Copilot commented on code in PR #3525:
URL: https://github.com/apache/avro/pull/3525#discussion_r2447336979
##########
lang/java/avro/src/main/java/org/apache/avro/specific/SpecificDatumReader.java:
##########
@@ -39,47 +37,20 @@
public class SpecificDatumReader<T> extends GenericDatumReader<T> {
/**
- * @deprecated prefer to use {@link #SERIALIZABLE_CLASSES} instead.
+ * @deprecated Use {@link SystemPropertiesPredicate} instead.
+ * @see ClassSecurityValidator
*/
@Deprecated
- public static final String[] SERIALIZABLE_PACKAGES;
-
- public static final String[] SERIALIZABLE_CLASSES;
-
- static {
- // no serializable classes by default
- SERIALIZABLE_CLASSES =
streamPropertyEntries(System.getProperty("org.apache.avro.SERIALIZABLE_CLASSES"))
- .toArray(String[]::new);
-
- // no serializable packages by default
- SERIALIZABLE_PACKAGES =
streamPropertyEntries(System.getProperty("org.apache.avro.SERIALIZABLE_PACKAGES"))
- // Add a '.' suffix to ensure we'll be matching package names instead
of
- // arbitrary prefixes, except for the wildcard "*", which allows all
- // packages (this is only safe in fully controlled environments!).
- .map(entry -> "*".equals(entry) ? entry : entry +
".").toArray(String[]::new);
- }
+ public static final String[] SERIALIZABLE_PACKAGES =
SystemPropertiesPredicate.SERIALIZABLE_PACKAGES
+ .toArray(new String[0]);
/**
- * Parse a comma separated list into non-empty entries. Leading and trailing
- * whitespace is stripped.
- *
- * @param commaSeparatedEntries the comma separated list of entries
- * @return a stream of the entries
+ * @deprecated Use {@link SystemPropertiesPredicate} instead.
+ * @see ClassSecurityValidator
*/
- private static Stream<String> streamPropertyEntries(String
commaSeparatedEntries) {
- if (commaSeparatedEntries == null) {
- return Stream.empty();
- }
- return
Stream.of(commaSeparatedEntries.split(",")).map(String::strip).filter(s ->
!s.isEmpty());
- }
-
- // The primitive "class names" based on Class.isPrimitive()
- private static final Set<String> PRIMITIVES = new
HashSet<>(Arrays.asList(Boolean.TYPE.getName(),
- Character.TYPE.getName(), Byte.TYPE.getName(), Short.TYPE.getName(),
Integer.TYPE.getName(), Long.TYPE.getName(),
- Float.TYPE.getName(), Double.TYPE.getName(), Void.TYPE.getName()));
-
- private final List<String> trustedPackages = new ArrayList<>();
- private final List<String> trustedClasses = new ArrayList<>();
+ @Deprecated
+ public static final String[] SERIALIZABLE_CLASSES =
SystemPropertiesPredicate.SERIALIZABLE_PACKAGES
Review Comment:
The `SERIALIZABLE_CLASSES` constant is incorrectly initialized with
`SERIALIZABLE_PACKAGES` instead of `SERIALIZABLE_CLASSES`. This should be
`SystemPropertiesPredicate.SERIALIZABLE_CLASSES.toArray(new String[0])`.
```suggestion
public static final String[] SERIALIZABLE_CLASSES =
SystemPropertiesPredicate.SERIALIZABLE_CLASSES
```
##########
lang/java/avro/src/main/java/org/apache/avro/util/ClassUtils.java:
##########
@@ -92,7 +92,10 @@ private static Class<?> forName(String className,
ClassLoader classLoader) {
Class<?> c = null;
if (classLoader != null && className != null) {
try {
- c = Class.forName(className, true, classLoader);
+ // Load the class without initializing it so we can distinguish between
+ // ClassNotFoundException and SecurityException may be thrown by the
validator.
Review Comment:
[nitpick] Corrected grammar in the comment: 'ClassNotFoundException and
SecurityException may be thrown' should be 'ClassNotFoundException and
SecurityException that may be thrown'.
```suggestion
// ClassNotFoundException and SecurityException that may be thrown
by the validator.
```
##########
lang/java/avro/src/main/java/org/apache/avro/util/ClassSecurityValidator.java:
##########
@@ -0,0 +1,254 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.avro.util;
+
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.NavigableSet;
+import java.util.Objects;
+import java.util.Set;
+import java.util.TreeSet;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
+
+/**
+ * Validates that a class is trusted to be included in Avro schemas. To be used
+ * by {@link ClassUtils} which therefore automatically guards not only the
+ * loading of the classes but, since the class names are translated into
+ * {@link Class} objects by using {@link ClassUtils}, also guards any other
+ * reflection-based mechanisms (e.g. instantiation, setting internal
variables).
+ *
+ * @see #setGlobal(ClassSecurityPredicate)
+ * @see #getGlobal()
+ */
+public final class ClassSecurityValidator {
+
+ /**
+ * Validates that the class is trusted to be included in Avro schemas.
+ *
+ * <p>
+ * Note: this method shall be invoked with un-initialized classes only to
+ * prevent any potential security issues the initialization may trigger.
+ *
+ * @param clazz the class to validate
+ * @throws SecurityException if the class is not trusted
+ */
+ public static void validate(Class<?> clazz) {
+ while (clazz.isArray()) {
+ clazz = clazz.getComponentType();
+ }
+ if (clazz.isPrimitive()) {
+ return;
+ }
+ if (!globalInstance.isTrusted(clazz)) {
+ globalInstance.forbiddenClass(clazz.getName());
+ }
+ }
+
+ /**
+ * Sets the global {@link ClassSecurityPredicate} that is used by
+ * {@link ClassUtils} to validate the trusted classes.
+ *
+ * @param validator the validator to use
+ */
+ public static void setGlobal(ClassSecurityPredicate validator) {
+ globalInstance = Objects.requireNonNull(validator);
+ }
+
+ /**
+ * Returns the global {@link ClassSecurityPredicate} that is used by
+ * {@link ClassUtils} to validate the trusted classes.
+ *
+ * @return the global validator
+ */
+ public static ClassSecurityPredicate getGlobal() {
+ return globalInstance;
+ }
+
+ private ClassSecurityValidator() {
+ }
+
+ /**
+ * A predicate that checks if a class is trusted to be included in Avro
schemas.
+ */
+ public interface ClassSecurityPredicate {
+ /**
+ * Checks if the class is trusted to be included in Avro schemas.
+ *
+ * @param clazz the class to check
+ * @return true if the class is trusted, false otherwise
+ */
+ boolean isTrusted(Class<?> clazz);
+
+ /**
+ * Throws a {@link SecurityException} with a message indicating that the
class
+ * is not trusted to be included in Avro schemas.
+ *
+ * @param className the name of the class that is not trusted
+ */
+ default void forbiddenClass(String className) {
+ throw new SecurityException("Forbidden " + className + "! This class is
not trusted to be included in Avro "
+ + "schemas. You may either use the system properties
org.apache.avro.SERIALIZABLE_CLASSES and "
+ + "org.apache.avro.SERIALIZABLE_PACKAGES to set the comma separated
list of the classes or packages you trust, "
+ + "or you can set them via the API (see
org.apache.avro.util.ReflectDataValidator).");
Review Comment:
The error message references `org.apache.avro.util.ReflectDataValidator`,
which doesn't exist in the codebase. This should reference
`org.apache.avro.util.ClassSecurityValidator` instead.
```suggestion
+ "or you can set them via the API (see
org.apache.avro.util.ClassSecurityValidator).");
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
