nandorKollar commented on code in PR #3376:
URL: https://github.com/apache/avro/pull/3376#discussion_r2080529075
##########
lang/java/avro/src/main/java/org/apache/avro/specific/SpecificDatumReader.java:
##########
@@ -133,6 +148,12 @@ private void checkSecurity(Class clazz) throws
ClassNotFoundException {
return;
}
+ for (String trustedClass : getTrustedClasses()) {
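Review bot: the added `for (String trustedClass : getTrustedClasses())` loop in `checkSecurity(Class clazz)` does not show how an entry is matched; document on `getTrustedClasses()` whether entries are exact fully-qualified class names or prefixes. If they are exact names, a set lookup on `clazz.getName()` would state that intent directly and avoid a linear scan on every check.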
Review Comment:
Can we maybe perform this security check before loading the class? Instead of
```
Class clazz = ClassUtils.forName(getData().getClassLoader(), name);
checkSecurity(clazz);
```
we can do
```
checkSecurity(name);
Class clazz = ClassUtils.forName(getData().getClassLoader(), name);
```
Eventually, we can tell the result of the security check by inspecting the
name of the class, there's no need to load it with the ClassLoader, no? It appears
that a similar approach was taken in Parquet too.
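Why the order of the two calls matters, as an added example that is not part of the original comment or of Avro's code: `Class.forName(String)` initializes the class it resolves, so a check that runs afterwards rejects the class only after its static initializer has executed. `TRUSTED`, `Untrusted` and the helper methods are constructed for illustration, and plain `Class.forName` stands in for `ClassUtils.forName`, whose initialization behaviour is not shown on this page.

```java
import java.util.Set;

public class CheckBeforeLoad {
    // Constructed stand-in for a trusted-class list; not Avro's configuration.
    static final Set<String> TRUSTED = Set.of("java.lang.String", "java.math.BigDecimal");

    // Flipped by the static initializer below so the side effect is observable.
    static boolean initializerRan = false;

    // Constructed untrusted class: its static block runs when the class is initialized.
    static class Untrusted {
        static { initializerRan = true; }
    }

    // Name-based check: needs only the string, so it can run before any class loading.
    static void checkSecurity(String name) {
        if (!TRUSTED.contains(name)) {
            throw new SecurityException("Forbidden " + name);
        }
    }

    // Order from the first snippet in the comment: resolve the class, then check it.
    static Class<?> loadThenCheck(String name) throws ClassNotFoundException {
        Class<?> clazz = Class.forName(name); // loads and initializes the class
        checkSecurity(clazz.getName());
        return clazz;
    }

    // Order proposed in the comment: check the name, then resolve the class.
    static Class<?> checkThenLoad(String name) throws ClassNotFoundException {
        checkSecurity(name);
        return Class.forName(name);
    }

    // Runs one ordering, swallows the expected rejection, reports the side effect.
    static boolean initializedAfter(boolean checkFirst, String name) throws Exception {
        try {
            if (checkFirst) checkThenLoad(name); else loadThenCheck(name);
        } catch (SecurityException expected) {
            // Both orderings reject the class; only the side effect differs.
        }
        return initializerRan;
    }

    public static void main(String[] args) throws Exception {
        // A class literal does not initialize the class, so the flag starts false.
        String name = Untrusted.class.getName();
        System.out.println("check-then-load initialized class: " + initializedAfter(true, name));
        System.out.println("load-then-check initialized class: " + initializedAfter(false, name));
    }
}
```

The check-first call has to run before the load-first call in `main`, because a class is initialized only once per class loader.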