From 60808c86e8fefdfa8a616d77560020ebd5dbbf42 Mon Sep 17 00:00:00 2001 From: Micah Kornfield Date: Thu, 2 Jul 2026 19:44:43 +0000 Subject: [PATCH 1/6] Add SECURITY.md --- SECURITY.md | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000000..d82bab6154 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,34 @@ +# Security + +## Reporting a Vulnerability + +Please report suspected vulnerabilities privately to the Parquet Project Management +Committee at private@parquet.apache.org. Do **not** file a public GitHub issue or pull +request for a suspected vulnerability, as that would disclose it before a fix is available. + +When reporting, please include as much of the following as you can: + * a description of the vulnerability and its potential impact; + * the affected version(s) or commit; + * steps to reproduce, and a proof of concept if available. + +You should receive an acknowledgement from the security team. Please follow the Apache +Software Foundation's vulnerability handling process, described at +https://www.apache.org/security/, and do not publicly disclose the issue until it has been +resolved and an advisory has been published. + +## Threat model + +General assumptions about the usage of the Parquet library: + +* Read configuration (e.g. Hadoop configuration) is controlled by applications. If an application allows untrusted parties to set the read configuration arbitrarily, that is a security risk independent of whether a Parquet file is involved. +* Parquet files (their data and metadata) may originate from untrusted sources. The library parses them on a best-effort basis, but a maliciously crafted file can still cause excessive resource consumption (e.g. large memory allocations or decompression bombs). Applications reading untrusted files are responsible for imposing appropriate resource limits (memory, time, input size) around the library. Where appropriate, improvements to resource management in the library are welcome. + +### Class loading + +Several modules (e.g. parquet-avro, parquet-protobuf, parquet-thrift, etc.) provide functionality to translate Parquet data into Java objects. In the general case, this requires loading classes named in metadata stored in the Parquet files. + +As a consequence: + * When using these translation layers it is the user's responsibility to make sure their classpath is secure and does not contain any classes that when loaded might cause an adverse issue for their system. + * If class loading driven by file contents is problematic, end users should use APIs to directly read the data from Parquet instead of relying on translation. + * Arbitrary class loading by itself is not considered a security issue by the library. A security issue must demonstrate further ability to execute + arbitrary methods on the instantiated object. From b182ed95109045cb390dd001040dcdb775a96997 Mon Sep 17 00:00:00 2001 From: Micah Kornfield Date: Thu, 2 Jul 2026 20:12:24 +0000 Subject: [PATCH 2/6] add license --- SECURITY.md | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/SECURITY.md b/SECURITY.md index d82bab6154..aa475aa4f5 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -1,3 +1,22 @@ + + # Security ## Reporting a Vulnerability From 7a56010d532d87947ccd56bd3c8f67ef93ca360b Mon Sep 17 00:00:00 2001 From: emkornfield Date: Sun, 12 Jul 2026 22:58:39 -0700 Subject: [PATCH 3/6] Apply suggestion from @emkornfield --- SECURITY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index aa475aa4f5..6d5a587993 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -22,7 +22,7 @@ ## Reporting a Vulnerability Please report suspected vulnerabilities privately to the Parquet Project Management -Committee at private@parquet.apache.org. Do **not** file a public GitHub issue or pull +ASF security at security@apache.org. Do **not** file a public GitHub issue or pull request for a suspected vulnerability, as that would disclose it before a fix is available. When reporting, please include as much of the following as you can: From 60961d913343607166075c17ff9b6c33a23f6ff1 Mon Sep 17 00:00:00 2001 From: emkornfield Date: Sun, 12 Jul 2026 22:59:09 -0700 Subject: [PATCH 4/6] Apply suggestion from @emkornfield --- SECURITY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index 6d5a587993..e145ab0735 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -21,7 +21,7 @@ ## Reporting a Vulnerability -Please report suspected vulnerabilities privately to the Parquet Project Management +Please report suspected vulnerabilities privately to the ASF security at security@apache.org. Do **not** file a public GitHub issue or pull request for a suspected vulnerability, as that would disclose it before a fix is available. From a3a5fff271a15db3e7db5324e891ddf1c9f5b8fe Mon Sep 17 00:00:00 2001 From: emkornfield Date: Sun, 12 Jul 2026 22:59:53 -0700 Subject: [PATCH 5/6] Apply suggestion from @emkornfield --- SECURITY.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index e145ab0735..16519af022 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -22,7 +22,8 @@ ## Reporting a Vulnerability Please report suspected vulnerabilities privately to the -ASF security at security@apache.org. Do **not** file a public GitHub issue or pull +ASF security team at security@apache.org (they will triage and coordinate the Parquet PMC). +Do **not** file a public GitHub issue or pull request for a suspected vulnerability, as that would disclose it before a fix is available. When reporting, please include as much of the following as you can: From 292489a7a9fb5a328d36f247aac4ba503f0a9519 Mon Sep 17 00:00:00 2001 From: emkornfield Date: Sun, 12 Jul 2026 23:04:03 -0700 Subject: [PATCH 6/6] Apply suggestions from code review Co-authored-by: emkornfield --- SECURITY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index 16519af022..2a5a211642 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -51,4 +51,4 @@ As a consequence: * When using these translation layers it is the user's responsibility to make sure their classpath is secure and does not contain any classes that when loaded might cause an adverse issue for their system. * If class loading driven by file contents is problematic, end users should use APIs to directly read the data from Parquet instead of relying on translation. * Arbitrary class loading by itself is not considered a security issue by the library. A security issue must demonstrate further ability to execute - arbitrary methods on the instantiated object. + arbitrary methods on the instantiated object in such a way that it presents a security risk.