From c83618e4e5fc092829a1f2a726f12fb832e802cc Mon Sep 17 00:00:00 2001
From: Hyukjin Kwon
Date: Fri, 22 Apr 2022 19:01:05 +0900
Subject: [PATCH] [SPARK-38992][CORE] Avoid using bash -c in ShellBasedGroupsMappingProvider

### What changes were proposed in this pull request?

This PR proposes to avoid using `bash -c` in `ShellBasedGroupsMappingProvider`. This could allow users a command injection.

### Why are the changes needed?

For a security purpose.

### Does this PR introduce _any_ user-facing change?

Virtually no.

### How was this patch tested?

Manually tested.

Closes #36315 from HyukjinKwon/SPARK-38992.

Authored-by: Hyukjin Kwon
Signed-off-by: Hyukjin Kwon
---
 .../spark/security/ShellBasedGroupsMappingProvider.scala | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/core/src/main/scala/org/apache/spark/security/ShellBasedGroupsMappingProvider.scala b/core/src/main/scala/org/apache/spark/security/ShellBasedGroupsMappingProvider.scala
index f71dd08246b2f..7ef8ef165e3a2 100644
--- a/core/src/main/scala/org/apache/spark/security/ShellBasedGroupsMappingProvider.scala
+++ b/core/src/main/scala/org/apache/spark/security/ShellBasedGroupsMappingProvider.scala
@@ -30,6 +30,8 @@ import org.apache.spark.util.Utils
 private[spark] class ShellBasedGroupsMappingProvider extends GroupMappingServiceProvider
     with Logging {
 
+  private lazy val idPath = Utils.executeAndGetOutput("which" :: "id" :: Nil).stripLineEnd
+
   override def getGroups(username: String): Set[String] = {
     val userGroups = getUnixGroups(username)
     logDebug("User: " + username + " Groups: " + userGroups.mkString(","))
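Review bot: Nothing checks the value `idPath` receives from `which id` on the added lazy val, so on a host where `id` is not on PATH the field can silently hold an empty string and the problem only surfaces later as an unclear process-launch error out of `getUnixGroups` rather than at initialization (this assumes `Utils.executeAndGetOutput` does not already fail on a non-zero exit status, which is not visible in this hunk). Making the check explicit inside the lazy val keeps it lazy while failing clearly: `private lazy val idPath = { val p = Utils.executeAndGetOutput("which" :: "id" :: Nil).stripLineEnd; require(p.nonEmpty, "id executable not found on PATH"); p }`. The field also deserves a why-comment, since `which` is itself resolved through PATH and the gain is avoiding a shell rather than avoiding PATH lookup, e.g. `// Resolve the id binary once so group lookup can exec it directly instead of going through bash -c`. The class body continues outside the hunk.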
@@ -38,8 +40,7 @@ private[spark] class ShellBasedGroupsMappingProvider extends GroupMappingService
 
   // shells out a "bash -c id -Gn username" to get user groups
   private def getUnixGroups(username: String): Set[String] = {
-    val cmdSeq = Seq("bash", "-c", "id -Gn " + username)
     // we need to get rid of the trailing "\n" from the result of command execution
-    Utils.executeAndGetOutput(cmdSeq).stripLineEnd.split(" ").toSet
+    Utils.executeAndGetOutput(idPath :: "-Gn" :: username :: Nil).stripLineEnd.split(" ").toSet
   }
 }
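Review bot: The comment on the first code line of the hunk, `// shells out a "bash -c id -Gn username" to get user groups`, is now stale — the new line runs the resolved `id` binary with `-Gn` and the username as separate arguments and no shell is involved; change it to `// runs "<idPath> -Gn <username>" directly (no shell) to get user groups`. Passing the username as a bare positional argument still lets a value beginning with `-` be read by `id` as an option rather than a name; where the `id` implementations in use honour the `--` end-of-options marker (GNU coreutils does), `idPath :: "-Gn" :: "--" :: username :: Nil` closes that gap, otherwise validate the name before the call. Note also that `split(" ")` on an empty result still yields `Set("")` rather than an empty set, as the removed line did, so that may be intentional but is worth a comment.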