This is an automated email from the ASF dual-hosted git repository.

opwvhk pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/avro.git


The following commit(s) were added to refs/heads/main by this push:
     new 907bc85005 AVRO-4145: Add Avro security model (#3403)
907bc85005 is described below

commit 907bc85005f229985b1b2acf880ca29bc2a44bb5
Author: Oscar Westra van Holthe - Kind <[email protected]>
AuthorDate: Sat Jun 28 00:10:00 2025 +0200

    AVRO-4145: Add Avro security model (#3403)
    
    Describe when using Avro is secure. This is necessary documentation,
    given the world-wide shift to extend product liability to "digital
    elements" (this includes software).
---
 doc/content/en/project/Security/_index.md | 42 ++++++++++++++++++++++++++++++-
 1 file changed, 41 insertions(+), 1 deletion(-)

diff --git a/doc/content/en/project/Security/_index.md 
b/doc/content/en/project/Security/_index.md
index baa55da933..5d77d29021 100755
--- a/doc/content/en/project/Security/_index.md
+++ b/doc/content/en/project/Security/_index.md
@@ -26,4 +26,44 @@ manualLink: https://www.apache.org/security/
 
 -->
 
-Apache Avro project shares the same security policy as the [Apache Software 
Foundation](https://www.apache.org/security/)
+Security Policy
+===============
+
+Apache Avro project shares the same security policy as
+the [Apache Software Foundation](https://www.apache.org/security/).
+
+
+Security Model
+==============
+
+The Avro library implementations are designed to read and write any data 
conforming
+to a schema. Transport is outside the scope of the Avro library: applications 
using
+Avro should be surrounded by security measures that prevent attackers from 
writing
+random data and otherwise interfering with the consumers of schemas.
+
+Although the Avro library will not read or write data except as directed to by
+invoking it, avoiding leaking data into a side channel like log files is a 
non-goal
+security-wise for Avro. This means, for example, that you will need to catch 
and
+handle exceptions instead of simply writing them to a log file.
+
+In some cases, like schema parsing, type conversions and based on explicit 
schema
+properties, Avro can execute code provided by the environment. Avro has opt-in
+mechanisms for code that is eligible for execution. Applications using Avro 
should
+have a secured supply chain, ensuring code registered to be executed is safe.
+
+This supply chain also includes the schemas being used: if they are user 
provided,
+additional validation is strongly advised. Such validation can use the parsed 
schema,
+as schema parsing itself is safe: the parser allows SPIs, but is not otherwise
+configurable.
+
+
+Summary
+-------
+
+In short, using Avro is safe, provided applications:
+
+* are surrounded by security measures that prevent attackers from writing 
random
+  data and otherwise interfering with the consumers of schemas
+* avoid leaking data by, for example, catching and handling exceptions
+* have a secured supply chain, ensuring code registered to be executed is safe
+* if schemas are user provided, validate the parsed schema before use
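Review bot: the paragraph beginning "In some cases, like schema parsing, type conversions and based on explicit schema properties" states that Avro can execute environment-provided code through "opt-in mechanisms" but does not name those mechanisms or link to where they are documented, so a reader of this page cannot check which registrations their own deployment has enabled; suggest naming the opt-in points (or linking their documentation) here. In the following paragraph, "additional validation is strongly advised" gives no hint of what a validator should reject, even though the text itself says explicit schema properties can trigger code execution; one sentence saying what the parsed schema should be checked for would make the "validate the parsed schema before use" summary bullet actionable. The clause "the parser allows SPIs, but is not otherwise configurable" is also ambiguous about whether those SPIs are the opt-in mechanisms mentioned above; tying the two together would close that gap. Minor wording: "Apache Avro project shares" reads better as "The Apache Avro project shares".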
