Hello Everyone, As we all know, Apache Zeppelin is, by design, a remote code execution platform. There are some cases where this does not apply, but for a lot of script-style interpreters, the whole point is for the user to run code on the server. If there is a problem with the shell interpreter, there is also one with python, java, and many others. And this is the same for Jupyter, by the way.
If someone files a bug with 'I can run shell, it's a vulnerability' when using shell interpreter, it seems to be they are not properly aware of the intended use of the system, and the documentation around this may need to be pushed more in front so they are aware. Alternative would be to rm -rf​ all script interpreters? Which would defeat most of the purpose of the platform. My suggestion would be to contest the CVE, works as expected and republish shell interpreter. Cheers, Michiel ________________________________ From: Jongyoul Lee <jongy...@gmail.com> Sent: Thursday, April 11, 2024 11:39 To: users <users@zeppelin.apache.org>; dev <d...@zeppelin.apache.org> Subject: [External] : [DISCUSS] Shell interpreter Hello, I want to discuss Shell interpreter issue with you. For your information, we had a security report using Shell interpreter to execute malicious code with a system account. As you know, it's a kind of characteristic of Apache Zeppelin but some contributors including me thought it was too risky even if it's a feature. Moreover, I thought that we had some workarounds to do similar executions. However, after releasing it, there were many questions via several channels about the deprecation of Shell interpreter. I would like to follow the community's decision. For one more piece of information, we already have a security page to warn the code execution feature so we can keep the Shell interpreter without any further treatment. Could you please give me your opinion on this? If we conclude keeping it, I'll release a new release of 0.11.2 including Shell interpreter again. Best regards, Jongyoul Lee
