Skip to content

Commit 1145eb4

Browse files
Joob1nmergify[bot]
authored andcommitted
[BugFix][CVE] Exclude unused avro-ipc that bundles vulnerable jquery 1.4.2 (#76270)
## Why I'm doing: `avro-ipc-1.11.4.jar` ships `jquery-1.4.2.min.js` (CVE-2011-4969, CVE-2014-6071 and six more jQuery XSS CVEs, two of them rated critical by downstream scanners) as static assets of Avro's stats server, which StarRocks never runs. Scanning the whole build output, the only class that references `org.apache.avro.ipc` is avro-mapred's `tether/TetheredProcess` (Avro's tethered-MapReduce debugging feature, also unused), so the jar is dead weight on both sides it ships to: - FE classpath: `spark-core_2.12 -> avro-mapred -> avro-ipc` - BE hive-reader lib: direct `avro-mapred` dependency drags in `avro-ipc` + `avro-ipc-jetty` Upgrading Avro does not help: the latest avro-ipc 1.12.1 still bundles the same jquery 1.4.2. ## What I'm doing: Pom/gradle-only, no Java code changes: 1. **Exclude `avro-ipc`** from spark-core (fe) and **`avro-ipc`/`avro-ipc-jetty`** from avro-mapred (hive-reader). Avro core and avro-mapred stay untouched — `org.apache.avro.mapred.FsInput` etc. remain on the classpath for Hive Avro reads. 2. **Keep `org.tukaani:xz` as an explicit dependency**: it used to reach `fe/lib` only through avro-ipc, while commons-compress, clickhouse-jdbc and 5 other shipped jars still reference it. Without this, the exclusion would silently drop the XZ codec. 3. **Ban `avro-ipc`/`avro-ipc-jetty` in the maven-enforcer gates** (fe + java-extensions root poms) so a future dependency bump cannot re-introduce them. 4. **Mirror everything in the Gradle build** (`fe/build.gradle.kts`, `fe/fe-core/build.gradle.kts`). Verification (full FE rebuild + BE hive-reader repackage): - `fe/lib` is byte-identical minus `avro-ipc-1.11.4.jar` (the explicit xz keeps `xz-1.9.jar` in place); no `jquery-1.4*` asset remains anywhere in `fe/lib`. - FE starts clean, metadata queries work, zero `ClassNotFound`/`NoClassDefFound` in fe.log. - `hive-reader-lib` drops `avro-ipc`/`avro-ipc-jetty`; hive-reader's `TestHiveScanner` (real `.avro` file reads through `AvroSerDe`/`AvroContainerInputFormat`) passes with the exclusion in place. - Both maven reactors pass `validate` with the new enforcer bans active. Signed-off-by: Joob1n <Joob1n@outlook.com> Co-authored-by: Claude Fable 5 <noreply@anthropic.com> (cherry picked from commit 4f9d892) # Conflicts: # fe/fe-core/pom.xml
1 parent a673d66 commit 1145eb4

7 files changed

Lines changed: 111 additions & 0 deletions

File tree

fe/build.gradle.kts

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -225,6 +225,9 @@ subprojects {
225225
implementation("org.bouncycastle:bcpkix-jdk18on:${project.ext["bouncycastle.version"]}")
226226
implementation("org.bouncycastle:bcprov-jdk18on:${project.ext["bouncycastle.version"]}")
227227
implementation("org.bouncycastle:bcutil-jdk18on:${project.ext["bouncycastle.version"]}")
228+
// xz used to reach fe/lib only via the excluded avro-ipc; keep it for the
229+
// jars that still reference it (commons-compress, clickhouse-jdbc, ...)
230+
implementation("org.tukaani:xz:1.9")
228231
implementation("org.eclipse.jetty:jetty-client:${project.ext["jetty.version"]}")
229232
implementation("org.eclipse.jetty:jetty-io:${project.ext["jetty.version"]}")
230233
implementation("org.eclipse.jetty:jetty-security:${project.ext["jetty.version"]}")
@@ -270,6 +273,9 @@ subprojects {
270273
// JSP engine, unused by FE; tomcat 9.0.93 carries CVE-2025-55754/CVE-2025-52434
271274
exclude(group = "org.apache.tomcat")
272275
exclude(group = "org.apache.tomcat.embed")
276+
// ships jquery 1.4.2 (CVE-2011-4969 etc.); only avro-mapred's unused tether feature references it
277+
exclude(group = "org.apache.avro", module = "avro-ipc")
278+
exclude(group = "org.apache.avro", module = "avro-ipc-jetty")
273279
}
274280

