Uploaded image for project: 'Spark'
  1. Spark
  2. SPARK-15165

Codegen can break because toCommentSafeString is not actually safe

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Blocker
    • Resolution: Fixed
    • 1.5.2, 1.6.1, 2.0.0
    • 1.6.2, 2.0.0
    • SQL
    • None

    Description

      toCommentSafeString method replaces "\u" with "\ \u" to avoid codegen breaking.
      But if the even number of "\" is put before "u", like "\ \u", in the string literal in the query, codegen can break.

      Following code causes compilation error.

      val df = Seq(...).toDF
df.select("'\\\\\\\\u002A/'").show

      The reason of the compilation error is because "\\\\\\\\u002A/" is translated into "*/" (the end of comment).

      Due to this unsafety, arbitrary code can be injected like as follows.

      val df = Seq(...).toDF
// Inject "System.exit(1)"
df.select("'\\\\\\\\u002A/{System.exit(1);}/*'").show

      Attachments

        Issue Links

          is related to

          Bug - A problem which impairs or prevents the functions of the product. SPARK-11352 codegen.GeneratePredicate fails due to unquoted comment

          • Major - Major loss of function.
          • Resolved

          Bug - A problem which impairs or prevents the functions of the product. SPARK-12138 Escape \u in the generated comments.

          • Major - Major loss of function.
          • Resolved
          links to

          Pull request #12939 [Github] Pull Request #12939 (sarutak)

          Pull request #12979 [Github] Pull Request #12979 (sarutak)

          Pull request #13230 [Github] Pull Request #13230 (sarutak)

          Activity

            People

              sarutak Kousuke Saruta
              sarutak Kousuke Saruta
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: