rdblue opened a new issue, #16466: URL: https://github.com/apache/iceberg/issues/16466
> This issue was reported to the private Apache Iceberg security mailing list. The submitter is being kept anonymous because the report was sent to a private list. After review, the issue is not considered a serious vulnerability that needs to be kept private, so it is being filed publicly here for tracking and resolution. > > Note: this submission was generated by AI. Please review its claims and source references carefully before acting on them. # Summary BigQuery metastore state can point `metadata_location` at arbitrary Iceberg metadata, and later purge operations will delete files referenced by that foreign metadata. Once the catalog trusts that pointer, a routine `loadTable` or `refresh` reads foreign metadata with the catalog's `FileIO` credentials. If an operator later runs `dropTable(..., true)`, the same poisoned pointer drives deletion of whatever files the foreign metadata references. # Affected Maven coordinates * primary shipped client artifact: `org.apache.iceberg:iceberg-bigquery` # Attacker prerequisites * ability to create or modify BigQuery table metadata that the Iceberg BigQuery catalog will trust, especially `metadata_location` and `table_type` * catalog `FileIO` credentials that can reach the foreign metadata location and any files referenced from it # Impact * A principal that can create or modify BigQuery metastore table resources can point a table at any Iceberg metadata JSON reachable by the catalog's `FileIO` credentials. * A normal `loadTable` or `refresh` then becomes a read primitive against that location. * A later `dropTable(..., true)` becomes a delete primitive for all files referenced by that foreign metadata. # Proof status I reproduced this locally with a targeted reproducer or exploit. The observed result matches the trigger and impact described above. # Key source references * org.apache.iceberg.gcp.bigquery.BigQueryMetastoreClientImpl * org.apache.iceberg.gcp.bigquery.BigQueryTableOperations * org.apache.iceberg.BaseMetastoreTableOperations * org.apache.iceberg.gcp.bigquery.BigQueryMetastoreCatalog * org.apache.iceberg.io.ResolvingFileIO * org.apache.iceberg.CatalogUtil Current severity assessment [2]: Important [1] https://iceberg.apache.org/security/ [2] https://security.apache.org/blog/severityrating/ -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