275281
// Resolve capability conflicts: at.yawk.lz4:lz4-java replaces org.lz4:lz4-java and org.lz4:lz4-pure-java

fe/fe-core/build.gradle.kts

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -289,6 +289,9 @@ dependencies {
289289
}
290290
implementation("org.slf4j:slf4j-api")
291291
implementation("org.threeten:threeten-extra:1.7.2")
292+
// xz used to reach fe/lib only via the excluded avro-ipc; keep it for the
293+
// jars that still reference it (commons-compress, clickhouse-jdbc, ...)
294+
implementation("org.tukaani:xz")
292295
implementation("org.xerial.snappy:snappy-java")
293296
implementation("software.amazon.awssdk:glue")
294297
implementation("software.amazon.awssdk:dynamodb")

fe/fe-core/pom.xml

Lines changed: 30 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -99,6 +99,36 @@ under the License.
9999
<dependencies>
100100
<dependency>
101101
<groupId>com.starrocks</groupId>
102+
<<<<<<< HEAD
103+
=======
104+
<artifactId>fe-grammar</artifactId>
105+
</dependency>
106+
107+
<!-- xz used to reach fe/lib only via the excluded avro-ipc; keep it for the
108+
jars that still reference it (commons-compress, clickhouse-jdbc, ...) -->
109+
<dependency>
110+
<groupId>org.tukaani</groupId>
111+
<artifactId>xz</artifactId>
112+
</dependency>
113+
114+
<dependency>
115+
<groupId>com.starrocks</groupId>
116+
<artifactId>fe-type</artifactId>
117+
</dependency>
118+
119+
<dependency>
120+
<groupId>com.starrocks</groupId>
121+
<artifactId>fe-parser</artifactId>
122+
</dependency>
123+
124+
<dependency>
125+
<groupId>com.starrocks</groupId>
126+
<artifactId>fe-spi</artifactId>
127+
</dependency>
128+
129+
<dependency>
130+
<groupId>com.starrocks</groupId>
131+
>>>>>>> 4f9d89297d ([BugFix][CVE] Exclude unused avro-ipc that bundles vulnerable jquery 1.4.2 (#76270))
102132
<artifactId>spark-dpp</artifactId>
103133
</dependency>
104134

fe/pom.xml

Lines changed: 18 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -564,6 +564,14 @@ under the License.
564564
<version>3.4.0</version>
565565
</dependency>
566566

567+
<!-- xz used to reach fe/lib only via the excluded avro-ipc; keep it for the
568+
7 jars that still reference it (commons-compress, clickhouse-jdbc, ...) -->
569+
<dependency>
570+
<groupId>org.tukaani</groupId>
571+
<artifactId>xz</artifactId>
572+
<version>1.9</version>
573+
</dependency>
574+
567575
<!-- pin okio-jvm to the same version as okio; okhttp 4.10.0 drags in
568576
okio-jvm 3.0.0 which is affected by CVE-2023-3635 -->
569577
<dependency>
@@ -721,6 +729,12 @@ under the License.
721729
<groupId>org.eclipse.jetty</groupId>
722730
<artifactId>jetty-server</artifactId>
723731
</exclusion>
732+
<!-- avro-ipc ships jquery 1.4.2 (CVE-2011-4969 etc.); only referenced by
733+
avro-mapred's tether feature which is never used -->
734+
<exclusion>
735+
<groupId>org.apache.avro</groupId>
736+
<artifactId>avro-ipc</artifactId>
737+
</exclusion>
724738
<exclusion>
725739
<groupId>org.eclipse.jetty</groupId>
726740
<artifactId>jetty-util</artifactId>
@@ -1644,6 +1658,10 @@ under the License.
16441658
<exclude>org.apache.tomcat.embed:*</exclude>
16451659
<!-- tencentcloud-sdk below 3.1.1471 drags in EOL okhttp 2.7.5 -->
16461660
<exclude>com.tencentcloudapi:*:[,3.1.1471)</exclude>
1661+
<!-- ships jquery 1.4.2 (CVE-2011-4969 etc.); only avro-mapred's
1662+
unused tether feature references it -->
1663+
<exclude>org.apache.avro:avro-ipc</exclude>
1664+
<exclude>org.apache.avro:avro-ipc-jetty</exclude>
16471665
</excludes>
16481666
</bannedDependencies>
16491667
</rules>

