Re: [PR] AVRO-4236: [doc] Update security model for Avro IPC [avro]

Tue, 10 Mar 2026 09:30:36 -0700 


lf- commented on code in PR #3681:
URL: https://github.com/apache/avro/pull/3681#discussion_r2912990938


##########
doc/content/en/project/Security/_index.md:
##########
@@ -38,7 +38,8 @@ Security Model
 The Avro library implementations are designed to read and write any data 
conforming
 to a schema. Transport is outside the scope of the Avro library: applications 
using
 Avro should be surrounded by security measures that prevent attackers from 
writing
-random data and otherwise interfering with the consumers of schemas.
+random data and otherwise interfering with the consumers of schemas. In 
addition,
+the Avro IPC mechanism should not be exposed on a public network to untrusted 
actors.

Review Comment:
   i actually think that what separates gRPC from avro ipc is not any of these 
things. it's simply that it's implemented in a more hardened way. 
   
   avro ipc *could* work on untrusted networks if: 
   - protocol canonicalization actually worked (maybe by converting to a strict 
avro schema rather than JSON to remove language differences?)
     - clients couldn't send arbitrary length nonsense as protocol or non 
canonical things as protocol: less detail is admissible to send to servers (or 
it's squashed when it's received)
     - spec needs a lot more detail on how to canonicalize 100% consistently 
across languages
   - protocol caches couldn't be totally filled forever by one client: eviction 
mechanisms with sharding
   - protocol hashing were implemented properly as server side to prevent cache 
poisoning
     - or maybe you use a confluent schema registry but for protocols?
   - auditing were done for "allocating user controlled buffer lengths" and 
similar bugs
   
   these aren't intractable, and avro ipc looks very interesting to me! but the 
*implementations* just aren't designed for untrusted input today.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to