From a1cdd916bf17027468761f886500c6a6dfa15616 Mon Sep 17 00:00:00 2001 From: Sayari Mukherjee Date: Wed, 26 Nov 2025 08:18:39 +0530 Subject: [PATCH 1/2] fix(security): Upgrade pinot to version 1.40 to address CVE-2025-12383(GHSA-7p63-w6x9-6gr7) fix(tests): Update metadata count assertions in PinotSegmentPageSource tests test --- pom.xml | 2 +- .../presto/pinot/PinotStreamingQueryClient.java | 14 +++++++------- .../pinot/query/PinotProxyGrpcRequestBuilder.java | 4 ++-- .../presto/pinot/TestPinotSegmentPageSource.java | 15 +++++++-------- 4 files changed, 17 insertions(+), 18 deletions(-) diff --git a/pom.xml b/pom.xml index 0fa3e1eeffbea..bcfc5d3aea7ca 100644 --- a/pom.xml +++ b/pom.xml @@ -66,7 +66,7 @@ 313 2.0.16 3.9.1 - 1.3.0 + 1.4.0 35.0.1 2.3.1 4.0.6 diff --git a/presto-pinot-toolkit/src/main/java/com/facebook/presto/pinot/PinotStreamingQueryClient.java b/presto-pinot-toolkit/src/main/java/com/facebook/presto/pinot/PinotStreamingQueryClient.java index d74eb888b5f69..89db03d745770 100644 --- a/presto-pinot-toolkit/src/main/java/com/facebook/presto/pinot/PinotStreamingQueryClient.java +++ b/presto-pinot-toolkit/src/main/java/com/facebook/presto/pinot/PinotStreamingQueryClient.java @@ -15,8 +15,8 @@ import org.apache.pinot.common.config.GrpcConfig; import org.apache.pinot.common.proto.Server; -import org.apache.pinot.common.utils.grpc.GrpcQueryClient; -import org.apache.pinot.common.utils.grpc.GrpcRequestBuilder; +import org.apache.pinot.common.utils.grpc.ServerGrpcQueryClient; +import org.apache.pinot.common.utils.grpc.ServerGrpcRequestBuilder; import java.util.HashMap; import java.util.Iterator; @@ -30,7 +30,7 @@ */ public class PinotStreamingQueryClient { - private final Map grpcQueryClientMap = new HashMap<>(); + private final Map grpcQueryClientMap = new HashMap<>(); private final GrpcConfig config; public PinotStreamingQueryClient(GrpcConfig config) @@ -38,17 +38,17 @@ public PinotStreamingQueryClient(GrpcConfig config) this.config = config; } - public Iterator submit(String host, int port, GrpcRequestBuilder requestBuilder) + public Iterator submit(String host, int port, ServerGrpcRequestBuilder requestBuilder) { - GrpcQueryClient client = getOrCreateGrpcQueryClient(host, port); + ServerGrpcQueryClient client = getOrCreateGrpcQueryClient(host, port); return client.submit(requestBuilder.build()); } - private GrpcQueryClient getOrCreateGrpcQueryClient(String host, int port) + private ServerGrpcQueryClient getOrCreateGrpcQueryClient(String host, int port) { String key = String.format("%s_%d", host, port); if (!grpcQueryClientMap.containsKey(key)) { - grpcQueryClientMap.put(key, new GrpcQueryClient(host, port, config)); + grpcQueryClientMap.put(key, new ServerGrpcQueryClient(host, port, config)); } return grpcQueryClientMap.get(key); } diff --git a/presto-pinot-toolkit/src/main/java/com/facebook/presto/pinot/query/PinotProxyGrpcRequestBuilder.java b/presto-pinot-toolkit/src/main/java/com/facebook/presto/pinot/query/PinotProxyGrpcRequestBuilder.java index e68dfd0170358..88afea80be2d7 100644 --- a/presto-pinot-toolkit/src/main/java/com/facebook/presto/pinot/query/PinotProxyGrpcRequestBuilder.java +++ b/presto-pinot-toolkit/src/main/java/com/facebook/presto/pinot/query/PinotProxyGrpcRequestBuilder.java @@ -16,7 +16,7 @@ import com.facebook.presto.pinot.PinotErrorCode; import com.facebook.presto.pinot.PinotException; import org.apache.pinot.common.proto.Server; -import org.apache.pinot.common.utils.grpc.GrpcRequestBuilder; +import org.apache.pinot.common.utils.grpc.ServerGrpcRequestBuilder; import org.apache.pinot.spi.utils.CommonConstants; import java.util.HashMap; @@ -25,7 +25,7 @@ import java.util.Optional; public class PinotProxyGrpcRequestBuilder - extends GrpcRequestBuilder + extends ServerGrpcRequestBuilder { private static final String KEY_OF_PROXY_GRPC_FORWARD_HOST = "FORWARD_HOST"; private static final String KEY_OF_PROXY_GRPC_FORWARD_PORT = "FORWARD_PORT"; diff --git a/presto-pinot-toolkit/src/test/java/com/facebook/presto/pinot/TestPinotSegmentPageSource.java b/presto-pinot-toolkit/src/test/java/com/facebook/presto/pinot/TestPinotSegmentPageSource.java