airflow-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF subversion and git services (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (AIRFLOW-231) Remove security issue around `eval` statement in PrestoHook
Date Tue, 14 Jun 2016 12:00:04 GMT

    [ https://issues.apache.org/jira/browse/AIRFLOW-231?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15329370#comment-15329370
] 

ASF subversion and git services commented on AIRFLOW-231:
---------------------------------------------------------

Commit 7d29698b639d9e2060465aa778efb842986df706 in incubator-airflow's branch refs/heads/master
from [~maxime.beauchemin@apache.org]
[ https://git-wip-us.apache.org/repos/asf?p=incubator-airflow.git;h=7d29698 ]

[AIRFLOW-231] Do not eval user input in PrestoHook

Running `eval` represent a security threat as the interpreter can be
hijacked by the service returning the string getting "evaled", in this
case Presto. It turns out the code I'm changing here was written a long
time ago and misguided, casting a python object to a string and then
evaling it as a useless round trip.

Closes #1584 from mistercrunch/security


> Remove security issue around `eval` statement in PrestoHook
> -----------------------------------------------------------
>
>                 Key: AIRFLOW-231
>                 URL: https://issues.apache.org/jira/browse/AIRFLOW-231
>             Project: Apache Airflow
>          Issue Type: Improvement
>            Reporter: Maxime Beauchemin
>




--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message