[ https://issues.apache.org/jira/browse/AVRO-3985?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17842987#comment-17842987 ]
Jean-Baptiste Onofré commented on AVRO-3985:
--------------------------------------------

Sorry if I wasn't clear. I'm working on a PR right now.

> Restrict trusted packages in ReflectData and SpecificData
> ---------------------------------------------------------
>
>                 Key: AVRO-3985
>                 URL: https://issues.apache.org/jira/browse/AVRO-3985
>             Project: Apache Avro
>          Issue Type: Improvement
>          Components: java
>            Reporter: Jean-Baptiste Onofré
>            Priority: Major
>             Fix For: 1.12.0, 1.11.4
>
>
> Right now, there's no check in allowed packages in {{ReflectData}} and
> {{SpecificData}}.
> That could be problematic for marshalling/unmarshalling, as a malicious
> payload can exploit the host system.
> I propose to introduce a {{org.apache.avro.TRUSTED_PACKAGES}} system property:
> {code:java}
> -Dorg.apache.avro.TRUSTED_PACKAGES=java.lang,javax.security,java.util,...{code}
> In case we want to shortcut the mechanism, we would be able to allow all
> packages to be trusted using {{*}} wildcard:
> {code:java}
> -Dorg.apache.avro.TRUSTED_PACKAGES=*{code}
> By default, I would recommend to have limited trusted packages:
> {{java.lang,javax.security,java.util,org.apache.avro}}.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
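
The allowlist check proposed in the issue, sketched as an added example that is not part of the Jira message and not Apache Avro's own code. The class name `TrustedPackagesDemo`, its helper methods, and the rule that an entry also covers its subpackages are assumptions; the property name, the `*` wildcard and the default list come from the issue text.

```java
import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;

// Added illustration; not Apache Avro's implementation.
public class TrustedPackagesDemo { // hypothetical class name
    // Property name and default list are taken from the issue text.
    static final String PROP = "org.apache.avro.TRUSTED_PACKAGES";
    static final String DEFAULT = "java.lang,javax.security,java.util,org.apache.avro";

    static List<String> trustedPackages() {
        return Arrays.stream(System.getProperty(PROP, DEFAULT).split(","))
                .map(String::trim).filter(s -> !s.isEmpty())
                .collect(Collectors.toList());
    }

    // Assumption: an entry trusts that package and its subpackages.
    // Matching on a dot boundary keeps "java.util" from covering "java.utilities".
    static boolean isTrusted(String className, List<String> trusted) {
        if (trusted.contains("*")) return true; // wildcard from the issue: trust everything
        int lastDot = className.lastIndexOf('.');
        String pkg = lastDot < 0 ? "" : className.substring(0, lastDot);
        for (String t : trusted) {
            if (pkg.equals(t) || pkg.startsWith(t + ".")) return true;
        }
        return false;
    }

    // Check the class name taken from the payload before the class is loaded.
    static Class<?> loadTrusted(String className) throws ClassNotFoundException {
        if (!isTrusted(className, trustedPackages())) {
            throw new SecurityException("Class not in trusted packages: " + className);
        }
        // initialize=false: the lookup itself runs no static initializer
        return Class.forName(className, false, TrustedPackagesDemo.class.getClassLoader());
    }

    public static void main(String[] args) {
        // Constructed sample class names; the last two are not real classes.
        String[] names = {"java.util.ArrayList", "java.utilities.Lookalike", "com.example.Payload"};
        for (String name : names) {
            try {
                System.out.println("loaded   " + loadTrusted(name).getName());
            } catch (SecurityException | ClassNotFoundException e) {
                System.out.println("rejected " + name + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Running it with `-Dorg.apache.avro.TRUSTED_PACKAGES=*` disables the package check, so the untrusted names then fail only because those constructed classes do not exist.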