Jackie-Jiang commented on a change in pull request #8159:
URL: https://github.com/apache/pinot/pull/8159#discussion_r801260501



##########
File path: 
pinot-broker/src/main/java/org/apache/pinot/broker/requesthandler/BaseBrokerRequestHandler.java
##########
@@ -1168,6 +1173,56 @@ private static void handleHLLLog2mOverride(PinotQuery 
pinotQuery, int hllLog2mOv
     }
   }
 
+  /**
+   * Verifies that no groovy is present in the PinotQuery when disabled.
+   */
+  @VisibleForTesting
+  static void handleDisableGroovyOverride(PinotQuery pinotQuery) {
+    List<Expression> selectList = pinotQuery.getSelectList();
+    for (Expression expression : selectList) {
+      handleDisableGroovyOverride(expression);
+    }
+    List<Expression> orderByList = pinotQuery.getOrderByList();
+    if (orderByList != null) {
+      for (Expression expression : orderByList) {
+        // NOTE: Order-by is always a Function with the ordering of the 
Expression
+        
handleDisableGroovyOverride(expression.getFunctionCall().getOperands().get(0));
+      }
+    }
+    Expression havingExpression = pinotQuery.getHavingExpression();
+    if (havingExpression != null) {
+      handleDisableGroovyOverride(havingExpression);
+    }
+    Expression filterExpression = pinotQuery.getFilterExpression();
+    if (filterExpression != null) {
+      handleDisableGroovyOverride(filterExpression);
+    }
+    List<Expression> groupByList = pinotQuery.getGroupByList();
+    if (groupByList != null) {
+      for (Expression expression : groupByList) {
+        handleDisableGroovyOverride(expression);
+      }
+    }
+  }
+
+  private static void handleDisableGroovyOverride(Expression expression) {
+    Function functionCall = expression.getFunctionCall();
+    if (functionCall == null) {
+      return;
+    }
+
+    if (functionCall.getOperator().toUpperCase().contains("GROOVY")) {
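Review bot: the check on the last `+` line, `functionCall.getOperator().toUpperCase().contains("GROOVY")`, normalizes only letter case before doing a substring match, so it does not apply whatever other normalization operator names receive when functions are resolved (the review comment below cites `gro_ovy` as a spelling that slips through), and it also rejects any unrelated operator whose name merely contains `groovy`. Suggest canonicalizing the operator with the same routine that function lookup uses and comparing for equality against the canonical disallowed name, then covering the `gro_ovy` spelling in a unit test through the `@VisibleForTesting` entry point `handleDisableGroovyOverride(PinotQuery)`.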

Review comment:
       The problem is that an attacker can bypass this check if they use 
`gro_ovy`, which needs to be avoided
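As an added illustration of the bypass the comment describes (example code, not from the pull request or from Pinot), the snippet below places the hunk's substring check beside a check that canonicalizes the operator name first. The `canonicalize` helper is an assumption: it models name resolution that ignores case and underscores, which is what would make `gro_ovy` resolve to the same function as `groovy`; the class and method names are invented for the example.

```java
import java.util.List;
import java.util.Locale;

/** Added example, not Pinot code: two ways of testing whether an operator names the groovy function. */
public class GroovyNameCheck {

  // Assumption for this example: function names are resolved case-insensitively and with
  // underscores ignored, so "groovy", "GROOVY" and "gro_ovy" all reach the same function.
  static String canonicalize(String functionName) {
    return functionName.replace("_", "").toLowerCase(Locale.ROOT);
  }

  /** The check as written in the hunk: uppercase the raw operator, then substring match. */
  static boolean naiveIsGroovy(String operator) {
    return operator.toUpperCase(Locale.ROOT).contains("GROOVY");
  }

  /** Canonicalize first, then compare for equality with the canonical disallowed name. */
  static boolean canonicalIsGroovy(String operator) {
    return canonicalize(operator).equals("groovy");
  }

  public static void main(String[] args) {
    // Constructed sample operator spellings: the plain name, a case variant, the
    // underscore variant from the review comment, and an unrelated name that merely
    // contains the substring.
    List<String> operators = List.of("groovy", "GROOVY", "gro_ovy", "myGroovyUdf");
    for (String op : operators) {
      System.out.printf("%-12s naive=%-5s canonical=%s%n",
          op, naiveIsGroovy(op), canonicalIsGroovy(op));
    }
  }
}
```

Running it shows the two failure modes of the substring check side by side: `gro_ovy` passes `naiveIsGroovy` but is caught by `canonicalIsGroovy`, while `myGroovyUdf` is rejected by the substring check even though it is a different function. Whatever canonicalization the real function registry applies, the check that enforces the override has to apply the same one, or the two disagree on which spellings name the groovy function.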




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscr...@pinot.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


