AVRO-3985: Add trusted packages support in SpecificData (#2934)

* AVRO-3985: Add trusted packages support in SpecificData

* Apply suggestions from code review

Co-authored-by: Martin Grigorov <martin-g@users.noreply.github.com>

* Move to SecurityException

* Remove redundant import

---------

Co-authored-by: Fokko Driesprong <fokko@apache.org>
Co-authored-by: Martin Grigorov <martin-g@users.noreply.github.com>

Author: 3 people

lang/java/avro/src/main/java/org/apache/avro/reflect/ReflectData.java

@@ -429,16 +429,6 @@ private FieldAccessor getFieldAccessor(Class<?> c, String fieldName) {
     return null;
   }
 
-  /** @deprecated Replaced by {@link SpecificData#CLASS_PROP} */
-  @Deprecated
-  static final String CLASS_PROP = "java-class";
-  /** @deprecated Replaced by {@link SpecificData#KEY_CLASS_PROP} */
-  @Deprecated
-  static final String KEY_CLASS_PROP = "java-key-class";
-  /** @deprecated Replaced by {@link SpecificData#ELEMENT_PROP} */
-  @Deprecated
-  static final String ELEMENT_PROP = "java-element-class";
-
   private static final Map<String, Class> CLASS_CACHE = new ConcurrentHashMap<>();
 
   static Class getClassProp(Schema schema, String prop) {

lang/java/avro/src/main/java/org/apache/avro/specific/SpecificDatumReader.java

@@ -24,12 +24,25 @@
 import org.apache.avro.io.ResolvingDecoder;
 import org.apache.avro.util.ClassUtils;
 import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
 
 /**
  * {@link org.apache.avro.io.DatumReader DatumReader} for generated Java
  * classes.
  */
 public class SpecificDatumReader<T> extends GenericDatumReader<T> {
+
+  public static final String[] SERIALIZABLE_PACKAGES;
+
+  static {
+    SERIALIZABLE_PACKAGES = System.getProperty("org.apache.avro.SERIALIZABLE_PACKAGES",
+        "java.lang,java.math,java.io,java.net,org.apache.avro.reflect").split(",");
+  }
+
+  private final List<String> trustedPackages = new ArrayList<>();
+
   public SpecificDatumReader() {
     this(null, null, SpecificData.get());
   }
@@ -55,6 +68,7 @@ public SpecificDatumReader(Schema writer, Schema reader) {
    */
   public SpecificDatumReader(Schema writer, Schema reader, SpecificData data) {
     super(writer, reader, data);
+    trustedPackages.addAll(Arrays.asList(SERIALIZABLE_PACKAGES));
   }
 
   /** Construct given a {@link SpecificData}. */
@@ -101,12 +115,43 @@ private Class getPropAsClass(Schema schema, String prop) {
     if (name == null)
       return null;
     try {
-      return ClassUtils.forName(getData().getClassLoader(), name);
+      Class clazz = ClassUtils.forName(getData().getClassLoader(), name);
+      checkSecurity(clazz);
+      return clazz;
     } catch (ClassNotFoundException e) {
       throw new AvroRuntimeException(e);
     }
   }
 
+  private boolean trustAllPackages() {
+    return (trustedPackages.size() == 1 && "*".equals(trustedPackages.get(0)));
+  }
+
+  private void checkSecurity(Class clazz) throws ClassNotFoundException {
+    if (trustAllPackages() || clazz.isPrimitive()) {
+      return;
+    }
+
+    boolean found = false;
+    Package thePackage = clazz.getPackage();
+    if (thePackage != null) {
+      for (String trustedPackage : getTrustedPackages()) {
+        if (thePackage.getName().equals(trustedPackage) || thePackage.getName().startsWith(trustedPackage + ".")) {
+          found = true;
+          break;
+        }
+      }
+      if (!found) {
+        throw new SecurityException("Forbidden " + clazz
+            + "! This class is not trusted to be included in Avro schema using java-class. Please set org.apache.avro.SERIALIZABLE_PACKAGES system property with the packages you trust.");
+      }
+    }
+  }
+
+  public final List<String> getTrustedPackages() {
+    return trustedPackages;
+  }
+
   @Override
   protected Object readRecord(Object old, Schema expected, ResolvingDecoder in) throws IOException {
     SpecificData data = getSpecificData();