
Removing class objects comparison using getName(), getSimpleName() #24000

Open
wants to merge 1 commit into master

Conversation

bibith4
Contributor

@bibith4 bibith4 commented Nov 11, 2024

Description

Changes to remove class objects comparison using the methods getName(),getSimpleName() to improve security.
Made changes in
presto-hive/src/main/java/com/facebook/presto/hive/HiveUtil.java
presto-main/src/main/java/com/facebook/presto/execution/QueryStats.java
presto-main/src/main/java/com/facebook/presto/execution/executor/TaskExecutor.java
presto-main/src/main/java/com/facebook/presto/operator/AggregationOperator.java
presto-main/src/main/java/com/facebook/presto/operator/HashAggregationOperator.java
presto-main/src/main/java/com/facebook/presto/operator/HashBuilderOperator.java
presto-main/src/main/java/com/facebook/presto/operator/TableWriterOperator.java
presto-main/src/main/java/com/facebook/presto/operator/TaskContext.java
presto-main/src/main/java/com/facebook/presto/operator/scalar/JoniRegexpFunctions.java

Motivation and Context

Do not compare class objects using the getName() or getSimpleName() method, which may cause multiple security vulnerabilities, including string manipulation, class spoofing and namespace collisions.

Impact

No impact

Test Plan

Verified existing Unit test case for above fix
presto-hive/src/test/java/com/facebook/presto/hive/TestHiveUtil.java
presto-main/src/test/java/com/facebook/presto/execution/TestQueryStats.java
presto-main/src/test/java/com/facebook/presto/execution/executor/TestTaskExecutor.java
presto-main/src/main/java/com/facebook/presto/testing/TestingTaskContext.java

Release Notes

== NO RELEASE NOTE ==
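The motivation above, as an added Java example that is not code from this PR or from the Presto code base: two unrelated classes that happen to share a simple name, a check that compares `getSimpleName()` strings, and the `Class`-object comparison that replaces it. All class names here are constructed for the demonstration.

```java
// Added example (not from the Presto PR): a name-based class check matches an
// unrelated class that shares the simple name, while comparing Class objects
// (or using instanceof) does not. Class names are constructed for the demo.
public class ClassNameComparisonDemo {

    // Two unrelated classes that both have the simple name "Worker".
    static final class Trusted { static final class Worker { } }
    static final class Other   { static final class Worker { } }

    // Name-based check: equal simple names do not imply the same class.
    static boolean isTrustedWorkerByName(Object o) {
        return "Worker".equals(o.getClass().getSimpleName());
    }

    // Class-object identity: only the exact class (same loader) matches.
    static boolean isTrustedWorkerByClass(Object o) {
        return o.getClass() == Trusted.Worker.class;
    }

    // instanceof: also accepts subclasses when a type hierarchy is intended.
    static boolean isTrustedWorkerInstance(Object o) {
        return o instanceof Trusted.Worker;
    }

    public static void main(String[] args) {
        Object trusted = new Trusted.Worker();
        Object other = new Other.Worker();

        // getSimpleName() is identical for both classes. getName() differs here,
        // but it is still a string: a class with the same fully qualified name
        // loaded by a different class loader has an equal getName() and is a
        // different Class object, so the identity comparison is the reliable one.
        System.out.println("simple names: " + trusted.getClass().getSimpleName()
                + " / " + other.getClass().getSimpleName());
        System.out.println("full names:   " + trusted.getClass().getName()
                + " / " + other.getClass().getName());

        System.out.println("by name,    other:   " + isTrustedWorkerByName(other));
        System.out.println("by class,   other:   " + isTrustedWorkerByClass(other));
        System.out.println("by class,   trusted: " + isTrustedWorkerByClass(trusted));
        System.out.println("instanceof, trusted: " + isTrustedWorkerInstance(trusted));
    }
}
```

Running it shows the name-based check accepting the `Other.Worker` instance while both `Class`-based checks reject it and accept only `Trusted.Worker`. Where code needs a stable string discriminator (for example the operator type recorded in stats), the safer pattern is a constant owned by the class, as the PR's `OPERATOR_TYPE_NAME` hunk does, rather than deriving the string from the class name at the comparison site.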

@bibith4 bibith4 marked this pull request as ready for review November 12, 2024 05:40
@bibith4 bibith4 requested a review from a team as a code owner November 12, 2024 05:40
@@ -78,6 +78,7 @@
public class TableWriterOperator
implements Operator
{
public static final String OPERATOR_TYPE_NAME = "TableWriterOperator";
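Review bot: the new `OPERATOR_TYPE_NAME` constant only removes the `getSimpleName()` comparison if every site that previously compared the class name now reads this constant, and the hunk shows the declaration only; please confirm the use sites in this file and in the other files listed in the PR reference the constant rather than a repeated `"TableWriterOperator"` literal. The name should also follow the `OPERATOR_TYPE` convention the other operators use (as already raised in this thread), so the discriminator is consistent across operators. A one-line comment on the constant stating that it is the stable operator type identifier, intentionally decoupled from the class name, would document why it exists.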
Contributor

Why is this one OPERATOR_TYPE_NAME while the other operators use OPERATOR_TYPE? Please unify the names.

Contributor Author

@yingsu00 Made the required changes. Can you please verify?

@bibith4 bibith4 force-pushed the static_cve_fix_class_obj_compare_removal branch from 8a80c77 to 6741f55 Compare November 13, 2024 06:51