Skip to content

Add validation that checks next URI host and port does not change during query execution#21101

Merged
tdcmeehan merged 1 commit intoprestodb:masterfrom
dianatatar:nextURI
Dec 23, 2023
Merged

Add validation that checks next URI host and port does not change during query execution#21101
tdcmeehan merged 1 commit intoprestodb:masterfrom
dianatatar:nextURI

Conversation

@dianatatar
Copy link
Contributor

@dianatatar dianatatar commented Oct 11, 2023

Description

Presto client can attempt to follow a next URI from an untrusted source, adding option to validate that next URI host and port does not change during query execution.

Motivation and Context

Presto clients can attempt to follow a next URI from an untrusted source, adding option to validate that the host and port are consistent during query execution as a security improvement.
Fixes advisory GHSA-86q5-qcjc-7pv4

Impact

Adding option to Presto Client to validate next URI during query execution. This is an opt in, by default the current client behavior does not change

Test Plan

Tested locally with CLI and Presto Jdbc client by sending an invalid next URI host & port during a query execution, confirmed clients will not follow the invalid next URI if option to perform this validation is turned on.

Contributor checklist

  • Please make sure your submission complies with our development, formatting, commit message, and attribution guidelines.
  • PR description addresses the issue accurately and concisely. If the change is non-trivial, a GitHub Issue is referenced.
  • Documented new properties (with its default value), SQL syntax, functions, or other functionality.
  • If release notes are required, they follow the release notes guidelines.
  • Adequate tests were added if applicable.
  • CI passed.

Release Notes

Please follow release notes guidelines and fill in the release notes below.

== RELEASE NOTES ==

General Changes
* Add validation to check that next URI host and port does not change during query execution

@dianatatar dianatatar requested a review from a team as a code owner October 11, 2023 02:31
@dianatatar dianatatar requested a review from presto-oss October 11, 2023 02:31
@github-actions
Copy link

github-actions bot commented Oct 11, 2023

Codenotify: Notifying subscribers in CODENOTIFY files for diff 01c962e...95bf5b0.

Notify File(s)
@steveburnett presto-docs/src/main/sphinx/installation/jdbc.rst

steveburnett
steveburnett approved these changes Oct 11, 2023
View reviewed changes
Copy link
Contributor

@steveburnett steveburnett left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! (docs)

@tdcmeehan tdcmeehan requested a review from skairali October 17, 2023 14:49
@tcherel
Copy link

tcherel commented Nov 21, 2023

Hi.
Any ideas if and when (rough idea) this might be delivered and available in a new presto JDBC GA driver?
Thanks.

@tdcmeehan
Copy link
Contributor

tdcmeehan commented Nov 21, 2023

@skairali any further comments?

@tcherel
Copy link

tcherel commented Dec 4, 2023

@tdcmeehan @skairali any updates or some sort of rough ETA?
Thanks.

@tdcmeehan tdcmeehan merged commit 0f89633 into prestodb:master Dec 23, 2023
@tcherel
Copy link

tcherel commented Jan 8, 2024

@tdcmeehan can you confirm in which presto-jdbc GA version this fix is available?
If not yet in a GA version, any ETAs as when it will be available?
Thanks.

@tdcmeehan
Copy link
Contributor

tdcmeehan commented Jan 8, 2024

This will go out in 0.286 (February/March timeframe)

@wanglinsong wanglinsong mentioned this pull request Feb 12, 2024
Merged
64 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@steveburnett steveburnett steveburnett approved these changes

@tdcmeehan tdcmeehan tdcmeehan approved these changes

@presto-oss presto-oss Awaiting requested review from presto-oss presto-oss is a code owner automatically assigned from prestodb/committers

@skairali skairali Awaiting requested review from skairali

Assignees

@skairali skairali

Labels

Security

Projects

Security
Status: Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@dianatatar @tcherel @tdcmeehan @steveburnett @skairali