
> URL: https://issues.apache.org/jira/browse/OOZIE-3063
> Project: Oozie
>  Issue Type: Bug
>  Components: core
>Affects Versions: 4.2.0
>Reporter: Denes Bodo
>Assignee: Denes Bodo
> Fix For: 5.0.0
>
> Attachments: 
> 0001-OOZIE-3063-Sanitizing-variables-that-are-part-of-ope.patch, 
> 0001-OOZIE-3063-Sanitizing-variables-that-are-part-of-ope.patch, 
> OOZIE-3063.003.patch
>
>
> There are values from oozie-site.xml which are not properly checked before 
> they are passed into a comma-separated string property in JPAService class. 



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)


[jira] [Commented] (OOZIE-3063) Sanitizing variables that are part of openjpa.ConnectionProperties

2019-04-03 Thread Andras Salamon (JIRA)


[ 
https://issues.apache.org/jira/browse/OOZIE-3063?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16808768#comment-16808768
 ] 

Andras Salamon commented on OOZIE-3063:
---

What is the status of this patch? Are you still working on it [~dionusos]?

> Sanitizing variables that are part of openjpa.ConnectionProperties
> --
>
> Key: OOZIE-3063
> URL: https://issues.apache.org/jira/browse/OOZIE-3063
> Project: Oozie
>  Issue Type: Bug
>  Components: core
>Affects Versions: 4.2.0
>Reporter: Denes Bodo
>Assignee: Denes Bodo
>Priority: Major
> Attachments: 
> 0001-OOZIE-3063-Sanitizing-variables-that-are-part-of-ope.patch, 
> 0001-OOZIE-3063-Sanitizing-variables-that-are-part-of-ope.patch, 
> OOZIE-3063.003.patch
>
>
> There are values from oozie-site.xml which are not properly checked before 
> they are passed into a comma-separated string property in JPAService class. 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Commented] (OOZIE-3063) Sanitizing variables that are part of openjpa.ConnectionProperties

2019-04-03 Thread Hadoop QA (JIRA)


[ 
https://issues.apache.org/jira/browse/OOZIE-3063?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16808772#comment-16808772
 ] 

Hadoop QA commented on OOZIE-3063:
--

PreCommit-OOZIE-Build started


> Sanitizing variables that are part of openjpa.ConnectionProperties
> --
>
> Key: OOZIE-3063
> URL: https://issues.apache.org/jira/browse/OOZIE-3063
> Project: Oozie
>  Issue Type: Bug
>  Components: core
>Affects Versions: 4.2.0
>Reporter: Denes Bodo
>Assignee: Denes Bodo
>Priority: Major
> Attachments: 
> 0001-OOZIE-3063-Sanitizing-variables-that-are-part-of-ope.patch, 
> 0001-OOZIE-3063-Sanitizing-variables-that-are-part-of-ope.patch, 
> OOZIE-3063.003.patch
>
>
> There are values from oozie-site.xml which are not properly checked before 
> they are passed into a comma-separated string property in JPAService class. 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Commented] (OOZIE-3063) Sanitizing variables that are part of openjpa.ConnectionProperties

2019-04-03 Thread Hadoop QA (JIRA)


[ 
https://issues.apache.org/jira/browse/OOZIE-3063?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16808884#comment-16808884
 ] 