index a6b98514a191d..56a9676d7e655 100644 --- a/presto-pinot-toolkit/src/test/java/com/facebook/presto/pinot/TestPinotSegmentPageSource.java +++ b/presto-pinot-toolkit/src/test/java/com/facebook/presto/pinot/TestPinotSegmentPageSource.java @@ -34,11 +34,12 @@ import org.apache.pinot.common.datatable.DataTable; import org.apache.pinot.common.proto.Server; import org.apache.pinot.common.utils.DataSchema; -import org.apache.pinot.common.utils.grpc.GrpcRequestBuilder; +import org.apache.pinot.common.utils.grpc.ServerGrpcRequestBuilder; import org.apache.pinot.core.common.datatable.DataTableBuilder; import org.apache.pinot.core.common.datatable.DataTableBuilderV4; import org.apache.pinot.spi.data.DimensionFieldSpec; import org.apache.pinot.spi.data.FieldSpec; +import org.apache.pinot.spi.utils.ByteArray; import org.apache.pinot.spi.utils.CommonConstants; import org.testng.annotations.Test; @@ -172,9 +173,6 @@ protected static DataTable createDataTableWithAllTypes() case STRING: dataTableBuilder.setColumn(colId, generateRandomStringWithLength(RANDOM.nextInt(20))); break; - case OBJECT: - dataTableBuilder.setColumn(colId, (Object) RANDOM.nextDouble()); - break; case BOOLEAN_ARRAY: int length = RANDOM.nextInt(20); int[] booleanArray = new int[length]; @@ -233,7 +231,7 @@ protected static DataTable createDataTableWithAllTypes() case BYTES: try { dataTableBuilder.setColumn(colId, - Hex.decodeHex("0DE0B6B3A7640000".toCharArray())); // Hex of BigDecimal.ONE + new ByteArray(Hex.decodeHex("0DE0B6B3A7640000".toCharArray()))); // Hex of BigDecimal.ONE } catch (DecoderException e) { throw new RuntimeException(e); @@ -425,7 +423,7 @@ public void testPinotProxyGrpcRequest() @Test public void testPinotGrpcRequest() { - final Server.ServerRequest grpcRequest = new GrpcRequestBuilder() + final Server.ServerRequest grpcRequest = new ServerGrpcRequestBuilder() .setSegments(ImmutableList.of("segment1")) .setEnableStreaming(true) .setRequestId(121) @@ -435,12 +433,13 @@ public void testPinotGrpcRequest() Assert.assertEquals(grpcRequest.getSql(), "SELECT * FROM myTable"); Assert.assertEquals(grpcRequest.getSegmentsCount(), 1); Assert.assertEquals(grpcRequest.getSegments(0), "segment1"); - Assert.assertEquals(grpcRequest.getMetadataCount(), 5); + Assert.assertEquals(grpcRequest.getMetadataCount(), 6); Assert.assertEquals(grpcRequest.getMetadataOrThrow(CommonConstants.Query.Request.MetadataKeys.REQUEST_ID), "121"); Assert.assertEquals(grpcRequest.getMetadataOrThrow(CommonConstants.Query.Request.MetadataKeys.BROKER_ID), "presto-coordinator-grpc"); Assert.assertEquals(grpcRequest.getMetadataOrThrow(CommonConstants.Query.Request.MetadataKeys.ENABLE_TRACE), "false"); Assert.assertEquals(grpcRequest.getMetadataOrThrow(CommonConstants.Query.Request.MetadataKeys.ENABLE_STREAMING), "true"); Assert.assertEquals(grpcRequest.getMetadataOrThrow(CommonConstants.Query.Request.MetadataKeys.PAYLOAD_TYPE), "sql"); + Assert.assertEquals(grpcRequest.getMetadataOrThrow(CommonConstants.Query.Request.MetadataKeys.CORRELATION_ID), "121"); } private static final class TestingPinotStreamingQueryClient @@ -455,7 +454,7 @@ private static final class TestingPinotStreamingQueryClient } @Override - public Iterator submit(String host, int port, GrpcRequestBuilder requestBuilder) + public Iterator submit(String host, int port, ServerGrpcRequestBuilder requestBuilder) { return new Iterator() { From a890c6952b1f0116e929aedb303bd760ed2cffde Mon Sep 17 00:00:00 2001 From: Sayari Mukherjee Date: Mon, 29 Dec 2025 12:36:53 +0530 Subject: [PATCH 2/2] fix(security): Override vulnerable lz4-java dependency to address CVE-2025-66566 --- presto-pinot-toolkit/pom.xml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/presto-pinot-toolkit/pom.xml b/presto-pinot-toolkit/pom.xml index 2168852e9f82b..507085270ab01 100644 --- a/presto-pinot-toolkit/pom.xml +++ b/presto-pinot-toolkit/pom.xml @@ -108,9 +108,21 @@ org.glassfish.hk2.external aopalliance-repackaged + + org.lz4 + lz4-java + + + + at.yawk.lz4 + lz4-java + 1.10.2 + runtime + + org.apache.pinot pinot-core