code injection vulnerability of alluxio.util.ShellUtils.isAlluxioRunning

[ACE-777]

Alluxio Version:
Version from 2.3.0 until the latest(2.9.3).

Describe the bug
Passing className with pipe and other command after className of unix shell as parameter of alluxio.util.ShellUtils.isAlluxioRunning(java.lang.String) can inject malicious commands.
For example, the following code ShellUtils.isAlluxioRunning("qwert | /usr/bin/gnome-calculator")
would finally execute bash -c ps -Aww -o command | grep -i \"[j]ava\" | grep qwert | /usr/bin/gnome-calculator. Malicious code will open Calculator.

To Reproduce
Just execute ShellUtils.isAlluxioRunning("qwert | /usr/bin/gnome-calculator") would reproduce it.

Urgency
Due to this vulnerability, any malicious code can be executed, so the impact is large.

Are you planning to fix it
I haven’t started working on PR yet and most likely I don’t plan to.

Additional context
For example if you have root rights you can execute ShellUtils.isAlluxioRunning("qwert | cd ../../../../../ | rm -rf /"), that all files in the system root directory have been deleted, which is extremely dangerous

[YichuanSun]

Good question, would you like to fix it? Thanks!