[SPARK-10857] SQL injection bug in JdbcDialect.getTableExistsQuery() - ASF Jira

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Minor
Resolution: Incomplete
Affects Version/s: 1.5.0
Fix Version/s: None
Component/s: SQL
Labels:
- bulk-closed

Description

All of the implementations of this method involve constructing a query by concatenating boilerplate text with a user-supplied name. This looks like a SQL injection bug to me.

A better solution would be to call java.sql.DatabaseMetaData.getTables() to implement this method, using the catalog and schema which are available from Connection.getCatalog() and Connection.getSchema(). This would not work on Java 6 because Connection.getSchema() was introduced in Java 7. However, the solution would work for more modern JVMs. Limiting the vulnerability to obsolete JVMs would at least be an improvement over the current situation. Java 6 has been end-of-lifed and is not an appropriate platform for users who are concerned about security.

Attachments

Issue Links

is related to

SPARK-10977 SQL injection bugs in JdbcUtils and DataFrameWriter

Resolved

SPARK-11426 JDBCRDD should use JdbcDialect to probe for the existence of a table

Closed

links to

[Github] Pull Request #9202 (rick-ibm)

Activity

People

Assignee:: Unassigned

Reporter:: Richard N. Hillegas

Votes:: 0 Vote for this issue

Watchers:: 7 Start watching this issue

Dates

Created:: 28/Sep/15 17:52

Updated:: 21/May/19 04:33

Resolved:: 21/May/19 04:33