phoenix-dev mailing list archives

From "Hadoop QA (JIRA)" <>
Subject [jira] [Commented] (PHOENIX-4189) Avoid direct use of ObjectInputStream in Hive integration
Date Sat, 09 Sep 2017 07:55:00 GMT


Hadoop QA commented on PHOENIX-4189:

{color:red}-1 overall{color}.  Here are the results of testing the latest attachment
  against master branch at commit 2ad5d4b48c16743b3f3968a858f9da19c14070fa.
  ATTACHMENT ID: 12886224

    {color:green}+1 @author{color}.  The patch does not contain any @author tags.

    {color:green}+1 tests included{color}.  The patch appears to include 3 new or modified

    {color:green}+1 javac{color}.  The applied patch does not increase the total number of
javac compiler warnings.

    {color:green}+1 release audit{color}.  The applied patch does not increase the total number
of release audit warnings.

    {color:red}-1 lineLengths{color}.  The patch introduces the following lines longer than
    +    public static final PrimaryKeyData EMPTY = new PrimaryKeyData(Collections.<String,Object>
+      protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException
+              throw new InvalidClassException(desc.getName(), "Expected an instance of PrimaryKeyData");
+    public static PrimaryKeyData deserialize(InputStream input) throws IOException, ClassNotFoundException
+            throw new InvalidClassException(obj == null ? "null" : obj.getClass().getName(),
"Disallowed serialized class");
+        PrimaryKeyData pkCopy = PrimaryKeyData.deserialize(new ByteArrayInputStream(baos.toByteArray()));

    {color:green}+1 core tests{color}.  The patch passed unit tests in .

Test results:
Console output:

This message is automatically generated.

> Avoid direct use of ObjectInputStream in Hive integration
> ---------------------------------------------------------
>                 Key: PHOENIX-4189
>                 URL:
>             Project: Phoenix
>          Issue Type: Bug
>            Reporter: Josh Elser
>            Assignee: Josh Elser
>             Fix For: 4.12.0
>         Attachments: PHOENIX-4189.001.patch
> Another security scan ding, but not a very big concern.
> We use ObjectInputStream to serialize/deserialize a Map which contains the columns+values
> of the primary key constraint. The problem with ObjectInputStream is that it doesn't care
> what Class it deserializes. If a malicious user can somehow coerce some unknowing user to
> use an InputSplit that has this specially crafted class, we can get into an arbitrary code
> outlines a way to work around
> this issue in code, but it leaves a bit to be desired. The ObjectInputStream recursively calls
> itself as it deserializes the fields in the Object. By trusting some classes from the packages
> java.lang, java.util, and java.sql, I believe we can remove this minor concern.

This message was sent by Atlassian JIRA
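The mitigation the ticket describes and the patch excerpt hints at (an ObjectInputStream subclass whose resolveClass rejects anything outside an allow-list, plus a type check on the root object) as an added, self-contained example. This is illustrative code written for this page, not the Phoenix patch itself: the class names PrimaryKeyDataDemo and RestrictedObjectInputStream, the sample column values and the use of java.io.File as the disallowed class are all assumptions; the trusted packages are the three the ticket proposes.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

/** Added example (hypothetical, not Phoenix code): allow-listed deserialization of a PK map. */
public final class PrimaryKeyDataDemo {

    /** Stand-in for the PrimaryKeyData type named in the patch excerpt. */
    static final class PrimaryKeyData implements Serializable {
        private static final long serialVersionUID = 1L;
        private final Map<String, Object> data;

        PrimaryKeyData(Map<String, Object> data) {
            this.data = new HashMap<>(data);
        }

        Map<String, Object> getData() {
            return Collections.unmodifiableMap(data);
        }

        byte[] serialize() throws IOException {
            ByteArrayOutputStream baos = new ByteArrayOutputStream();
            try (ObjectOutputStream oos = new ObjectOutputStream(baos)) {
                oos.writeObject(this);
            }
            return baos.toByteArray();
        }

        /** Reads through the restricted stream, then re-checks the root object's runtime type. */
        static PrimaryKeyData deserialize(InputStream in) throws IOException, ClassNotFoundException {
            try (ObjectInputStream ois = new RestrictedObjectInputStream(in)) {
                Object obj = ois.readObject();
                if (obj instanceof PrimaryKeyData) {
                    return (PrimaryKeyData) obj;
                }
                throw new InvalidClassException(obj == null ? "null" : obj.getClass().getName(),
                        "Disallowed serialized class");
            }
        }
    }

    /**
     * resolveClass runs for every class descriptor in the stream (field values, superclasses),
     * so the allow-list is applied to the whole object graph, not just the root object.
     */
    static final class RestrictedObjectInputStream extends ObjectInputStream {
        RestrictedObjectInputStream(InputStream in) throws IOException {
            super(in);
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (name.equals(PrimaryKeyData.class.getName())
                    || name.startsWith("java.lang.")
                    || name.startsWith("java.util.")
                    || name.startsWith("java.sql.")) {       // assumption: the ticket's trusted packages
                return super.resolveClass(desc);
            }
            // Rejected before the class is loaded or instantiated; its readObject never runs.
            throw new InvalidClassException(name, "Expected an instance of PrimaryKeyData");
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: two primary-key columns and their values.
        Map<String, Object> pk = new HashMap<>();
        pk.put("ID", 42L);
        pk.put("NAME", "alice");
        byte[] good = new PrimaryKeyData(pk).serialize();
        PrimaryKeyData copy = PrimaryKeyData.deserialize(new ByteArrayInputStream(good));
        System.out.println("round trip: " + copy.getData());

        // A well-formed stream whose root object is an unrelated Serializable class
        // (java.io.File, chosen only because it is outside the allow-list).
        ByteArrayOutputStream baos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(baos)) {
            oos.writeObject(new File("/tmp/not-a-primary-key"));
        }
        try {
            PrimaryKeyData.deserialize(new ByteArrayInputStream(baos.toByteArray()));
            System.out.println("unexpected: disallowed class was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.classname);
        }
    }
}
```

Two caveats a reviewer would raise against this shape of fix. First, a prefix match on package names is still broad: every serializable class in java.util and java.sql becomes reachable from untrusted input, and array descriptors such as "[Ljava.lang.String;" do not start with "java.lang." and would be rejected by this check, so a real allow-list should enumerate the exact classes the value type contains. Second, on Java 9 and later (and 8u121+), the standard mechanism for this is java.io.ObjectInputFilter (JEP 290), set per stream with setObjectInputFilter or process-wide with jdk.serialFilter; it also lets you bound graph depth and array sizes, which a resolveClass override cannot.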
