[SPARK-19334][SQL]Fix the code injection vulnerability related to Generator functions. #16681

Closed
wants to merge 2 commits into from

Conversation

@sarutak sarutak commented Jan 23, 2017

What changes were proposed in this pull request?

Similar to SPARK-15165, codegen is in danger of arbitrary code injection. The root cause is how variable names are created by codegen.
In GenerateExec#codeGenAccessor, a variable name is created as follows.

```
val value = ctx.freshName(name)
```

The variable `value` is named based on the value of the variable `name`, and the value of `name` comes from the schema given by users, so an attacker can attack with queries like the following.

```
SELECT inline(array(cast(struct(1) AS struct<`=new Object() { {f();} public void f() {throw new RuntimeException("This exception is injected.");} public int x;}.x`:int>)))
```

In the example above, a RuntimeException is thrown, but an attacker can replace it with arbitrary code.

How was this patch tested?

Added a new test case.
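As an added illustration (not Spark's code), a small Python model of the pattern the PR describes: a generated Java local named from a user-supplied schema field, beside one keyed on the field position, plus a check a reviewer can run over emitted code. `CodegenContext`, `fresh_name`, the `generate_` prefix and the sample fields are constructed for this example; the first sample field is the payload quoted in the PR description.

```python
import re

# Constructed sample schema: the first field name is the payload quoted in the PR
# description, the second is an ordinary column name.
SAMPLE_FIELDS = [
    '=new Object() { {f();} public void f() {throw new RuntimeException('
    '"This exception is injected.");} public int x;}.x',
    "price",
]

JAVA_IDENT = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*$")  # a bare Java identifier

class CodegenContext:
    """Simplified model of Spark's CodegenContext.freshName (hypothetical, not Spark's code)."""

    def __init__(self, prefix="generate"):
        self.prefix = prefix
        self.seen = {}

    def fresh_name(self, base):
        # First use returns the prefixed name; later uses append a counter.
        full = f"{self.prefix}_{base}"
        n = self.seen.get(full, 0)
        self.seen[full] = n + 1
        return full if n == 0 else f"{full}{n}"

def gen_accessor_vulnerable(ctx, field_name, index):
    # Vulnerable pattern: the local's name is built from the schema-supplied field
    # name, so whatever that name contains lands verbatim in the Java source.
    var = ctx.fresh_name(field_name)
    return f"int {var} = row.getInt({index});"

def gen_accessor_fixed(ctx, field_name, index):
    # Hardened pattern (the direction the PR takes): key the local on the field
    # position only, and refuse to emit anything that is not a plain identifier.
    var = ctx.fresh_name(f"st_col{index}")
    if not JAVA_IDENT.match(var):
        raise ValueError(f"refusing to emit non-identifier {var!r}")
    return f"int {var} = row.getInt({index});"

def generate(accessor, fields):
    ctx = CodegenContext()
    return "\n".join(accessor(ctx, name, i) for i, name in enumerate(fields))

def declared_locals_are_identifiers(java_source):
    # Regression check over emitted code: every declared local must be a bare identifier.
    decls = re.findall(r"^int (.+?) = row\.", java_source, flags=re.MULTILINE)
    return bool(decls) and all(JAVA_IDENT.match(d) for d in decls)
```

Run against `SAMPLE_FIELDS`, the vulnerable generator fails the identifier check because the whole payload lands between `int` and `= row`, while the fixed generator emits only `generate_st_col0` and `generate_st_col1`.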

s"st_col${i}",
i.toString,
f.dataType,
f.nullable, fieldChecks)
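Review bot: the call passes `s"st_col${i}"` together with `i.toString`, so the accessor's variable is keyed on the field position instead of the user-supplied field name, which is what removes the injection path described in the PR; a one-line comment at this call site stating that the variable name must never be derived from schema text would keep a later refactor from reintroducing `ctx.freshName(name)`.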
Contributor

Nit: new line.

Member Author

Thanks. I've fixed it.

@hvanhovell hvanhovell (Contributor) left a comment

Nice catch!

One style nit. LGTM - pending jenkins.

SparkQA commented Jan 23, 2017

Test build #71857 has finished for PR 16681 at commit 2ae7efc.

  • This patch passes all tests.
  • This patch merges cleanly.
  • This patch adds no public classes.

SparkQA commented Jan 23, 2017

Test build #71859 has finished for PR 16681 at commit c01e077.

  • This patch passes all tests.
  • This patch merges cleanly.
  • This patch adds no public classes.

SparkQA commented Jan 24, 2017

Test build #71883 has finished for PR 16681 at commit 081d4ef.

  • This patch passes all tests.
  • This patch merges cleanly.
  • This patch adds no public classes.

@hvanhovell hvanhovell (Contributor) commented

LGTM. Merging to master. Thanks!

@asfgit asfgit closed this in 15ef374 Jan 24, 2017
uzadude pushed a commit to uzadude/spark that referenced this pull request Jan 27, 2017
…nerator functions.

## What changes were proposed in this pull request?

Similar to SPARK-15165, codegen is in danger of arbitrary code injection. The root cause is how variable names are created by codegen.
In GenerateExec#codeGenAccessor, a variable name is created like as follows.

```
val value = ctx.freshName(name)
```

The variable `value` is named based on the value of the variable `name` and the value of `name` is from schema given by users so an attacker can attack with queries like as follows.

```
SELECT inline(array(cast(struct(1) AS struct<`=new Object() { {f();} public void f() {throw new RuntimeException("This exception is injected.");} public int x;}.x`:int>)))
```

In the example above, a RuntimeException is thrown but an attacker can replace it with arbitrary code.

## How was this patch tested?

Added a new test case.

Author: Kousuke Saruta <sarutak@oss.nttdata.co.jp>

Closes apache#16681 from sarutak/SPARK-19334.
cmonkey pushed a commit to cmonkey/spark that referenced this pull request Feb 15, 2017
@sarutak sarutak deleted the SPARK-19334 branch June 4, 2021 20:45