diff --git a/sql/catalyst/src/main/scala/org/apache/spark/sql/catalyst/util/package.scala b/sql/catalyst/src/main/scala/org/apache/spark/sql/catalyst/util/package.scala
index 3d2a624ba3b308407177e183c072f3dcac6a2ccf..f1d6cab9a5a1cff906d2321f06f79f40a94e7a9d 100644
--- a/sql/catalyst/src/main/scala/org/apache/spark/sql/catalyst/util/package.scala
+++ b/sql/catalyst/src/main/scala/org/apache/spark/sql/catalyst/util/package.scala
@@ -162,7 +162,18 @@ package object util {
def toCommentSafeString(str: String): String = {
val len = math.min(str.length, 128)
val suffix = if (str.length > len) "..." else ""
- str.substring(0, len).replace("*/", "\\*\\/").replace("\\u", "\\\\u") + suffix
+
+ // Unicode literals, like \u0022, should be escaped before
+ // they are put in code comment to avoid codegen breaking.
+ // To escape them, single "\" should be prepended to a series of "\" just before "u"
+ // only when the number of "\" is odd.
+ // For example, \u0022 should become to \\u0022
+ // but \\u0022 should not become to \\\u0022 because the first backslash escapes the second one,
+ // and \u0022 will remain, means not escaped.
+ // Otherwise, the runtime Java compiler will fail to compile or code injection can be allowed.
+ // For details, see SPARK-15165.
+ str.substring(0, len).replace("*/", "*\\/")
+ .replaceAll("(^|[^\\\\])(\\\\(\\\\\\\\)*u)", "$1\\\\$2") + suffix
}
/* FIX ME
diff --git a/sql/catalyst/src/test/scala/org/apache/spark/sql/catalyst/expressions/CodeGenerationSuite.scala b/sql/catalyst/src/test/scala/org/apache/spark/sql/catalyst/expressions/CodeGenerationSuite.scala
index 2082cea0f60f787a1c221ee75213e76d2a708250..db34d12e286fa7004648cf1b3cc06eaf9137c7ab 100644
--- a/sql/catalyst/src/test/scala/org/apache/spark/sql/catalyst/expressions/CodeGenerationSuite.scala
+++ b/sql/catalyst/src/test/scala/org/apache/spark/sql/catalyst/expressions/CodeGenerationSuite.scala
@@ -194,4 +194,48 @@ class CodeGenerationSuite extends SparkFunSuite with ExpressionEvalHelper {
true,
InternalRow(UTF8String.fromString("\\u")))
}
+
+ test("check compilation error doesn't occur caused by specific literal") {
+ // The end of comment (*/) should be escaped.
+ GenerateUnsafeProjection.generate(
+ Literal.create("*/Compilation error occurs/*", StringType) :: Nil)
+
+ // `\u002A` is `*` and `\u002F` is `/`
+ // so if the end of comment consists of those characters in queries, we need to escape them.
+ GenerateUnsafeProjection.generate(
+ Literal.create("\\u002A/Compilation error occurs/*", StringType) :: Nil)
+ GenerateUnsafeProjection.generate(
+ Literal.create("\\\\u002A/Compilation error occurs/*", StringType) :: Nil)
+ GenerateUnsafeProjection.generate(
+ Literal.create("\\u002a/Compilation error occurs/*", StringType) :: Nil)
+ GenerateUnsafeProjection.generate(
+ Literal.create("\\\\u002a/Compilation error occurs/*", StringType) :: Nil)
+ GenerateUnsafeProjection.generate(
+ Literal.create("*\\u002FCompilation error occurs/*", StringType) :: Nil)
+ GenerateUnsafeProjection.generate(
+ Literal.create("*\\\\u002FCompilation error occurs/*", StringType) :: Nil)
+ GenerateUnsafeProjection.generate(
+ Literal.create("*\\002fCompilation error occurs/*", StringType) :: Nil)
+ GenerateUnsafeProjection.generate(
+ Literal.create("*\\\\002fCompilation error occurs/*", StringType) :: Nil)
+ GenerateUnsafeProjection.generate(
+ Literal.create("\\002A\\002FCompilation error occurs/*", StringType) :: Nil)
+ GenerateUnsafeProjection.generate(
+ Literal.create("\\\\002A\\002FCompilation error occurs/*", StringType) :: Nil)
+ GenerateUnsafeProjection.generate(
+ Literal.create("\\002A\\\\002FCompilation error occurs/*", StringType) :: Nil)
+
+ // \ u002X is an invalid unicode literal so it should be escaped.
