API: Harden variant binary parsing against malformed input #16568
Open
nssalian wants to merge 1 commit into
Conversation
Co-authored-by: Steve Loughran <stevel@cloudera.com>
| return from(metadata, value, header, 0); | ||
| } | ||
|
|
||
| static SerializedArray from(VariantMetadata metadata, ByteBuffer value, int header, int depth) { |
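Review bot: the call site above seeds `depth` with `0`, so `from(metadata, value, header, depth)` is an internal recursion step rather than an entry point; make it private (or package-private at most, if `SerializedObject` needs it for nested arrays) so that no caller outside the parser can start at an arbitrary depth and undercut the `MAX_VARIANT_DEPTH` cap.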
Contributor
could this be private?
| Preconditions.checkArgument( | ||
| offsetTableEnd <= value.remaining(), | ||
| "Invalid variant array: element count %s exceeds buffer", | ||
| numElements); |
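Review bot: the failure message in this `checkArgument` reports only `numElements`, but the condition is on `offsetTableEnd` versus `value.remaining()`; include both computed values so a rejected buffer can be diagnosed without recomputing the table size by hand, e.g. `"Invalid variant array: element count %s needs an offset table ending at %s, buffer has %s bytes", numElements, offsetTableEnd, value.remaining()`.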
Contributor
I've just realised that this and the parquet-java hardening don't worry about leftover data. "don't do that" is implicitly the policy there, being as it is useless.
I wonder what the rust parquet reader does.
|
|
||
| private VariantUtil() {} | ||
|
|
||
| static VariantValue fromBuffer(VariantMetadata metadata, ByteBuffer value, int depth) { |
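Review bot: missing documentation on `fromBuffer`: the `depth` parameter carries no contract. The Javadoc should state what `depth` is for a top-level value, which side increments it for each nested object or array, that exceeding `MAX_VARIANT_DEPTH` (500) fails with `IllegalArgumentException` like the other bounds checks, and that header and payload bounds are validated here before dispatch, so callers do not add a second round of checks.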
Contributor
add a javadoc, mention that the function includes validation, including depth limits
Closes #16334
Addresses #16455
Summary
Validates malformed Variant binary input so adversarial buffers fail fast with
IllegalArgumentException instead of OOM, StackOverflowError, or raw JVM exceptions. Adds bounds checks across header, count, offset table, primitive payload, and short-string length, plus a 500-level nesting depth cap threaded through object/array recursive descent.
The approach mirrors Steve Loughran's parquet-java hardening work in apache/parquet-java#3562. Pulled in the changes from @steveloughran's #16335.
Changes
SerializedMetadata, SerializedArray, SerializedObject: header / count / offset-table bounds, lazy per-element offset and field-id checks, long arithmetic to prevent int overflow.
SerializedPrimitive: payload bounds, BIN/STR size-field bounds, non-negative size.
SerializedShortString: length bounds.
VariantUtil: MAX_VARIANT_DEPTH = 500 and fromBuffer dispatch threading depth through recursive descent.
TestMalformedVariant: 20 attack-payload tests covering each new check.
Test plan
./gradlew :iceberg-api:test --tests 'org.apache.iceberg.variants.*'
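The checks the description lists (header, count and offset-table bounds, long arithmetic against int overflow, and a depth cap threaded through recursive descent) carried through in one self-contained Java parser. This is an added example, not code from the Iceberg PR or from parquet-java: it assumes a deliberately simplified toy layout described in the comments rather than the real Variant encoding, and the class, method and builder names (`HardenedVariantExample`, `countLeaves`, `arrayOf`, `int32`) are its own. It feeds three constructed malformed payloads through the parser and shows each rejected with IllegalArgumentException instead of an OOM or StackOverflowError.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.util.Locale;

// Toy layout assumed for this example only (not the Iceberg/Parquet Variant spec):
// byte 0 = header: bits 0..1 basic type (0 = int32 primitive, 1 = array), bit 2 set = 4-byte count
// (else 1 byte), bits 3..4 = offset width minus one; then count, (count + 1) LE offsets, element bytes.
public final class HardenedVariantExample {
  static final int MAX_VARIANT_DEPTH = 500; // same cap as the PR description
  private static final int TYPE_INT32 = 0;
  private static final int TYPE_ARRAY = 1;
  private HardenedVariantExample() {}

  // Every rejection is an IllegalArgumentException, never an OOM, StackOverflowError or raw JVM exception.
  private static void check(boolean ok, String fmt, Object... args) {
    if (!ok) {
      throw new IllegalArgumentException(String.format(Locale.ROOT, fmt, args));
    }
  }

  // Unsigned little-endian field of 1..4 bytes at pos (relative to a zero-positioned slice), bounds-checked.
  private static long readUnsigned(ByteBuffer value, int pos, int width) {
    check(pos >= 0 && width <= value.remaining() - pos,
        "Invalid variant: %s-byte field at %s exceeds buffer of %s bytes", width, pos, value.remaining());
    long result = 0;
    for (int i = 0; i < width; i++) {
      result |= (value.get(pos + i) & 0xFFL) << (8 * i);
    }
    return result;
  }

  /** Counts int32 leaves of an encoded value, validating every header, count and offset on the way. */
  public static int countLeaves(ByteBuffer input) {
    return countLeaves(input.slice(), 0); // public entry point always starts at depth 0
  }

  private static int countLeaves(ByteBuffer value, int depth) {
    check(depth <= MAX_VARIANT_DEPTH, "Invalid variant: nesting deeper than %s levels", MAX_VARIANT_DEPTH);
    check(value.remaining() >= 1, "Invalid variant: empty buffer");
    int header = value.get(0) & 0xFF;
    int basicType = header & 0x03;
    if (basicType == TYPE_INT32) {
      check(value.remaining() >= 5, "Invalid variant primitive: int32 payload exceeds %s-byte buffer", value.remaining());
      return 1;
    }
    check(basicType == TYPE_ARRAY, "Invalid variant: unknown basic type %s", basicType);
    int countWidth = (header & 0x04) == 0 ? 1 : 4;
    int offsetWidth = ((header >> 3) & 0x03) + 1;
    long numElements = readUnsigned(value, 1, countWidth);
    long offsetTableStart = 1L + countWidth;
    long offsetTableEnd = offsetTableStart + (numElements + 1) * offsetWidth; // long: no int overflow
    check(offsetTableEnd <= value.remaining(),
        "Invalid variant array: element count %s needs an offset table ending at %s, buffer has %s bytes",
        numElements, offsetTableEnd, value.remaining());
    int dataStart = (int) offsetTableEnd; // proven <= remaining, so it fits an int
    int leaves = 0;
    for (int i = 0; i < numElements; i++) {
      long start = readUnsigned(value, (int) (offsetTableStart + (long) i * offsetWidth), offsetWidth);
      long end = readUnsigned(value, (int) (offsetTableStart + (long) (i + 1) * offsetWidth), offsetWidth);
      check(start <= end && dataStart + end <= value.remaining(),
          "Invalid variant array: element %s range [%s, %s) exceeds %s-byte buffer", i, start, end, value.remaining());
      ByteBuffer element = value.duplicate();
      element.position((int) (dataStart + start));
      element.limit((int) (dataStart + end));
      leaves += countLeaves(element.slice(), depth + 1); // depth threaded through the recursion
    }
    return leaves;
  }

  // Constructed sample data: builders emit a 1-byte count and 2-byte offsets (header 0x09).
  static byte[] int32(int v) {
    return ByteBuffer.allocate(5).order(ByteOrder.LITTLE_ENDIAN).put((byte) TYPE_INT32).putInt(v).array();
  }

  static byte[] arrayOf(byte[]... elements) {
    int dataLen = 0;
    for (byte[] e : elements) { dataLen += e.length; }
    ByteBuffer out = ByteBuffer.allocate(2 + (elements.length + 1) * 2 + dataLen).order(ByteOrder.LITTLE_ENDIAN);
    out.put((byte) (TYPE_ARRAY | (1 << 3))).put((byte) elements.length);
    int offset = 0;
    for (byte[] e : elements) { out.putShort((short) offset); offset += e.length; }
    out.putShort((short) offset);
    for (byte[] e : elements) { out.put(e); }
    return out.array();
  }

  public static void main(String[] args) {
    byte[] good = arrayOf(int32(1), arrayOf(int32(2), int32(3)));
    System.out.println("leaves in well-formed value: " + countLeaves(ByteBuffer.wrap(good))); // 3
    byte[] hugeCount = {(byte) 0x09, (byte) 0xFF, 0, 0, 0}; // claims 255 elements inside 5 bytes
    byte[] badOffset = arrayOf(int32(1));
    badOffset[4] = 0x7F; // end offset of element 0 now points past the data
    byte[] tooDeep = int32(0);
    for (int i = 0; i <= MAX_VARIANT_DEPTH; i++) { tooDeep = arrayOf(tooDeep); } // 501 nested levels
    for (byte[] payload : new byte[][] {hugeCount, badOffset, tooDeep}) {
      try {
        countLeaves(ByteBuffer.wrap(payload));
        System.out.println("accepted unexpectedly");
      } catch (IllegalArgumentException e) {
        System.out.println("rejected: " + e.getMessage());
      }
    }
  }
}
```

Two design points carry over from the PR regardless of the concrete encoding: the offset-table size is computed in `long` before it is compared with `remaining()`, so a 4-byte count multiplied by a 4-byte offset width cannot wrap to a small positive `int` and pass the check, and the only public entry point fixes `depth` at 0 while the recursive overload stays private, so the cap cannot be bypassed by a caller choosing its own starting depth.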