[PR] fix(schema): return Err instead of panicking on invalid name/alias/type-ref (#547) [avro-rs]

Sun, 31 May 2026 23:13:10 -0700 


youichi-uda opened a new pull request, #548:
URL: https://github.com/apache/avro-rs/pull/548

   ## What
   
   `Schema::parse_str` / `Schema::parse` panicked (instead of returning `Err`) 
when a schema's **alias**, **type reference**, or **nested type name** was not 
a valid Avro identifier. Three sites in `schema/parser.rs` called name 
constructors that already return `AvroResult` and then `unwrap()`-ed them:
   
   - `get_already_seen_schema` — `Name::new_with_enclosing_namespace(typ, 
ns).unwrap()`
   - `fix_aliases_namespace` — `Alias::new(alias).unwrap()`
   - `get_schema_type_name` — `Name::new(name).unwrap()`
   
   Because `parse_str` is a `Result`-returning public API, a caller's `?` / 
`map_err` cannot catch the unwind, so parsing untrusted schema JSON is a 
denial-of-service. This is the sibling of the `Name::parse` fix in #496 (which 
covered only the top-level `name` field).
   
   Fixes #547.
   
   ## Reproduction (before)
   
   ```rust
   let _ = 
apache_avro::Schema::parse_str(r#"{"type":"record","name":"R","aliases":[":"],"fields":[]}"#);
   // thread 'main' panicked at avro/src/schema/parser.rs:812:57:
   // called `Result::unwrap()` on an `Err` value: Invalid schema name :. ...
   ```
   
   Reproduces on `main` and on every release 0.17.0–0.21.0.
   
   ## How
   
   Propagate / gracefully handle the validation error instead of unwrapping:
   
   - **`get_already_seen_schema`** → `.ok()?`: an unparseable type name cannot 
match an already-seen schema, so treat it as "not seen"; the real validation 
error is still surfaced by the normal parse path.
   - **`fix_aliases_namespace`** → returns `AvroResult<Aliases>` and propagates 
(`?` added at the 3 call sites). An invalid alias is a schema error.
   - **`get_schema_type_name`** → `unwrap_or(name)`: fall back to the enclosing 
name, matching the existing `_ => name` arm.
   
   No public API change. `Schema::parse_str` already returns `AvroResult`; 
these inputs now return `Err` instead of panicking.
   
   ## Tests
   
   - New `tests/avro-rs-547.rs`: invalid aliases / nested names / type 
references all return `Err` (would panic before), plus a positive case ensuring 
valid namespace-qualified aliases still parse.
   - `cargo test -p apache-avro` (lib + integration) passes; `cargo fmt 
--check` and `cargo clippy` clean.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to