Updated SpecificDatumReader.java

abhilakshyadobhal · web-flow · commit 0da2588bcfae · 2025-03-08T18:12:12.000+05:30
initialize trusted package in every constructor
diff --git a/lang/java/avro/src/main/java/org/apache/avro/specific/SpecificDatumReader.java b/lang/java/avro/src/main/java/org/apache/avro/specific/SpecificDatumReader.java
@@ -45,37 +45,55 @@ public class SpecificDatumReader<T> extends GenericDatumReader<T> {
 
   public SpecificDatumReader() {
     this(null, null, SpecificData.get());
+    initializeTrustedPackages();
   }
 
   /** Construct for reading instances of a class. */
   public SpecificDatumReader(Class<T> c) {
     this(SpecificData.getForClass(c));
     setSchema(getSpecificData().getSchema(c));
+    initializeTrustedPackages();
   }
 
   /** Construct where the writer's and reader's schemas are the same. */
   public SpecificDatumReader(Schema schema) {
     this(schema, schema, SpecificData.getForSchema(schema));
+    initializeTrustedPackages();
   }
 
   /** Construct given writer's and reader's schema. */
   public SpecificDatumReader(Schema writer, Schema reader) {
     this(writer, reader, SpecificData.getForSchema(reader));
+    initializeTrustedPackages();
   }
 
   /**
    * Construct given writer's schema, reader's schema, and a {@link SpecificData}.
    */
   public SpecificDatumReader(Schema writer, Schema reader, SpecificData data) {
     super(writer, reader, data);
-    trustedPackages.addAll(Arrays.asList(SERIALIZABLE_PACKAGES));
+    initializeTrustedPackages();
   }
 
   /** Construct given a {@link SpecificData}. */
   public SpecificDatumReader(SpecificData data) {
     super(data);
+    initializeTrustedPackages();
   }
-
+  
+  /**
+  * Initializes the trusted packages list by adding values from the system property
+  * `org.apache.avro.SERIALIZABLE_PACKAGES`. This ensures that all constructors 
+  * of `SpecificDatumReader` correctly populate the `trustedPackages` list.
+  * 
+  * Without this initialization, certain constructors may not add the expected 
+  * packages to the trusted list, leading to security check failures when deserializing 
+  * objects from custom packages.
+  */
+  private void initializeTrustedPackages() {
+      trustedPackages.addAll(Arrays.asList(SERIALIZABLE_PACKAGES));
+  }
+  
   /** Return the contained {@link SpecificData}. */
   public SpecificData getSpecificData() {
     return (SpecificData) getData();
