(cache)[AVRO-3985] Restrict trusted packages in ReflectData and SpecificData - ASF JIRA

Details

Type: Improvement
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 1.12.0, 1.11.4
Component/s: java
Labels:
- pull-request-available

Description

Right now, there's no check in allowed packages in ReflectData and SpecificData.

That could be problematic for marshalling/unmarshalling, as the as malicious payload can exploit the host system.

I propose to introduce a org.apache.avro.TRUSTED_PACKAGES system property:

-Dorg.apache.avro.TRUSTED_PACKAGES=my.package,my.other.package,...

In case we want to shortcut the mechanism, we would be able to allow all packages to be trusted using * wildcard:

-Dorg.apache.avro.TRUSTED_PACKAGES=*

By default, I would recommend to have limited trusted packages: java.lang,javax.security,java.util,org.apache.avro.

Attachments

Issue Links

links to

GitHub Pull Request #2934

GitHub Pull Request #2980

GitHub Pull Request #3311

GitHub Pull Request #3330

GitHub Pull Request #3333

Activity

Ascending order - Click to sort in descending order

Oscar Westra van Holthe - Kind added a comment - 02/May/24 13:43

I'm confused... one the one hand, the org.apache.avro.TRUSTED_PACKAGES property seems to be a whitelist of packages we allow to be used.

However, this does not match with the suggested value of "java.lang,javax.security,java.util,org.apache.avro", as these are are packages I think users are not allowed to use.

Is the intent to ensure we allow reflection in ReflectData and SpecificData to only use trusted packages?

Oscar Westra van Holthe - Kind added a comment - 02/May/24 13:43 I'm confused... one the one hand, the org.apache.avro.TRUSTED_PACKAGES property seems to be a whitelist of packages we allow to be used. However, this does not match with the suggested value of "java.lang,javax.security,java.util,org.apache.avro" , as these are are packages I think users are not allowed to use. Is the intent to ensure we allow reflection in ReflectData and SpecificData to only use trusted packages?

Jean-Baptiste Onofré added a comment - 02/May/24 13:51 - edited

opwvhk I'm proposing the opposite: don't trust any package by default and "invite" the user to clearly state the packages he trusts.

For the context, I did a similar implementation in ActiveMQ (https://activemq.apache.org/components/classic/documentation/objectmessage).

Jean-Baptiste Onofré added a comment - 02/May/24 13:51 - edited opwvhk I'm proposing the opposite: don't trust any package by default and "invite" the user to clearly state the packages he trusts. For the context, I did a similar implementation in ActiveMQ ( https://activemq.apache.org/components/classic/documentation/objectmessage ).

Oscar Westra van Holthe - Kind added a comment - 02/May/24 14:25

Yes, that's what I thought. But the first example is to allow packages a user is not supposed to use for their data...

Oscar Westra van Holthe - Kind added a comment - 02/May/24 14:25 Yes, that's what I thought. But the first example is to allow packages a user is not supposed to use for their data...

Jean-Baptiste Onofré added a comment - 02/May/24 14:30 - edited

Sorry if I wasn't clear. I'm working on a PR right now.

I've updated the Jira description to avoid confusion.

Jean-Baptiste Onofré added a comment - 02/May/24 14:30 - edited Sorry if I wasn't clear. I'm working on a PR right now. I've updated the Jira description to avoid confusion.

ASF subversion and git services added a comment - 04/Jul/24 12:47

Commit f6b3bd7e50e6e09fedddb98c61558c022ba31285 in avro's branch refs/heads/dependabot/cargo/lang/rust/env_logger-0.11.3 from JB Onofré
[ https://gitbox.apache.org/repos/asf?p=avro.git;h=f6b3bd7e5 ]

~~AVRO-3985~~: Add trusted packages support in SpecificData (#2934)

~~AVRO-3985~~: Add trusted packages support in SpecificData

Apply suggestions from code review

Co-authored-by: Martin Grigorov <martin-g@users.noreply.github.com>

Move to SecurityException

Remove redundant import

---------

Co-authored-by: Fokko Driesprong <fokko@apache.org>
Co-authored-by: Martin Grigorov <martin-g@users.noreply.github.com>

ASF subversion and git services added a comment - 04/Jul/24 12:47 Commit f6b3bd7e50e6e09fedddb98c61558c022ba31285 in avro's branch refs/heads/dependabot/cargo/lang/rust/env_logger-0.11.3 from JB Onofré [ https://gitbox.apache.org/repos/asf?p=avro.git;h=f6b3bd7e5 ] AVRO-3985 : Add trusted packages support in SpecificData (#2934) AVRO-3985 : Add trusted packages support in SpecificData Apply suggestions from code review Co-authored-by: Martin Grigorov <martin-g@users.noreply.github.com> Move to SecurityException Remove redundant import --------- Co-authored-by: Fokko Driesprong <fokko@apache.org> Co-authored-by: Martin Grigorov <martin-g@users.noreply.github.com>

ASF subversion and git services added a comment - 22/Mar/25 01:35

Commit 46ea9330b9e533aef0b14ed09e39479e1cf786c0 in avro's branch refs/heads/main from JB Onofré
[ https://gitbox.apache.org/repos/asf?p=avro.git;h=46ea9330b ]

~~AVRO-3985~~: Apply trusted packages check on SpecificDatumReader(data) constructor (#3330)

ASF subversion and git services added a comment - 22/Mar/25 01:35 Commit 46ea9330b9e533aef0b14ed09e39479e1cf786c0 in avro's branch refs/heads/main from JB Onofré [ https://gitbox.apache.org/repos/asf?p=avro.git;h=46ea9330b ] AVRO-3985 : Apply trusted packages check on SpecificDatumReader(data) constructor (#3330)

People

Assignee:: Unassigned

Reporter:: Jean-Baptiste Onofré

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 02/May/24 12:05

Updated:: 25/Mar/25 06:00

Resolved:: 24/Jun/24 20:38

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

7h 10m

Apache Avro