Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Apache Spark: In SparkSql, are sql's vulnerable to Sql Injection [duplicate]

Scenario:

Say there is a table in Hive, and it is queried using the below SparkSql in Apache Spark, where table name is passed as an argument and concatenated to the query.

In case of non-distributed system, I have basic understanding of SQL-Injection vulnerability and in the context of JDBC understand the usage of createStatement/preparedStatement in the those kind of scenario.

But what about this scenario in the case of sparksql, is this code vulnerable? Any insights ?

def main(args: Array[String]) {

    val sconf = new SparkConf().setAppName("TestApp")
    val sparkContext = new SparkContext(sconf)
    val hiveSqlContext = new org.apache.spark.sql.hive.HiveContext(sparkContext)

    val tableName = args(0)    // passed as an argument

    val tableData  =  hiveSqlContext.sql("select IdNUm, Name from hiveSchemaName." + tableName + " where IdNum <> '' ")
                                        .map( x => (x.getString(0), x.getString(1)) ).collectAsMap()


    ................
    ...............

}
like image 574
jdprasad Avatar asked Jan 30 '17 17:01

jdprasad


2 Answers

You can try the following in Spark 2.0:

def main(args: Array[String]) {
val conf = new SparkConf()

val sparkSession = SparkSession
  .builder()
  .appName("TestApp")
  .config(conf)
  .enableHiveSupport()
  .getOrCreate()

val tableName = args(0)    // passed as an argument

val tableData  =  sparkSession
.table(tableName)
.select($"IdNum", $"Name")
.filter($"IdNum" =!= "")
.map( x => (x.getString(0), x.getString(1)) ).collectAsMap()


................
...............

}`

like image 190
Gsquare Avatar answered Oct 15 '22 03:10

Gsquare


In Java usually the most common way to handle sql injection threats is to use prepared statements.

you can use the Java libraries or google prepared statements in Scala to look for Scala libraries for that. Since Scala is used also in web applications I'm sure such libraries exists..

like image 42
Tal Joffe Avatar answered Oct 15 '22 04:10

Tal Joffe