AVRO-3985: adding default serializable pacakge to trusted package list

abhilakshyadobhal · abhilakshyadobhal · commit 68e94213f5b1 · 2025-03-11T19:49:49.000+05:30
diff --git a/lang/java/avro/src/main/java/org/apache/avro/specific/SpecificDatumReader.java b/lang/java/avro/src/main/java/org/apache/avro/specific/SpecificDatumReader.java
@@ -41,38 +41,37 @@ public class SpecificDatumReader<T> extends GenericDatumReader<T> {
 
     String userDefinedPackages = System.getProperty("org.apache.avro.SERIALIZABLE_PACKAGES", "");
 
-    // Combine the user-defined packages (if any) with the default packages.
-    String combined = userProp.isEmpty() ? defaultPackages : userProp + "," + defaultPackages;
+    if ("*".equals(userDefinedPackages)) {
+        SERIALIZABLE_PACKAGES = new String[]{"*"};
+    } else {
+        String combinedPackages = userDefinedPackages.isEmpty() ? defaultPackages : userDefinedPackages + "," + defaultPackages;
 
-    SERIALIZABLE_PACKAGES = Arrays.stream(combined.split(","))
-                                  .distinct()
-                                  .toArray(String[]::new);
+        SERIALIZABLE_PACKAGES = Arrays.stream(combinedPackages.split(","))
+                                      .distinct()
+                                      .toArray(String[]::new);
+    }
   }
 
   private final List<String> trustedPackages = new ArrayList<>();
 
   public SpecificDatumReader() {
     this(null, null, SpecificData.get());
-    initializeTrustedPackages();
   }
 
   /** Construct for reading instances of a class. */
   public SpecificDatumReader(Class<T> c) {
     this(SpecificData.getForClass(c));
     setSchema(getSpecificData().getSchema(c));
-    initializeTrustedPackages();
   }
 
   /** Construct where the writer's and reader's schemas are the same. */
   public SpecificDatumReader(Schema schema) {
     this(schema, schema, SpecificData.getForSchema(schema));
-    initializeTrustedPackages();
   }
 
   /** Construct given writer's and reader's schema. */
   public SpecificDatumReader(Schema writer, Schema reader) {
     this(writer, reader, SpecificData.getForSchema(reader));
-    initializeTrustedPackages();
   }
 
   /**
@@ -91,17 +90,8 @@ public SpecificDatumReader(SpecificData data) {
 
   /**
    * Initializes the {@code trustedPackages} list with the package names considered safe for deserialization.
-   *
-   * <p>This method populates the {@code trustedPackages} list using the static array {@code SERIALIZABLE_PACKAGES},
-   * which is initialized from the system property {@code org.apache.avro.SERIALIZABLE_PACKAGES} combined with
-   * default trusted packages. By doing so, it ensures that both user-defined and default packages are included,
-   * and any duplicate entries are avoided.</p>
-   *
-   * <p>Before adding the packages, the list is cleared to prevent duplicate entries if this method is invoked
-   * multiple times, ensuring that the list remains consistent and up-to-date across all instances.</p>
    */
   private void initializeTrustedPackages() {
-    trustedPackages.clear();
     trustedPackages.addAll(Arrays.asList(SERIALIZABLE_PACKAGES));
   }
 