+ GenerateUnsafeProjection.generate(
+ Literal.create("\\u002X/Compilation error occurs", StringType) :: Nil)
+ GenerateUnsafeProjection.generate(
+ Literal.create("\\\\u002X/Compilation error occurs", StringType) :: Nil)
+
+ // \ u001 is an invalid unicode literal so it should be escaped.
+ GenerateUnsafeProjection.generate(
+ Literal.create("\\u001/Compilation error occurs", StringType) :: Nil)
+ GenerateUnsafeProjection.generate(
+ Literal.create("\\\\u001/Compilation error occurs", StringType) :: Nil)
+
+ }
}
diff --git a/sql/core/src/test/scala/org/apache/spark/sql/SQLQuerySuite.scala b/sql/core/src/test/scala/org/apache/spark/sql/SQLQuerySuite.scala
index 7020841d3171765c27888d7912698c2659b72df1..b67e2bdeb3663300acb9c665d090c53592f46ac9 100644
--- a/sql/core/src/test/scala/org/apache/spark/sql/SQLQuerySuite.scala
+++ b/sql/core/src/test/scala/org/apache/spark/sql/SQLQuerySuite.scala
@@ -2496,4 +2496,268 @@ class SQLQuerySuite extends QueryTest with SharedSQLContext {
}
}
+ test("check code injection is prevented") {
+ // The end of comment (*/) should be escaped.
+ var literal =
+ """|*/
+ |{
+ | new Object() {
+ | void f() { throw new RuntimeException("This exception is injected."); }
+ | }.f();
+ |}
+ |/*""".stripMargin
+ var expected =
+ """|*/
+ |{
+ | new Object() {
+ | void f() { throw new RuntimeException("This exception is injected."); }
+ | }.f();
+ |}
+ |/*""".stripMargin
+ checkAnswer(
+ sql(s"SELECT '$literal' AS DUMMY"),
+ Row(s"$expected") :: Nil)
+
+ // `\u002A` is `*` and `\u002F` is `/`
+ // so if the end of comment consists of those characters in queries, we need to escape them.
+ literal =
+ """|\\u002A/
+ |{
+ | new Object() {
+ | void f() { throw new RuntimeException("This exception is injected."); }
+ | }.f();
+ |}
+ |/*""".stripMargin
+ expected =
+ s"""|${"\\u002A/"}
+ |{
+ | new Object() {
+ | void f() { throw new RuntimeException("This exception is injected."); }
+ | }.f();
+ |}
+ |/*""".stripMargin
+ checkAnswer(
+ sql(s"SELECT '$literal' AS DUMMY"),
+ Row(s"$expected") :: Nil)
+
+ literal =
+ """|\\\\u002A/
+ |{
+ | new Object() {
+ | void f() { throw new RuntimeException("This exception is injected."); }
+ | }.f();
+ |}
+ |/*""".stripMargin
+ expected =
+ """|\\u002A/
+ |{
+ | new Object() {
+ | void f() { throw new RuntimeException("This exception is injected."); }
+ | }.f();
+ |}
+ |/*""".stripMargin
+ checkAnswer(
+ sql(s"SELECT '$literal' AS DUMMY"),
+ Row(s"$expected") :: Nil)
+
+ literal =
+ """|\\u002a/
+ |{
+ | new Object() {
+ | void f() { throw new RuntimeException("This exception is injected."); }
+ | }.f();
+ |}
+ |/*""".stripMargin
+ expected =
+ s"""|${"\\u002a/"}
+ |{
+ | new Object() {
+ | void f() { throw new RuntimeException("This exception is injected."); }
+ | }.f();
+ |}
+ |/*""".stripMargin
+ checkAnswer(
+ sql(s"SELECT '$literal' AS DUMMY"),
+ Row(s"$expected") :: Nil)
+
+ literal =
+ """|\\\\u002a/
+ |{
+ | new Object() {
+ | void f() { throw new RuntimeException("This exception is injected."); }
+ | }.f();
+ |}
+ |/*""".stripMargin
+ expected =
+ """|\\u002a/
+ |{
+ | new Object() {
+ | void f() { throw new RuntimeException("This exception is injected."); }
+ | }.f();
+ |}
+ |/*""".stripMargin
+ checkAnswer(
+ sql(s"SELECT '$literal' AS DUMMY"),
+ Row(s"$expected") :: Nil)
+
+ literal =
+ """|*\\u002F
+ |{
+ | new Object() {
