YARN-7758. Add an additional check to the validity of container and application ids passed to container-executor. Contributed by Yufei Gu.

hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/container-executor.c

@@ -1068,7 +1068,8 @@ int create_log_dirs(const char *app_id, char * const * log_dirs) {
   for(log_root=log_dirs; *log_root != NULL; ++log_root) {
     char *app_log_dir = get_app_log_directory(*log_root, app_id);
     int result = check_nm_local_dir(nm_uid, *log_root);
-    if (result != 0) {
+    if (result != 0 && app_log_dir != NULL) {
+      free(app_log_dir);
       app_log_dir = NULL;
     }
     if (app_log_dir == NULL) {

hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/main.c

@@ -21,6 +21,7 @@
 #include "container-executor.h"
 #include "util.h"
 #include "get_executable.h"
+#include "utils/string-utils.h"
 
 #include <errno.h>
 #include <grp.h>
@@ -351,6 +352,10 @@ static int validate_run_as_user_commands(int argc, char **argv, int *operation)
     }
     cmd_input.app_id = argv[optind++];
     cmd_input.container_id = argv[optind++];
+    if (!validate_container_id(cmd_input.container_id)) {
+      fprintf(ERRORFILE, "Invalid container id %s\n", cmd_input.container_id);
+      return INVALID_CONTAINER_ID;
+    }
     cmd_input.cred_file = argv[optind++];
     cmd_input.local_dirs = argv[optind++];// good local dirs as a comma separated list
     cmd_input.log_dirs = argv[optind++];// good log dirs as a comma separated list

hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/util.h

@@ -67,7 +67,8 @@ enum errorcodes {
   ERROR_SANITIZING_DOCKER_COMMAND = 39,
   DOCKER_IMAGE_INVALID = 40,
   // DOCKER_CONTAINER_NAME_INVALID = 41, (NOT USED)
-  ERROR_COMPILING_REGEX = 42
+  ERROR_COMPILING_REGEX = 42,
+  INVALID_CONTAINER_ID = 43
 };