From 5775ec66095494c6c712b0bc46c2692e179d2b6d Mon Sep 17 00:00:00 2001
From: sahvx655-wq <sahvx655@gmail.com>
Date: Tue, 2 Jun 2026 11:56:27 +0530
Subject: [PATCH] avoid running static initializers in CursorFactory.fromProto

---
 core/src/main/java/org/apache/calcite/avatica/Meta.java | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/core/src/main/java/org/apache/calcite/avatica/Meta.java b/core/src/main/java/org/apache/calcite/avatica/Meta.java
index a4f45c6bcb..83de22822d 100644
--- a/core/src/main/java/org/apache/calcite/avatica/Meta.java
+++ b/core/src/main/java/org/apache/calcite/avatica/Meta.java
@@ -722,7 +722,10 @@ public static CursorFactory fromProto(Common.CursorFactory proto) {
 
       if (proto.hasField(CLASS_NAME_DESCRIPTOR)) {
         try {
-          clz = Class.forName(proto.getClassName());
+          // Resolve without initializing: a server parsing this from an untrusted
+          // client must not run the named class's static initializer.
+          clz = Class.forName(proto.getClassName(), false,
+              CursorFactory.class.getClassLoader());
         } catch (ClassNotFoundException e) {
           throw new RuntimeException(e);
         }