+1 for cutting. Even with the restricted package list, there are still vulnerabilities, or the risk of some. As an example, when you go new URL("http// somehostname.example.org"), that triggers an nslookup of " somehostname.example.org". This means it is leaking information, even if not an RCE.
On Mon, 14 Apr 2025 at 10:35, Fokko Driesprong <fo...@apache.org> wrote:

> Hey Gábor,
>
> Thanks for bringing this up, and I would be in favor of removing it because
> of the security implications. I've created a draft PR
> <https://github.com/apache/parquet-java/pull/3192> to locally publish the
> artifact with reflect missing. With this version, I've tested against the
> Iceberg codebase, and it looks like we don't rely on that part.
>
> Kind regards,
> Fokko Driesprong
>
> On Mon, 14 Apr 2025 at 09:24, Gábor Szádovszky <ga...@apache.org> wrote:
>
> > Dear Parquet devs/users,
> >
> > In the light of the recent security concerns about the parquet-avro reflect
> > feature (see CVE-2025-30065), I would like to start a discussion about its
> > deprecation in the next minor parquet-java release, and the removal in the
> > next major release.
> >
> > The parquet-avro module [1] in parquet-java is to use the Avro data model
> > for reading/writing Parquet data. The reflect feature is to support mapping
> > Parquet data to arbitrary Java objects via reflection.
> > The two additional mapping solutions (code generation and the generic API)
> > would remain supported in parquet-java.
> >
> > Cheers,
> > Gabor
> >
> > [1] https://github.com/apache/parquet-java/tree/master/parquet-avro
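The DNS-leak point made in the reply above, as an added example that is not part of the thread or of parquet-java. It shows the java.net.URL behaviour in isolation: the constructor only parses the string, but URL.equals() and URL.hashCode() delegate to URLStreamHandler.hostsEqual()/hashCode(), which call InetAddress.getByName() on the host, so the first comparison or hash of an attacker-supplied URL sends a DNS query for the attacker's host name. java.net.URI is the syntax-only alternative that never resolves. The host name is a constructed stand-in for a value that an untrusted Avro schema could smuggle into a reflectively instantiated java.net.URL; the class and method names below are the example's own.

```java
import java.net.InetAddress;
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URL;
import java.net.UnknownHostException;

/**
 * Added example: where java.net.URL resolves a host name, and how URI avoids it.
 * Run it with a packet capture (or a DNS server you control) on the resolver
 * path to watch the query for the constructed host name leave the JVM.
 */
public class UrlLookupDemo {

    // Constructed input: stands in for a host name taken from an untrusted schema.
    static final String UNTRUSTED = "http://somehostname.example.org/";

    /** Parses only. No network activity happens in the constructor. */
    static URL parseOnly(String s) throws MalformedURLException {
        return new URL(s);
    }

    /**
     * URL.hashCode() -> URLStreamHandler.hashCode(URL) -> InetAddress.getByName(host).
     * The result is cached inside the URL, so the lookup happens once per instance.
     * URL.equals() goes the same way via hostsEqual(), so putting attacker-controlled
     * URLs into a HashSet/HashMap or comparing them with equals() leaks the host name.
     */
    static int hashTriggersDnsLookup(URL u) {
        return u.hashCode();
    }

    /** java.net.URI compares and hashes on syntax alone; nothing is resolved. */
    static int hashWithoutLookup(String s) {
        URI uri = URI.create(s);
        return uri.hashCode();
    }

    /** What the URL handler does internally, spelled out so the leak is visible. */
    static String resolveLikeUrlHandler(String host) {
        try {
            return InetAddress.getByName(host).getHostAddress();
        } catch (UnknownHostException e) {
            // The query was still sent to the resolver; only the answer was negative.
            return "unresolvable (query was still emitted)";
        }
    }

    public static void main(String[] args) throws Exception {
        URL url = parseOnly(UNTRUSTED);
        System.out.println("parsed host: " + url.getHost() + " (no lookup yet)");

        // This is the line that emits the DNS query for the untrusted host name.
        System.out.println("URL.hashCode(): " + hashTriggersDnsLookup(url));

        // Same string, no lookup: URI works on the text only.
        System.out.println("URI.hashCode(): " + hashWithoutLookup(UNTRUSTED));

        System.out.println("handler-style resolution: "
                + resolveLikeUrlHandler(url.getHost()));
    }
}
```

The practical takeaway for an allow-list such as the one that followed CVE-2025-30065: a class can be "safe" in the sense of doing nothing dangerous in its constructor and still leak the attacker-chosen string through side effects of equals()/hashCode(); prefer URI over URL for untrusted input, and treat any reflectively instantiated type that touches the network or the file system as out of scope for an allow-list.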