alibabacloud-dataworks-datastudio-develop
Audited by Socket on Jun 18, 2026
2 alerts found:
Anomalyx2This fragment configures long-lived, scheduled execution of a shell-based node where the actual executed command and script behavior are not present in the snippet (script.content empty; runtime.command is a placeholder-like value likely resolved externally). While there are no explicit indicators of credential theft, network exfiltration, or destructive actions within this configuration alone, the combination of automated shell execution, external command resolution, wide scheduling window, and output propagation represents a moderate supply-chain security risk. Review and verify the resolved value behind “CONTROLLER_ASSIGNMENT”, the contents of the “assignment_shell” script, and how ODPS data and outputs are handled to rule out command injection, persistence, or data leakage.
No explicit malware is present in the shell orchestration itself, but the script functions as a high-impact execution vehicle: it uploads and immediately runs an online DataWorks workflow whose behavior is fully determined by unvalidated JSON files read from mutable /tmp. If those JSON artifacts are tampered with, the resulting pipeline could perform unauthorized or malicious actions in the target DataWorks environment. This should be treated as a deployment integrity/supply-chain trust issue requiring strong input integrity controls (e.g., immutable artifact storage, signatures/checksums, strict permissions, and validation) before running Online.