Thanks for the feedback. Now that I have spent some more time on the code
it seems that the potential security issues (that are already covered by
the latest CVE fix) are not only related to the reflect feature.
The issue is with the properties "java-class" and "java-key-class" in the
Avro schema that is written into the Parquet file. Both the specific and
the reflect data models use these properties.
So, the removal of the reflect data model would not save us from the
requirement of guarding the system from loading/instantiating arbitrary
classes whose references come from the Parquet file directly.

Gabor

Ryan Blue <[email protected]> wrote (on Mon, 14 Apr 2025, 17:31):

> +1 for removing the reflect functionality.
>
> On Mon, Apr 14, 2025 at 7:49 AM Steve Loughran <[email protected]> wrote:
>
> > +1 for cutting.
> >
> > even with the restricted package list, there are still vulnerabilities, or
> > the risk of some. As an example, when you go new URL("http://somehostname.example.org"),
> > that triggers an nslookup of "somehostname.example.org". This means it is
> > leaking information, even if not an RCE.
> >
> > On Mon, 14 Apr 2025 at 10:35, Fokko Driesprong <[email protected]> wrote:
> >
> > > Hey Gábor,
> > >
> > > Thanks for bringing this up, and I would be in favor of removing it
> > > because of the security implications. I've created a draft PR
> > > <https://github.com/apache/parquet-java/pull/3192> to locally publish the
> > > artifact with reflect missing. With this version, I've tested against the
> > > Iceberg codebase, and it looks like we don't rely on that part.
> > >
> > > Kind regards,
> > > Fokko Driesprong
> > >
> > > On Mon, 14 Apr 2025 at 09:24, Gábor Szádovszky <[email protected]> wrote:
> > >
> > > > Dear Parquet devs/users,
> > > >
> > > > In the light of the recent security concerns about the parquet-avro
> > > > reflect feature (see CVE-2025-30065), I would like to start a discussion
> > > > about its deprecation in the next minor parquet-java release, and the
> > > > removal in the next major release.
> > > >
> > > > The parquet-avro module [1] in parquet-java is to use the Avro data
> > > > model for reading/writing Parquet data. The reflect feature is to
> > > > support mapping Parquet data to arbitrary Java objects via reflection.
> > > > The two additional mapping solutions (code generation and the generic
> > > > API) would remain supported in parquet-java.
> > > >
> > > > Cheers,
> > > > Gabor
> > > >
> > > > [1] https://github.com/apache/parquet-java/tree/master/parquet-avro
> > > >
> > >
> >
>
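As an added illustration of Gabor's point above (this is example code, not code from the thread or from parquet-java): a defensive pre-check that walks the Avro schema a Parquet file carries in its metadata and reports every "java-class" / "java-key-class" style property naming a class outside an allowed package, so a reader can refuse the file before any class is loaded. The sample schema, the allowed prefix `org.example.model.` and the class `java.io.File` are constructed for the example.

```python
import json

# Avro schema properties that name a Java class for the reader to load.
# "java-class" and "java-key-class" are the two named in the thread; Avro's
# reflect support also uses "java-element-class" for array elements.
CLASS_PROPS = ("java-class", "java-key-class", "java-element-class")


def find_class_props(schema, path="$"):
    """Walk a parsed Avro schema (output of json.loads) and yield
    (path, property, class_name) for every class-naming property found."""
    if isinstance(schema, str):                      # primitive or type name
        return
    if isinstance(schema, list):                     # union: visit each branch
        for i, branch in enumerate(schema):
            yield from find_class_props(branch, f"{path}|{i}")
        return
    for prop in CLASS_PROPS:                         # props on this node
        if prop in schema:
            yield path, prop, schema[prop]
    t = schema.get("type")
    if t == "record":
        for f in schema.get("fields", []):           # field dicts carry "type"
            yield from find_class_props(f, f"{path}.{f['name']}")
    elif t in ("array", "map"):
        inner = schema.get("items" if t == "array" else "values")
        if inner is not None:
            yield from find_class_props(inner, path + ("[]" if t == "array" else "{}"))
    elif isinstance(t, (dict, list)):                # schema nested under "type"
        yield from find_class_props(t, path)


def check_schema(schema_json, allowed_prefixes):
    """Return the class-naming properties whose class is outside the allowed
    packages; an empty list means no unexpected class would be loaded."""
    return [hit for hit in find_class_props(json.loads(schema_json))
            if not hit[2].startswith(tuple(allowed_prefixes))]


# Constructed sample of an "avro.schema" string as stored in Parquet metadata.
SAMPLE_SCHEMA = json.dumps({
    "type": "record", "name": "Event", "namespace": "org.example.model",
    "fields": [
        {"name": "id", "type": "long"},
        {"name": "ident", "type": {"type": "string",
                                   "java-class": "org.example.model.Ident"}},
        {"name": "home", "type": ["null", {"type": "string",
                                           "java-class": "java.net.URL"}]},
        {"name": "attrs", "type": {"type": "map", "values": "string",
                                   "java-key-class": "java.io.File"}},
    ],
})
```

Running `check_schema(SAMPLE_SCHEMA, ["org.example.model."])` flags the `java.net.URL` and `java.io.File` entries while accepting the application's own `Ident` class; the point is that the check runs on the JSON alone, before any data model touches the schema.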
