KalleOlaviNiemitalo commented on code in PR #3403: URL: https://github.com/apache/avro/pull/3403#discussion_r2148252385
########## doc/content/en/project/Security/_index.md: ########## 
@@ -26,4 +26,40 @@ manualLink: https://www.apache.org/security/ --> -Apache Avro project shares the same security policy as the [Apache Software Foundation](https://www.apache.org/security/) +Security Policy +=============== + +Apache Avro project shares the same security policy as +the [Apache Software Foundation](https://www.apache.org/security/). + + +Security Model +============== + +The Avro library implementations are designed to read and write any data conforming +to a schema. Transport is outside the scope of the Avro library: applications using +Avro should be surrounded by security measures that prevent attackers from writing +random data and otherwise interfering with the consumers of schemas. + +Although the Avro library will not read or write data except as directed to by +invoking it, avoiding leaking data into a side channel like log files is a non-goal +security-wise for Avro. This means, for example, that you will need to catch and +handle exceptions instead of simply writing them to a log file. + +In some cases, like schema parsing, type conversions and based on explicit schema +properties, Avro can execute code provided by the environment. Avro has opt-in +mechanisms for code that is eligible for execution. Applications using Avro should +have a secured supply chain, ensuring code registered to be executed is safe. This +supply chain also includes the schemas being used: if they are user provided, +additional validation is strongly advised. Review Comment: It would be convenient if the Avro libraries ensured that it is safe to parse an arbitrary schema, as long as no data is encoded or decoded using the schema. That would allow applications to implement the "additional validation" on the pre-parsed schema, rather than requiring separate hardened parsers for Avro schemas in JSON and IDL formats just for validation purposes. -- This is an automated message from the Apache Git Service. 
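Review bot: In the Security Model section, the sentence "you will need to catch and handle exceptions instead of simply writing them to a log file" does not follow from the non-goal stated just before it; state the reason: exceptions raised while parsing a schema or decoding data may carry fragments of that schema or data in their messages, so logging them verbatim can leak the very content the application is trying to protect, and the application must sanitize or suppress such messages before they reach a log. In the same section, "prevent attackers from writing random data" understates the threat; "untrusted or crafted data" better matches the point that the library trusts whatever input it is given. The paragraph on code execution asserts that "Avro has opt-in mechanisms for code that is eligible for execution" without naming them; list or link the mechanisms for each implementation (the hunk mentions schema parsing, type conversions and explicit schema properties as the cases), so that readers can audit which ones their deployment has enabled. Minor: "Apache Avro project shares" should read "The Apache Avro project shares" in the policy text, and the two blank lines before "Security Model" can be reduced to one to match the single blank line used elsewhere.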
