home:chajain:branches:Cloud:Openstack:Master
File CVE-2022-33891.patch of Package spark
commit c83618e4e5fc092829a1f2a726f12fb832e802cc Author: Hyukjin Kwon <gurwls223@apache.org> Date: Fri Apr 22 19:01:05 2022 +0900 [SPARK-38992][CORE] Avoid using bash -c in ShellBasedGroupsMappingProvider ### What changes were proposed in this pull request? This PR proposes to avoid using `bash -c` in `ShellBasedGroupsMappingProvider`. This could allow users a command injection. ### Why are the changes needed? For a security purpose. ### Does this PR introduce _any_ user-facing change? Virtually no. ### How was this patch tested? Manually tested. Closes #36315 from HyukjinKwon/SPARK-38992. Authored-by: Hyukjin Kwon <gurwls223@apache.org> Signed-off-by: Hyukjin Kwon <gurwls223@apache.org> diff --git a/core/src/main/scala/org/apache/spark/security/ShellBasedGroupsMappingProvider.scala b/core/src/main/scala/org/apache/spark/security/ShellBasedGroupsMappingProvider.scala index f71dd08246..7ef8ef165e 100644 --- a/core/src/main/scala/org/apache/spark/security/ShellBasedGroupsMappingProvider.scala +++ b/core/src/main/scala/org/apache/spark/security/ShellBasedGroupsMappingProvider.scala @@ -30,6 +30,8 @@ import org.apache.spark.util.Utils private[spark] class ShellBasedGroupsMappingProvider extends GroupMappingServiceProvider with Logging { + private lazy val idPath = Utils.executeAndGetOutput("which" :: "id" :: Nil).stripLineEnd + override def getGroups(username: String): Set[String] = { val userGroups = getUnixGroups(username) logDebug("User: " + username + " Groups: " + userGroups.mkString(",")) 
@@ -38,8 +40,7 @@ private[spark] class ShellBasedGroupsMappingProvider extends GroupMappingService // shells out a "bash -c id -Gn username" to get user groups private def getUnixGroups(username: String): Set[String] = { - val cmdSeq = Seq("bash", "-c", "id -Gn " + username) // we need to get rid of the trailing "\n" from the result of command execution - Utils.executeAndGetOutput(cmdSeq).stripLineEnd.split(" ").toSet + Utils.executeAndGetOutput(idPath :: "-Gn" :: username :: Nil).stripLineEnd.split(" ").toSet } }
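Review bot: the `which` lookup behind the new `idPath` lazy val resolves `id` from the same PATH the child process would consult anyway, so it mostly adds a second process spawn plus a dependency on `which` itself being installed; and because the val is lazy, a missing `which` or `id` surfaces only on the first `getGroups` call rather than when the provider is constructed. Either document that intent in a comment above the declaration or drop the indirection and pass `"id"` (or an absolute path taken from configuration) directly as the first element of the single `executeAndGetOutput` call.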
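Review bot: the comment `// shells out a "bash -c id -Gn username" to get user groups` just above `getUnixGroups` is now stale, since the hunk no longer goes through `bash -c`; update it to say that `id -Gn <username>` is executed directly with the username as its own argument. Passing the username as a separate argv element is what removes the shell interpretation that made the old `"id -Gn " + username` concatenation injectable, but the value still reaches `id` unvalidated, so consider rejecting usernames that do not match the expected local account syntax, and a regression test using a username with shell metacharacters would turn the `Manually tested` line in the description into something CI can check.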