
[jira] [Created] (HIVE-20055) SQL injection via metastore ACID APIs (and maybe queries, although that's unlikely)


Sergey Shelukhin created HIVE-20055:
---------------------------------------

             Summary: SQL injection via metastore ACID APIs (and maybe queries, although that's unlikely)
                 Key: HIVE-20055
                 URL: https://issues.apache.org/jira/browse/HIVE-20055
             Project: Hive
          Issue Type: Bug
            Reporter: Sergey Shelukhin
            Assignee: Thejas M Nair


[~thejas] asked me to create this JIRA based on my earlier email :)

{noformat}
This might be doable with a specially crafted query, I’m not sure what APIs calls have what checks (e.g. via Hive parser) that would prevent the below.
However, for remote metastore (default on many clusters currently, afaik it’s the default for ACID) we expose thrift API that accepts strings e.g. get_valid_write_ids.
That passes the string table names to TxnHandler::getValidWriteIdsForTable, that inserts them into the query string w/quoteString call; quoteString doesn’t do any validation.

Some ready made delete statements also exist e.g. "delete from REPL_TXN_MAP where RTM_SRC_TXN_ID = " + sourceTxnId + " and RTM_REPL_POLICY = " + quoteString(rqst.getReplPolicy());
I think my replication policy might be {' OR '1' = '1} ;)

So, SQL injection might be possible thru these APIs.
I wonder if this class should be switched to parameter based execution? DirectSQL could be used as an example, although that uses DataNucleus direct sql feature… at least we need some checks on these.
{noformat}
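The concatenation pattern quoted above, side by side with the parameter-based form the report asks for, as an added illustration that is not part of the report or of Hive's code. It uses an in-memory SQLite table as a stand-in for the metastore RDBMS, a `quote_string` helper that is assumed to behave as the report describes `quoteString` (wraps in single quotes, no escaping or validation), constructed sample rows, and an assumed allowlist regex for identifiers such as table names, which cannot be bound as parameters and therefore need a separate check:

```python
import re
import sqlite3

# Constructed sample rows; not real REPL_TXN_MAP contents.
SAMPLE_ROWS = [
    (1, "policy_a"),
    (1, "policy_b"),
    (2, "policy_a"),
]

# Assumed allowlist for db/table identifiers (identifiers cannot be bound as
# JDBC parameters, so they need validation before being spliced into SQL).
IDENTIFIER_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def quote_string(s: str) -> str:
    """Assumed stand-in for quoteString: wraps in single quotes, no escaping."""
    return "'" + s + "'"


def is_safe_identifier(name: str) -> bool:
    """Allowlist check for names that must be spliced into SQL text."""
    return bool(IDENTIFIER_RE.match(name))


def make_db() -> sqlite3.Connection:
    """Fresh in-memory table mirroring the two columns named in the report."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE REPL_TXN_MAP (RTM_SRC_TXN_ID INTEGER, RTM_REPL_POLICY TEXT)"
    )
    conn.executemany("INSERT INTO REPL_TXN_MAP VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def row_count(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM REPL_TXN_MAP").fetchone()[0]


def delete_concat(conn: sqlite3.Connection, source_txn_id: int, repl_policy: str) -> int:
    """Vulnerable pattern: the policy string becomes part of the SQL text.

    source_txn_id is a number coming from a typed Thrift field, so only the
    policy string is attacker-controlled text here. Returns rows deleted.
    """
    before = row_count(conn)
    sql = (
        "delete from REPL_TXN_MAP where RTM_SRC_TXN_ID = " + str(int(source_txn_id))
        + " and RTM_REPL_POLICY = " + quote_string(repl_policy)
    )
    conn.execute(sql)
    conn.commit()
    return before - row_count(conn)


def delete_param(conn: sqlite3.Connection, source_txn_id: int, repl_policy: str) -> int:
    """Parameter-based form: the policy string can only ever be compared as a value."""
    before = row_count(conn)
    conn.execute(
        "delete from REPL_TXN_MAP where RTM_SRC_TXN_ID = ? and RTM_REPL_POLICY = ?",
        (int(source_txn_id), repl_policy),
    )
    conn.commit()
    return before - row_count(conn)


def demo(repl_policy: str, source_txn_id: int = 1):
    """Run both variants on fresh tables; returns (deleted_by_concat, deleted_by_param)."""
    concat = delete_concat(make_db(), source_txn_id, repl_policy)
    param = delete_param(make_db(), source_txn_id, repl_policy)
    return concat, param


if __name__ == "__main__":
    # A benign policy deletes the one matching row either way.
    print("benign:", demo("policy_a"))
    # The policy string from the report: concatenation turns the WHERE clause
    # into "... = '' OR '1' = '1'", which matches every row; the bound
    # parameter matches nothing because it is compared literally.
    print("crafted:", demo("' OR '1' = '1"))
    print("identifier ok:", is_safe_identifier("my_table"))
    print("identifier rejected:", is_safe_identifier("t'; drop table x --"))
```

With the crafted policy the concatenated statement deletes all three constructed rows and the parameterised one deletes none; with `policy_a` both delete exactly one. For the `get_valid_write_ids` path, where db and table names are identifiers rather than values, binding is not available and an allowlist check like `is_safe_identifier` (or a lookup against the catalog) is the corresponding mitigation.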



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)