Do you want to send a PR?

On Mon, 6 Jan 2025 at 12:15, MichalFoksa (via GitHub) <g...@apache.org> wrote:
> > MichalFoksa commented on code in PR #2934: > URL: https://github.com/apache/avro/pull/2934#discussion_r1903966434 > > > ########## > > lang/java/avro/src/main/java/org/apache/avro/specific/SpecificDatumReader.java: > ########## > @@ -101,12 +115,43 @@ private Class getPropAsClass(Schema schema, String > prop) { > if (name == null) > return null; > try { > - return ClassUtils.forName(getData().getClassLoader(), name); > + Class clazz = ClassUtils.forName(getData().getClassLoader(), name); > + checkSecurity(clazz); > + return clazz; > } catch (ClassNotFoundException e) { > throw new AvroRuntimeException(e); > } > } > > + private boolean trustAllPackages() { > + return (trustedPackages.size() == 1 && > "*".equals(trustedPackages.get(0))); > + } > + > + private void checkSecurity(Class clazz) throws ClassNotFoundException { > + if (trustAllPackages() || clazz.isPrimitive()) { > + return; > + } > + > + boolean found = false; > + Package thePackage = clazz.getPackage(); > + if (thePackage != null) { > > Review Comment: > @Fokko or @martin-g > When a class is not in any package `clazz.getPackage()` returns null > and this condition renders that class trusty. > > Move `if (!found) throw new SecurityException` out of the loop. > > > > -- > This is an automated message from the Apache Git Service. > To respond to the message, please log on to GitHub and use the > URL above to go to the specific comment. > > To unsubscribe, e-mail: issues-unsubscr...@avro.apache.org > > For queries about this service, please contact Infrastructure at: > us...@infra.apache.org > >
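Review bot: the `if (thePackage != null)` guard in `checkSecurity` leaves the no-package case to whatever follows the loop instead of rejecting it explicitly; a class whose `clazz.getPackage()` is null is exactly the case a trusted-package allowlist should refuse, so reject it up front, e.g. `if (thePackage == null) throw new SecurityException(...)` before the loop, and keep the `if (!found) throw` after the loop rather than inside it, as the review comment above suggests. A second point in the same hunk: `checkSecurity` is declared `throws ClassNotFoundException` although the visible body only needs to raise a `SecurityException`; if a rejected class were reported as `ClassNotFoundException`, the caller in `getPropAsClass` would wrap it in `AvroRuntimeException` and a policy violation would be indistinguishable from a merely missing class, so use a distinct exception type and drop the unneeded throws clause.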