YARN-7758. Add an additional check to the validity of container and application ids passed to container-executor. Contributed by Yufei Gu.

(cherry picked from commit 41049ba5d1)
This commit is contained in:
Miklos Szegedi 2018-01-16 15:40:43 -08:00
parent 2443692434
commit 7629353153
3 changed files with 9 additions and 2 deletions

View File

@ -1068,7 +1068,8 @@ int create_log_dirs(const char *app_id, char * const * log_dirs) {
for(log_root=log_dirs; *log_root != NULL; ++log_root) { for(log_root=log_dirs; *log_root != NULL; ++log_root) {
char *app_log_dir = get_app_log_directory(*log_root, app_id); char *app_log_dir = get_app_log_directory(*log_root, app_id);
int result = check_nm_local_dir(nm_uid, *log_root); int result = check_nm_local_dir(nm_uid, *log_root);
if (result != 0) { if (result != 0 && app_log_dir != NULL) {
free(app_log_dir);
app_log_dir = NULL; app_log_dir = NULL;
} }
if (app_log_dir == NULL) { if (app_log_dir == NULL) {

View File

@ -23,6 +23,7 @@
#include "get_executable.h" #include "get_executable.h"
#include "modules/gpu/gpu-module.h" #include "modules/gpu/gpu-module.h"
#include "modules/cgroups/cgroups-operations.h" #include "modules/cgroups/cgroups-operations.h"
#include "utils/string-utils.h"
#include <errno.h> #include <errno.h>
#include <grp.h> #include <grp.h>
@ -362,6 +363,10 @@ static int validate_run_as_user_commands(int argc, char **argv, int *operation)
} }
cmd_input.app_id = argv[optind++]; cmd_input.app_id = argv[optind++];
cmd_input.container_id = argv[optind++]; cmd_input.container_id = argv[optind++];
if (!validate_container_id(cmd_input.container_id)) {
fprintf(ERRORFILE, "Invalid container id %s\n", cmd_input.container_id);
return INVALID_CONTAINER_ID;
}
cmd_input.cred_file = argv[optind++]; cmd_input.cred_file = argv[optind++];
cmd_input.local_dirs = argv[optind++];// good local dirs as a comma separated list cmd_input.local_dirs = argv[optind++];// good local dirs as a comma separated list
cmd_input.log_dirs = argv[optind++];// good log dirs as a comma separated list cmd_input.log_dirs = argv[optind++];// good log dirs as a comma separated list

View File

@ -67,7 +67,8 @@ enum errorcodes {
ERROR_SANITIZING_DOCKER_COMMAND = 39, ERROR_SANITIZING_DOCKER_COMMAND = 39,
DOCKER_IMAGE_INVALID = 40, DOCKER_IMAGE_INVALID = 40,
// DOCKER_CONTAINER_NAME_INVALID = 41, (NOT USED) // DOCKER_CONTAINER_NAME_INVALID = 41, (NOT USED)
ERROR_COMPILING_REGEX = 42 ERROR_COMPILING_REGEX = 42,
INVALID_CONTAINER_ID = 43
}; };
/* Macros for min/max. */ /* Macros for min/max. */