+ | void f() { throw new RuntimeException("This exception is injected."); }
+ | }.f();
+ |}
+ |/*""".stripMargin
+ expected =
+ s"""|${"*\\u002F"}
+ |{
+ | new Object() {
+ | void f() { throw new RuntimeException("This exception is injected."); }
+ | }.f();
+ |}
+ |/*""".stripMargin
+ checkAnswer(
+ sql(s"SELECT '$literal' AS DUMMY"),
+ Row(s"$expected") :: Nil)
+
+ literal =
+ """|*\\\\u002F
+ |{
+ | new Object() {
+ | void f() { throw new RuntimeException("This exception is injected."); }
+ | }.f();
+ |}
+ |/*""".stripMargin
+ expected =
+ """|*\\u002F
+ |{
+ | new Object() {
+ | void f() { throw new RuntimeException("This exception is injected."); }
+ | }.f();
+ |}
+ |/*""".stripMargin
+ checkAnswer(
+ sql(s"SELECT '$literal' AS DUMMY"),
+ Row(s"$expected") :: Nil)
+
+ literal =
+ """|*\\u002f
+ |{
+ | new Object() {
+ | void f() { throw new RuntimeException("This exception is injected."); }
+ | }.f();
+ |}
+ |/*""".stripMargin
+ expected =
+ s"""|${"*\\u002f"}
+ |{
+ | new Object() {
+ | void f() { throw new RuntimeException("This exception is injected."); }
+ | }.f();
+ |}
+ |/*""".stripMargin
+ checkAnswer(
+ sql(s"SELECT '$literal' AS DUMMY"),
+ Row(s"$expected") :: Nil)
+
+ literal =
+ """|*\\\\u002f
+ |{
+ | new Object() {
+ | void f() { throw new RuntimeException("This exception is injected."); }
+ | }.f();
+ |}
+ |/*""".stripMargin
+ expected =
+ """|*\\u002f
+ |{
+ | new Object() {
+ | void f() { throw new RuntimeException("This exception is injected."); }
+ | }.f();
+ |}
+ |/*""".stripMargin
+ checkAnswer(
+ sql(s"SELECT '$literal' AS DUMMY"),
+ Row(s"$expected") :: Nil)
+
+ literal =
+ """|\\u002A\\u002F
+ |{
+ | new Object() {
+ | void f() { throw new RuntimeException("This exception is injected."); }
+ | }.f();
+ |}
+ |/*""".stripMargin
+ expected =
+ s"""|${"\\u002A\\u002F"}
+ |{
+ | new Object() {
+ | void f() { throw new RuntimeException("This exception is injected."); }
+ | }.f();
+ |}
+ |/*""".stripMargin
+ checkAnswer(
+ sql(s"SELECT '$literal' AS DUMMY"),
+ Row(s"$expected") :: Nil)
+
+ literal =
+ """|\\\\u002A\\u002F
+ |{
+ | new Object() {
+ | void f() { throw new RuntimeException("This exception is injected."); }
+ | }.f();
+ |}
+ |/*""".stripMargin
+ expected =
+ s"""|${"\\\\u002A\\u002F"}
+ |{
+ | new Object() {
+ | void f() { throw new RuntimeException("This exception is injected."); }
+ | }.f();
+ |}
+ |/*""".stripMargin
+ checkAnswer(
+ sql(s"SELECT '$literal' AS DUMMY"),
+ Row(s"$expected") :: Nil)
+
+ literal =
+ """|\\u002A\\\\u002F
+ |{
+ | new Object() {
+ | void f() { throw new RuntimeException("This exception is injected."); }
+ | }.f();
+ |}
+ |/*""".stripMargin
+ expected =
+ s"""|${"\\u002A\\\\u002F"}
+ |{
+ | new Object() {
+ | void f() { throw new RuntimeException("This exception is injected."); }
+ | }.f();
+ |}
+ |/*""".stripMargin
+ checkAnswer(
+ sql(s"SELECT '$literal' AS DUMMY"),
+ Row(s"$expected") :: Nil)
+
+ literal =
+ """|\\\\u002A\\\\u002F
+ |{
+ | new Object() {
+ | void f() { throw new RuntimeException("This exception is injected."); }
+ | }.f();
+ |}
+ |/*""".stripMargin
+ expected =
+ """|\\u002A\\u002F
+ |{
+ | new Object() {
+ | void f() { throw new RuntimeException("This exception is injected."); }
+ | }.f();
+ |}
+ |/*""".stripMargin
+ checkAnswer(
+ sql(s"SELECT '$literal' AS DUMMY"),
+ Row(s"$expected") :: Nil)
+ }
}