Hadoop QA commented on OOZIE-3063:
--


Testing JIRA OOZIE-3063

Cleaning local git workspace



{color:green}+1 PATCH_APPLIES{color}
{color:green}+1 CLEAN{color}
{color:green}+1 RAW_PATCH_ANALYSIS{color}
.{color:green}+1{color} the patch does not introduce any @author tags
.{color:green}+1{color} the patch does not introduce any tabs
.{color:green}+1{color} the patch does not introduce any trailing spaces
.{color:green}+1{color} the patch does not introduce any star imports
.{color:green}+1{color} the patch does not introduce any line longer than 
132
.{color:green}+1{color} the patch adds/modifies 1 testcase(s)
{color:green}+1 RAT{color}
.{color:green}+1{color} the patch does not seem to introduce new RAT 
warnings
{color:green}+1 JAVADOC{color}
.{color:green}+1{color} Javadoc generation succeeded with the patch
.{color:green}+1{color} the patch does not seem to introduce new Javadoc 
warning(s)
{color:green}+1 COMPILE{color}
.{color:green}+1{color} HEAD compiles
.{color:green}+1{color} patch compiles
.{color:green}+1{color} the patch does not seem to introduce new javac 
warnings
{color:red}-1{color} There are [21] new bugs found below threshold in total 
that must be fixed.
.{color:green}+1{color} There are no new bugs found in [sharelib/hive2].
.{color:green}+1{color} There are no new bugs found in [sharelib/spark].
.{color:green}+1{color} There are no new bugs found in [sharelib/oozie].
.{color:green}+1{color} There are no new bugs found in [sharelib/pig].
.{color:green}+1{color} There are no new bugs found in [sharelib/streaming].
.{color:green}+1{color} There are no new bugs found in [sharelib/hive].
.{color:green}+1{color} There are no new bugs found in [sharelib/distcp].
.{color:green}+1{color} There are no new bugs found in [sharelib/hcatalog].
.{color:green}+1{color} There are no new bugs found in [sharelib/sqoop].
.{color:green}+1{color} There are no new bugs found in [sharelib/git].
.{color:green}+1{color} There are no new bugs found in [client].
.{color:green}+1{color} There are no new bugs found in [docs].
.{color:red}-1{color} There are [15] new bugs found below threshold in 
[tools] that must be fixed, listing only the first [5] ones.
.You can find the SpotBugs diff here (look for the red and orange ones): 
tools/findbugs-new.html
.The top [5] most important SpotBugs errors are:
.At OozieDBCLI.java:[line 578]: This use of 
java/sql/Statement.executeUpdate(Ljava/lang/String;)I can be vulnerable to SQL 
injection
.At OozieDBCLI.java:[line 568]: At OozieDBCLI.java:[line 567]
.At OozieDBCLI.java:[line 571]: At OozieDBCLI.java:[line 569]
.At OozieDBCLI.java:[line 573]: At OozieDBCLI.java:[line 572]
.At OozieDBCLI.java:[line 578]: At OozieDBCLI.java:[line 575]
.{color:green}+1{color} There are no new bugs found in 
[fluent-job/fluent-job-api].
.{color:green}+1{color} There are no new bugs found in [server].
.{color:green}+1{color} There are no new bugs found in [webapp].
.{color:green}+1{color} There are no new bugs found in [examples].
.{color:red}-1{color} There are [6] new bugs found below threshold in 
[core] that must be fixed, listing only the first [5] ones.
.You can find the SpotBugs diff here (look for the red and orange ones): 
core/findbugs-new.html
.The top [5] most important SpotBugs errors are:
.At BulkJPAExecutor.java:[line 207]: This use of 
javax/persistence/EntityManager.createQuery(Ljava/lang/String;)Ljavax/persistence/Query;
 can be vulnerable to SQL/JPQL injection
.At BulkJPAExecutor.java:[line 177]: At BulkJPAExecutor.java:[line 176]
.At BulkJPAExecutor.java:[line 206]: At BulkJPAExecutor.java:[line 200]
.This use of 
javax/persistence/EntityManager.createQuery(Ljava/lang/String;)Ljavax/persistence/Query;
 can be vulnerable to SQL/JPQL injection: At BulkJPAExecutor.java:[line 207]
.At BulkJPAExecutor.java:[line 112]: At BulkJPAExecutor.java:[line 128]
{color:green}+1 BACKWARDS_COMPATIBILITY{color}
.{color:green}+1{color} the patch does not change any JPA 
Entity/Colum/Basic/Lob/Transient annotations
.{color:green}+1{color} the patch does not modify JPA files
{color:green}+1 TESTS{color}
.Tests run: 3176
.{color:orange}Tests failed at first run:{color}
TestIntegrationGitActionExecutor#testWhenRepoIsClonedThenGitIndexContentIsReadSuccessfully
.For the complete list of flaky tests, see TEST-SUMMARY-FULL files.
{color:green}+1 DISTRO{color}
.{color:green}+1{color} distro tarball builds with the patch 


{color:red}*-1 Overall result, please check the reported -1(s)*{color}


The full output of the test-patch run is availa