+1 for removing the reflect functionality.

On Mon, Apr 14, 2025 at 7:49 AM Steve Loughran <ste...@cloudera.com.invalid> wrote:

> +1 for cutting.
>
> Even with the restricted package list, there are still vulnerabilities, or
> the risk of some. As an example, when you do
> new URL("http://somehostname.example.org"), that triggers an nslookup of
> "somehostname.example.org". This means it is leaking information, even if
> not an RCE.
>
> On Mon, 14 Apr 2025 at 10:35, Fokko Driesprong <fo...@apache.org> wrote:
>
> > Hey Gábor,
> >
> > Thanks for bringing this up, and I would be in favor of removing it because
> > of the security implications. I've created a draft PR
> > <https://github.com/apache/parquet-java/pull/3192> to locally publish the
> > artifact with reflect missing. With this version, I've tested against the
> > Iceberg codebase, and it looks like we don't rely on that part.
> >
> > Kind regards,
> > Fokko Driesprong
> >
> > On Mon, 14 Apr 2025 at 09:24, Gábor Szádovszky <ga...@apache.org> wrote:
> >
> > > Dear Parquet devs/users,
> > >
> > > In the light of the recent security concerns about the parquet-avro reflect
> > > feature (see CVE-2025-30065), I would like to start a discussion about its
> > > deprecation in the next minor parquet-java release, and the removal in the
> > > next major release.
> > >
> > > The parquet-avro module [1] in parquet-java is to use the Avro data model
> > > for reading/writing Parquet data. The reflect feature is to support mapping
> > > Parquet data to arbitrary Java objects via reflection.
> > > The two additional mapping solutions (code generation and the generic API)
> > > would remain supported in parquet-java.
> > >
> > > Cheers,
> > > Gabor
> > >
> > > [1] https://github.com/apache/parquet-java/tree/master/parquet-avro
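The thread above says the reflect mapping goes away while the generic API and code generation stay. The example below is added here for readers who need to find out whether their own code is on the reflect path and how the same read/write looks on the generic path; it is not code from the thread or from parquet-java itself. It assumes a hypothetical POJO `Event`, a hypothetical file path, and the public parquet-avro builder API (`AvroParquetWriter`/`AvroParquetReader` with `withDataModel`), and it is not run by anything on this page.

```java
import java.io.IOException;
import org.apache.avro.Schema;
import org.apache.avro.generic.GenericData;
import org.apache.avro.generic.GenericRecord;
import org.apache.avro.reflect.ReflectData;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.Path;
import org.apache.parquet.avro.AvroParquetReader;
import org.apache.parquet.avro.AvroParquetWriter;
import org.apache.parquet.hadoop.ParquetReader;
import org.apache.parquet.hadoop.ParquetWriter;
import org.apache.parquet.hadoop.util.HadoopInputFile;
import org.apache.parquet.hadoop.util.HadoopOutputFile;

public class ReflectVsGeneric {

    // Hypothetical POJO used only to show the reflect path; not from the project.
    public static class Event {
        public String id;
        public long ts;
        public Event() {}
        public Event(String id, long ts) { this.id = id; this.ts = ts; }
    }

    // The path being deprecated: the Avro schema is derived from a Java class
    // via reflection, and rows are materialised as instances of that class.
    // If your code references ReflectData (or ReflectDataSupplier) like this,
    // it depends on the feature under discussion.
    public static void writeAndReadWithReflect(Path path, Configuration conf) throws IOException {
        Schema schema = ReflectData.get().getSchema(Event.class);
        try (ParquetWriter<Event> writer = AvroParquetWriter.<Event>builder(HadoopOutputFile.fromPath(path, conf))
                .withSchema(schema)
                .withDataModel(ReflectData.get())
                .build()) {
            writer.write(new Event("evt-1", 1L));   // constructed sample row
        }
        try (ParquetReader<Event> reader = AvroParquetReader.<Event>builder(HadoopInputFile.fromPath(path, conf))
                .withDataModel(ReflectData.get())
                .build()) {
            for (Event e = reader.read(); e != null; e = reader.read()) {
                System.out.println(e.id + " " + e.ts);
            }
        }
    }

    // The path that remains: the schema is an explicit Avro record schema and
    // rows are GenericRecord; no Java class is named by the data or resolved
    // at read time.
    public static void writeAndReadWithGeneric(Path path, Configuration conf) throws IOException {
        Schema schema = new Schema.Parser().parse(
            "{\"type\":\"record\",\"name\":\"Event\",\"fields\":["
          + "{\"name\":\"id\",\"type\":\"string\"},"
          + "{\"name\":\"ts\",\"type\":\"long\"}]}");
        GenericRecord row = new GenericData.Record(schema);  // constructed sample row
        row.put("id", "evt-1");
        row.put("ts", 1L);
        try (ParquetWriter<GenericRecord> writer = AvroParquetWriter.<GenericRecord>builder(HadoopOutputFile.fromPath(path, conf))
                .withSchema(schema)
                .withDataModel(GenericData.get())
                .build()) {
            writer.write(row);
        }
        try (ParquetReader<GenericRecord> reader = AvroParquetReader.<GenericRecord>builder(HadoopInputFile.fromPath(path, conf))
                .withDataModel(GenericData.get())
                .build()) {
            for (GenericRecord r = reader.read(); r != null; r = reader.read()) {
                System.out.println(r.get("id") + " " + r.get("ts"));
            }
        }
    }

    public static void main(String[] args) throws IOException {
        Configuration conf = new Configuration();
        writeAndReadWithReflect(new Path("/tmp/events-reflect.parquet"), conf);  // hypothetical path
        writeAndReadWithGeneric(new Path("/tmp/events-generic.parquet"), conf);  // hypothetical path
    }
}
```

A quick way to repeat Fokko's check on your own code base without rebuilding the artifact is to search it for `org.apache.avro.reflect` imports and for `ReflectData`/`ReflectDataSupplier` passed into parquet-avro readers, writers or `AvroReadSupport` configuration; anything that only references `GenericData`, `SpecificData` or generated classes is on a path the thread says stays supported.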