3 changes: 3 additions & 0 deletions lang/java/avro/pom.xml
Expand Up @@ -90,6 +90,9 @@
<artifactId>maven-surefire-plugin</artifactId>
<configuration>
<parallel>none</parallel>
<systemProperties>
<org.apache.avro.SERIALIZABLE_CLASSES>java.math.BigDecimal,java.math.BigInteger,java.net.URI,java.net.URL,java.io.File,java.lang.Integer,org.apache.avro.reflect.TestReflect$R10</org.apache.avro.SERIALIZABLE_CLASSES>
</systemProperties>
</configuration>
<executions>
<execution>
Expand Up @@ -23,25 +23,45 @@
import org.apache.avro.generic.GenericDatumReader;
import org.apache.avro.io.ResolvingDecoder;
import org.apache.avro.util.ClassUtils;

import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.HashSet;
import java.util.Set;

/**
* {@link org.apache.avro.io.DatumReader DatumReader} for generated Java
* classes.
*/
public class SpecificDatumReader<T> extends GenericDatumReader<T> {

/**
* @deprecated prefer to use SERIALIZABLE_CLASSES instead.
*/
@Deprecated
public static final String[] SERIALIZABLE_PACKAGES;

public static final String[] SERIALIZABLE_CLASSES;

static {
SERIALIZABLE_PACKAGES = System.getProperty("org.apache.avro.SERIALIZABLE_PACKAGES",
"java.lang,java.math,java.io,java.net,org.apache.avro.reflect").split(",");
// no serializable classes by default
String serializableClassesProp = System.getProperty("org.apache.avro.SERIALIZABLE_CLASSES");
SERIALIZABLE_CLASSES = (serializableClassesProp == null) ? new String[0] : serializableClassesProp.split(",");

// no serializable packages by default
String serializablePackagesProp = System.getProperty("org.apache.avro.SERIALIZABLE_PACKAGES");
SERIALIZABLE_PACKAGES = (serializablePackagesProp == null) ? new String[0] : serializablePackagesProp.split(",");
}

// The primitive "class names" based on Class.isPrimitive()
private static final Set<String> PRIMITIVES = new HashSet<>(Arrays.asList(Boolean.TYPE.getName(),
Character.TYPE.getName(), Byte.TYPE.getName(), Short.TYPE.getName(), Integer.TYPE.getName(), Long.TYPE.getName(),
Float.TYPE.getName(), Double.TYPE.getName(), Void.TYPE.getName()));

private final List<String> trustedPackages = new ArrayList<>();
private final List<String> trustedClasses = new ArrayList<>();

public SpecificDatumReader() {
this(null, null, SpecificData.get());
Expand Down Expand Up @@ -69,12 +89,14 @@
public SpecificDatumReader(Schema writer, Schema reader, SpecificData data) {
super(writer, reader, data);
trustedPackages.addAll(Arrays.asList(SERIALIZABLE_PACKAGES));
trustedClasses.addAll(Arrays.asList(SERIALIZABLE_CLASSES));
}

/** Construct given a {@link SpecificData}. */
public SpecificDatumReader(SpecificData data) {
super(data);
trustedPackages.addAll(Arrays.asList(SERIALIZABLE_PACKAGES));
trustedClasses.addAll(Arrays.asList(SERIALIZABLE_CLASSES));
}

/** Return the contained {@link SpecificData}. */
Expand Down Expand Up @@ -116,8 +138,8 @@
if (name == null)
return null;
try {
checkSecurity(name);
Class clazz = ClassUtils.forName(getData().getClassLoader(), name);
checkSecurity(clazz);
return clazz;
} catch (ClassNotFoundException e) {
throw new AvroRuntimeException(e);
Expand All @@ -128,31 +150,39 @@
return (trustedPackages.size() == 1 && "*".equals(trustedPackages.get(0)));
}

private void checkSecurity(Class clazz) throws ClassNotFoundException {
if (trustAllPackages() || clazz.isPrimitive()) {
private void checkSecurity(String className) throws ClassNotFoundException {
if (trustAllPackages() || PRIMITIVES.contains(className)) {
return;
}

boolean found = false;
Package thePackage = clazz.getPackage();
if (thePackage != null) {
for (String trustedPackage : getTrustedPackages()) {
if (thePackage.getName().equals(trustedPackage) || thePackage.getName().startsWith(trustedPackage + ".")) {
found = true;
break;
}
for (String trustedClass : getTrustedClasses()) {
if (className.equals(trustedClass)) {
return;
}
}
if (!found) {
throw new SecurityException("Forbidden " + clazz
+ "! This class is not trusted to be included in Avro schema using java-class. Please set org.apache.avro.SERIALIZABLE_PACKAGES system property with the packages you trust.");

for (String trustedPackage : getTrustedPackages()) {

Check notice

Code scanning / CodeQL

Deprecated method or constructor invocation Note

Invoking
SpecificDatumReader.getTrustedPackages
should be avoided because it has been deprecated.
if (className.startsWith(trustedPackage)) {
return;
}
}

throw new SecurityException("Forbidden " + className
+ "! This class is not trusted to be included in Avro schema using java-class. Please set org.apache.avro.SERIALIZABLE_CLASSES system property with the class you trust or org.apache.avro.SERIALIZABLE_PACKAGES system property with the packages you trust.");
}

/**
* @deprecated Use getTrustedClasses() instead
*/
@Deprecated
public final List<String> getTrustedPackages() {
return trustedPackages;
}

public final List<String> getTrustedClasses() {
return trustedClasses;
}

@Override
protected Object readRecord(Object old, Schema expected, ResolvingDecoder in) throws IOException {
SpecificData data = getSpecificData();
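Review bot: The package test in the new `checkSecurity(String className)` matches on a bare prefix, `className.startsWith(trustedPackage)`, whereas the check it replaces accepted a package only when its name equalled the trusted entry or started with the entry followed by a dot. A trusted `com.acme.safe` therefore also admits `com.acme.safeguard.Evil`, and an empty entry produced by a leading or doubled comma in `org.apache.avro.SERIALIZABLE_PACKAGES` would match every class name, which is the opposite of the allowlist's intent. Restore the boundary the old code had, `if (className.startsWith(trustedPackage + ".")) {`, and consider dropping blank entries where the property is split in the static initializer. The move to a string-based check before `ClassUtils.forName` is otherwise the right direction, since no class is loaded before it is allowed; the enclosing class body continues past this hunk.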
Expand Up @@ -615,6 +615,7 @@ void checkReadWrite(Object object) throws Exception {
}

void checkReadWrite(Object object, Schema s) throws Exception {

ReflectDatumWriter<Object> writer = new ReflectDatumWriter<>(s);
ByteArrayOutputStream out = new ByteArrayOutputStream();
writer.write(object, factory.directBinaryEncoder(out, null));
3 changes: 3 additions & 0 deletions lang/java/ipc/pom.xml
Expand Up @@ -62,6 +62,9 @@
<forkCount>1</forkCount>
<reuseForks>false</reuseForks>
<parallel>none</parallel>
<systemProperties>
<org.apache.avro.SERIALIZABLE_CLASSES>java.math.BigDecimal,java.math.BigInteger</org.apache.avro.SERIALIZABLE_CLASSES>
</systemProperties>
</configuration>
</plugin>
<plugin>