Apache Spark: in SparkSQL, sql() is vulnerable to SQL injection

Scenario:

Let's say there is a table in Hive and it is queried using SparkSQL in Apache Spark, where the table name is passed as an argument and concatenated into the query.

In the case of a non-distributed system, I have a basic understanding of the SQL injection vulnerability, and in the JDBC context I understand the use of createStatement / preparedStatement in such a scenario.

But what about this scenario in the case of SparkSQL: is this code vulnerable? Any ideas?

```scala
import org.apache.spark.{SparkConf, SparkContext}
import org.apache.spark.sql.hive.HiveContext

object TestApp {
  def main(args: Array[String]) {
    val sconf = new SparkConf().setAppName("TestApp")
    val sparkContext = new SparkContext(sconf)
    val hiveSqlContext = new HiveContext(sparkContext)
    val tableName = args(0) // passed as an argument
    // the argument is concatenated straight into the statement text
    val tableData = hiveSqlContext
      .sql("select IdNUm, Name from hiveSchemaName." + tableName + " where IdNum <> '' ")
      .map(x => (x.getString(0), x.getString(1)))
      .collectAsMap()
    ................
    ...............
  }
}
```
2 answers

You can try the following in Spark 2.0:

```scala
import org.apache.spark.SparkConf
import org.apache.spark.sql.SparkSession

object TestApp {
  def main(args: Array[String]) {
    val conf = new SparkConf()
    val sparkSession = SparkSession
      .builder()
      .appName("TestApp")
      .config(conf)
      .enableHiveSupport()
      .getOrCreate()
    import sparkSession.implicits._ // needed for the $"col" syntax and the tuple encoder
    val tableName = args(0) // passed as an argument
    // the name is resolved through the catalog as an identifier, not spliced into SQL text
    val tableData = sparkSession
      .table(tableName)
      .select($"IdNum", $"Name")
      .filter($"IdNum" =!= "")
      .map(x => (x.getString(0), x.getString(1)))
      .rdd // Dataset has no collectAsMap; go through the underlying pair RDD
      .collectAsMap()
    ................
    ...............
  }
}
```


In Java, the most common way to handle SQL injection is to use prepared statements.

You can use Java libraries, or Google for Scala libraries that do this. Since Scala is also used in web applications, I am sure such libraries exist.

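An added example, not code from the question or from either answer, that puts both answers' points next to the question's code. It is written in Python/PySpark rather than Scala so that the query-building part runs without a cluster; the schema name `hiveSchemaName` comes from the question, while the table names, the allowlist, the `credentials` table and the payload string are constructed for the demonstration. The first function rebuilds the question's statement by concatenation, the payload shows what a crafted `args(0)` turns it into, and the hardened path validates the identifier before it reaches any SQL text (the Spark analogue of a prepared statement, since a table name cannot be a bind parameter).

```python
import re

# Assumptions for this example: the schema name is the one from the question,
# the allowlist and table names are made up.
SCHEMA = "hiveSchemaName"
ALLOWED_TABLES = {"employees", "departments"}
# An unquoted Hive/Spark identifier: letters, digits, underscore, not starting with a digit.
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

# Constructed payload standing in for args(0): it ends the FROM clause early, appends a
# UNION that reads a different table, and comments out the original WHERE clause.
PAYLOAD = ("employees where 1=0 union select user_name, password "
           "from hiveSchemaName.credentials --")


def vulnerable_query(table_name: str) -> str:
    """Builds the statement the way the question's code does: plain string concatenation."""
    return ("select IdNum, Name from " + SCHEMA + "." + table_name
            + " where IdNum <> ''")


def safe_query(table_name: str) -> str:
    """Validates the identifier before it reaches the SQL text, then backtick-quotes it.
    Raises ValueError for anything that is not a known, plain identifier."""
    if not IDENT_RE.match(table_name):
        raise ValueError("invalid table identifier: %r" % table_name)
    if table_name not in ALLOWED_TABLES:
        raise ValueError("table not allowed: %r" % table_name)
    return "select IdNum, Name from `%s`.`%s` where IdNum <> ''" % (SCHEMA, table_name)


def is_rejected(table_name: str) -> bool:
    """True if safe_query() refuses the name."""
    try:
        safe_query(table_name)
    except ValueError:
        return True
    return False


def mentions_union(query: str) -> bool:
    """A single-table read like the question's should never contain UNION."""
    return re.search(r"\bunion\b", query, re.IGNORECASE) is not None


def read_table(spark, table_name: str) -> dict:
    """PySpark version of the first answer: resolve the name through the catalog with
    spark.table() instead of building SQL text. Needs a live SparkSession with Hive
    support, so it is not exercised offline; the allowlist check still runs first."""
    from pyspark.sql.functions import col  # imported lazily so the rest runs without Spark
    if table_name not in ALLOWED_TABLES:
        raise ValueError("table not allowed: %r" % table_name)
    df = (spark.table("%s.%s" % (SCHEMA, table_name))
          .select("IdNum", "Name")
          .filter(col("IdNum") != ""))
    return {row["IdNum"]: row["Name"] for row in df.collect()}


if __name__ == "__main__":
    print("concatenated:", vulnerable_query(PAYLOAD))
    print("validated   :", safe_query("employees"))
    print("payload rejected:", is_rejected(PAYLOAD))
```

Two things worth noting when reading the output. `sql()` executes a single statement, so a stacked `; drop table` does not parse, but a UNION against any table the job's Hive credentials can read does, which is what the concatenated query becomes. `spark.table()` parses its argument as a table identifier, so handing it the payload raises a parse error instead of running a query; the allowlist is still kept in front of it so that a valid but unexpected table name is refused as well.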

Source: https://habr.com/ru/post/1014563/