[SENTRY-2533] The UDF in_file should be blacked default - ASF JIRA

XML

Word

Printable

JSON

Details

Type: New Feature
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 2.1.0
Fix Version/s: 2.2.0
Component/s: Sentry
Labels:
- security

Description

~~HIVE-20420~~(CVE-2018-11777) introduced a fallback authorizer factory which disallowed some builtin UDFs such as java_method, reflect, reflect2 and in_file. But Sentry does not black in_file up to now, so a malicious user can use in_file in SQL queries to detect some specific files on the HS2 host, or to detect whether a specific file has specific content. in_file should be added to HIVE_UDF_BLACK_LIST.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

SENTRY-2533.001.patch
21/Sep/19 06:46
3 kB
Wenchao Li
SENTRY-2533.001.patch
21/Sep/19 11:10
3 kB
Wenchao Li
SENTRY-2533.001.patch
22/Sep/19 07:35
3 kB
Wenchao Li
SENTRY-2533.001.patch
22/Sep/19 08:22
3 kB
Wenchao Li

Issue Links

links to

Review Board Link

Activity

People

Assignee:: Wenchao Li

Reporter:: Wenchao Li

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 20/Sep/19 12:51

Updated:: 12/Dec/19 19:59

Resolved:: 12/Dec/19 19:59