DanielCarter-stack commented on PR #10493:
URL: https://github.com/apache/seatunnel/pull/10493#issuecomment-3899796746
<!-- code-pr-reviewer -->
<!-- cpr:pr_reply_v2_parts {"group": "apache/seatunnel#10493", "part": 1,
"total": 1} -->
### Issue 1: Version inconsistency causes potential class loading conflicts
**Location**:
`seatunnel-connectors-v2/connector-cdc/connector-cdc-mongodb/pom.xml:33`
**Related context**:
- Root pom.xml: `<avro.version>1.11.1</avro.version>`
- connector-iceberg/pom.xml: `<avro.version>1.11.3</avro.version>`
- connector-cdc-mongodb/pom.xml: `<avro.version>1.11.5</avro.version>` (This
change)
**Problem description**:
There are multiple different versions of Avro within the project. If users
use the following in the same SeaTunnel task:
- MongoDB CDC Connector (uses Avro 1.11.5)
- Iceberg Connector (uses Avro 1.11.3)
- Format-Avro (uses Avro 1.11.1)
In cases where classloader isolation is not perfect, the following may occur:
- ClassNotFoundException
- NoSuchMethodError
- Inconsistent behavior
**Potential risks**:
- **Risk 1**: Multiple Avro versions coexisting may cause class loading
conflicts
- **Risk 2**: Different behavior depending on class loading order, making
debugging difficult
- **Risk 3**: Uncertainty in production environments
**Scope of impact**:
- **Direct impact**: Users using multiple Connectors simultaneously
- **Indirect impact**: Consistency of SeaTunnel dependency management
- **Impact surface**: Multiple Connectors / core dependency management
**Severity**: **Medium**
**Improvement suggestions**:
It is recommended to create a tracking Issue to unify all modules' Avro
version to 1.11.5:
1. Upgrade `avro.version` in root pom.xml to 1.11.5
2. Remove duplicate `avro.version` property definitions in each sub-module
3. Ensure all modules use a unified Avro version
**Reasoning**:
- This is not a problem introduced by this PR, but this PR exacerbates the
version inconsistency
- Unified version management is a best practice for Maven projects
- Reduces class loading issues users encounter in production environments
---
### Issue 2: Missing security testing for CVE-2024-47561
**Location**:
`seatunnel-connectors-v2/connector-cdc/connector-cdc-mongodb/src/test/`
**Related context**:
- `MongodbRecordUtils.java:143` - Avro schema parsing call site
- `MongodbRecordUtils.java:151` - Another Avro schema parsing call site
**Problem description**:
The current test suite lacks verification of Avro schema parsing security.
The attack vector for CVE-2024-47561 is maliciously crafted Avro schemas, but
existing tests do not verify:
- Malicious schemas are properly rejected
- Malicious data does not lead to code execution
- Exception handling mechanisms can catch and report exceptions
**Potential risks**:
- **Risk 1**: Unable to verify whether security vulnerabilities are truly
fixed
- **Risk 2**: Future changes may reintroduce similar vulnerabilities
- **Risk 3**: Lack of evidence during security audits
**Scope of impact**:
- **Direct impact**: Security verification of MongoDB CDC Connector
- **Indirect impact**: Credibility of SeaTunnel's overall security posture
- **Impact surface**: Single Connector
**Severity**: **Medium**
**Improvement suggestions**:
Add security test cases:
```java
@Test
public void testMaliciousAvroSchemaRejection() {
// Simulate malicious Avro schema
String maliciousSchema =
"{\"type\":\"record\",\"name\":\"Exploit\",\"fields\":["
+
"{\"name\":\"cmd\",\"type\":[\"null\",{\"type\":\"map\",\"values\":\"string\"}]}"
+ "]}";
// Verify correct rejection
assertThrows(SchemaParseException.class, () -> {
AvroSchema.fromJson(maliciousSchema);
});
}
```
**Reasoning**:
- Security fixes require test verification
- Provides regression test protection
- Meets Apache project security standards
---
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
