Apache Spark: In SparkSql, are SQLs vulnerable to SQL injection?
Question
Scenario:
Say there is a table in Hive, and it is queried using the SparkSql below in Apache Spark, where the table name is passed as an argument and concatenated to the query.
In the case of a non-distributed system I have a basic understanding of the SQL-injection vulnerability, and in the context of JDBC I understand the use of createStatement/preparedStatement in those kinds of scenarios.
But what about this scenario in the case of SparkSql: is this code vulnerable? Any insights?
import org.apache.spark.{SparkConf, SparkContext}

def main(args: Array[String]) {
  val sconf = new SparkConf().setAppName("TestApp")
  val sparkContext = new SparkContext(sconf)
  val hiveSqlContext = new org.apache.spark.sql.hive.HiveContext(sparkContext)
  val tableName = args(0) // passed as an argument
  // the argument is concatenated straight into the SQL text
  val tableData = hiveSqlContext.sql("select IdNum, Name from hiveSchemaName." + tableName + " where IdNum <> '' ")
    .map( x => (x.getString(0), x.getString(1)) ).collectAsMap()
  // ................
  // ...............
}
Recommended answer
You can try the following in Spark 2.0:
import org.apache.spark.SparkConf
import org.apache.spark.sql.SparkSession

def main(args: Array[String]) {
  val conf = new SparkConf()
  val sparkSession = SparkSession
    .builder()
    .appName("TestApp")
    .config(conf)
    .enableHiveSupport()
    .getOrCreate()
  import sparkSession.implicits._ // needed for the $"column" syntax below
  val tableName = args(0) // passed as an argument
  val tableData = sparkSession
    .table(tableName) // the argument is resolved as a table identifier, not parsed as SQL text
    .select($"IdNum", $"Name")
    .filter($"IdNum" =!= "")
    .rdd // collectAsMap is a pair-RDD operation, not a Dataset one
    .map( x => (x.getString(0), x.getString(1)) ).collectAsMap()
  // ................
  // ...............
}
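A defensive version of the string-building step from the question, as an added example in Python that is not code from the question or the answer: the caller-supplied table name is checked against a plain-identifier pattern and against an allowlist of tables the job is meant to read, then quoted as a Spark SQL identifier before it is placed in the query text. The allowlist, the naive_query helper and the sample names are constructed for illustration.

```python
import re

# Plain (unquoted) Spark SQL identifier: letters, digits and underscore only.
_PLAIN_IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def naive_query(table_name: str) -> str:
    """The pattern from the question: the argument is spliced into the SQL text as-is."""
    return "select IdNum, Name from hiveSchemaName." + table_name + " where IdNum <> '' "


def quote_identifier(name: str) -> str:
    """Wrap name in backticks, the Spark SQL quoting for identifiers.

    An embedded backtick is written as two backticks, so whatever the string
    contains stays inside one identifier and cannot close the quote.
    """
    if not name:
        raise ValueError("empty identifier")
    return "`" + name.replace("`", "``") + "`"


def build_query(schema: str, table_name: str, allowed_tables: frozenset) -> str:
    """Build the query with the table name validated before it touches the SQL text.

    The name must be a plain identifier and one of the tables this job is meant
    to read; anything else is rejected instead of being concatenated.
    allowed_tables is a caller-supplied allowlist (an assumption of this example).
    """
    if not _PLAIN_IDENTIFIER.match(table_name):
        raise ValueError(f"not a plain identifier: {table_name!r}")
    if table_name not in allowed_tables:
        raise ValueError(f"table not permitted for this job: {table_name!r}")
    return (f"select IdNum, Name from {quote_identifier(schema)}."
            f"{quote_identifier(table_name)} where IdNum <> ''")


def is_accepted(table_name: str, allowed_tables: frozenset) -> bool:
    """True if build_query accepts table_name, False if it rejects it."""
    try:
        build_query("hiveSchemaName", table_name, allowed_tables)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    allowed = frozenset({"customers", "orders"})  # constructed sample allowlist
    for candidate in ("customers", "customers t where 1=1", "accounts"):
        print(candidate, "->", is_accepted(candidate, allowed))
```

Compare naive_query with the same three candidates: it accepts all of them and the second one changes the meaning of the statement, which is the difference between concatenating text and resolving an identifier.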