java-extensions/hive-reader/pom.xml

Lines changed: 18 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -74,6 +74,24 @@
7474
<groupId>org.apache.avro</groupId>
7575
<artifactId>avro-mapred</artifactId>
7676
<version>${avro.version}</version>
77+
<!-- avro-ipc ships jquery 1.4.2 (CVE-2011-4969 etc.); only referenced by
78+
avro-mapred's tether feature which is never used -->
79+
<exclusions>
80+
<exclusion>
81+
<groupId>org.apache.avro</groupId>
82+
<artifactId>avro-ipc</artifactId>
83+
</exclusion>
84+
<exclusion>
85+
<groupId>org.apache.avro</groupId>
86+
<artifactId>avro-ipc-jetty</artifactId>
87+
</exclusion>
88+
</exclusions>
89+
</dependency>
90+
91+
<dependency>
92+
<groupId>org.tukaani</groupId>
93+
<artifactId>xz</artifactId>
94+
<version>1.9</version>
7795
</dependency>
7896

7997
<dependency>

java-extensions/hive-reader/src/test/java/com/starrocks/hive/reader/TestHiveScanner.java

Lines changed: 32 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -16,6 +16,12 @@
1616

1717
import com.starrocks.jni.connector.OffHeapTable;
1818
import com.starrocks.utils.Platform;
19+
import org.apache.avro.file.CodecFactory;
20+
import org.apache.avro.file.DataFileReader;
21+
import org.apache.avro.file.DataFileWriter;
22+
import org.apache.avro.generic.GenericDatumReader;
23+
import org.apache.avro.generic.GenericDatumWriter;
24+
import org.apache.avro.generic.GenericRecord;
1925
import org.junit.jupiter.api.AfterEach;
2026
import org.junit.jupiter.api.Assertions;
2127
import org.junit.jupiter.api.BeforeEach;
@@ -169,6 +175,32 @@ public void c1DoScanTestOnPrimitiveType() throws IOException {
169175
runScanOnParams(params);
170176
}
171177

178+
@Test
179+
public void scanXzCompressedAvroFile() throws IOException {
180+
Map<String, String> params = createScanTestParams();
181+
File sourceFile = new File(params.get("data_file_path"));
182+
File xzFile = File.createTempFile("starrocks-hive-reader-", ".avro");
183+
try {
184+
writeXzCompressedAvroFile(sourceFile, xzFile);
185+
params.put("data_file_path", xzFile.getPath());
186+
params.put("block_length", String.valueOf(xzFile.length()));
187+
runScanOnParams(params);
188+
} finally {
189+
Assertions.assertTrue(xzFile.delete(), "Failed to delete temporary Avro file");
190+
}
191+
}
192+
193+
private void writeXzCompressedAvroFile(File sourceFile, File targetFile) throws IOException {
194+
try (DataFileReader<GenericRecord> reader = new DataFileReader<>(sourceFile, new GenericDatumReader<>());
195+
DataFileWriter<GenericRecord> writer = new DataFileWriter<>(new GenericDatumWriter<>())) {
196+
writer.setCodec(CodecFactory.xzCodec(6));
197+
writer.create(reader.getSchema(), targetFile);
198+
while (reader.hasNext()) {
199+
writer.append(reader.next());
200+
}
201+
}
202+
}
203+
172204
@Test
173205
public void complexTypeTest() throws Exception {
174206
Map<String, String> params = createComplexTypeScanTestParams();

java-extensions/pom.xml

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -625,6 +625,10 @@
625625
<exclude>com.fasterxml.jackson.jaxrs:*:[,2.15.0)</exclude>
626626
<!-- commons-lang3 below 3.18.0 is affected by CVE-2025-48924 -->
627627
<exclude>org.apache.commons:commons-lang3:[,3.18.0)</exclude>
628+
<!-- ships jquery 1.4.2 (CVE-2011-4969 etc.); only avro-mapred's
629+
unused tether feature references it -->
630+
<exclude>org.apache.avro:avro-ipc</exclude>
631+
<exclude>org.apache.avro:avro-ipc-jetty</exclude>
628632
</excludes>
629633
</bannedDependencies>
630634
</rules>

0 commit comments

Comments
 (0)