diff --git a/README.md b/README.md index 70f2f158e2f4..0735dae57cdc 100644 --- a/README.md +++ b/README.md @@ -42,7 +42,7 @@ This is a great place to meet other contributors and get guidance on where to co However, all technical designs should also be recorded and formalized in GitHub issues, so that they are accessible to everyone. In Slack, find us in the `#arrow-rust` channel and feel free to ask for an invite via Discord, GitHub issues, or other means. -There is more information in the [contributing] guide. +There is more information in the [contributing] guide and the [security] policy. ## Repository Structure @@ -186,3 +186,4 @@ You can find more details about each crate in their respective READMEs. [issues]: https://github.com/apache/arrow-rs/issues [pull requests]: https://github.com/apache/arrow-rs/pulls [discussions]: https://github.com/apache/arrow-rs/discussions +[security]: SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000000..d10bbb0a24c3 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,83 @@ + + +# Security Policy + +This document outlines the security model for the Rust implementation of Apache Arrow (`arrow-rs`) and how to report vulnerabilities. + +## Security Model + +The `arrow-rs` project follows the [Apache Arrow Security Model]. In particular: + +- Reading data from untrusted sources (e.g., over a network or from a file) requires explicit validation. +- Failure to validate untrusted data before use may lead to security issues. + +This implementation provides APIs such as [`ArrayData::validate_full`] to +validate that Arrow data conforms to the specification. + +Unexpected behavior (e.g., panics, crashes, or infinite loops) triggered by +malformed input is generally considered a **bug**, not a security +vulnerability, unless it is **exploitable** and could allow an attacker to + +* Execute arbitrary code (Remote Code Execution); +* Exfiltrate sensitive information from process memory (Information Disclosure); + +If that exploitation path is unclear, the issue should likely be reported as a +bug. + +## Rust Safety, Soundness, and Undefined Behavior + +Rust has a very [specific definition of unsafe]. When unsafe behavior results +from using safe code, the code is unsound and can lead to undefined behavior +(UB), which may be exploitable. + +However, not all soundness issues are exploitable. In general, issues that +result in undefined behavior using safe APIs are considered bugs unless they +meet the exploitability bar defined above. + +We therefore avoid classifying all unsoundness bugs as security +vulnerabilities (e.g. filing [RUSTSEC] and/or [CVE] advisories), which helps +avoid unnecessary downstream churn and keeps our focus on the most critical issues. + +[specific definition of unsafe]: https://doc.rust-lang.org/book/ch20-01-unsafe-rust.html +[rustsec]: https://rustsec.org/ +[cve]: https://cve.mitre.org/ + +## Reporting a Bug + +We treat all bugs seriously and welcome help fixing them. If you find a bug +that does not meet the criteria for a security vulnerability, please report it +in the public issue tracker. + +## Reporting a Vulnerability + +For security vulnerabilities, please follow the responsible disclosure process +below so we can investigate and fix the issue before it is exploited in the +wild. + +**Do not file a public issue.** Follow the [ASF security reporting process] by emailing [security@apache.org](mailto:security@apache.org). + +Include in your report: +- A clear description and minimal reproducer. +- Affected crates and versions. +- Potential impact. + +[Apache Arrow Security Model]: https://arrow.apache.org/docs/dev/format/Security.html +[`ArrayData::validate_full`]: https://docs.rs/arrow/latest/arrow/array/struct.ArrayData.html#method.validate_full +[ASF security reporting process]: https://www.apache.org/security/#reporting-a-vulnerability diff --git a/arrow-avro/README.md b/arrow-avro/README.md index c5776c125b0a..dbc1e1760ea3 100644 --- a/arrow-avro/README.md +++ b/arrow-avro/README.md @@ -212,9 +212,11 @@ async fn main() -> anyhow::Result<()> { * **Confluent Schema Registry wire format**: 1‑byte magic `0x00` + 4‑byte BE schema ID + Avro body; supports decode + encode helpers. * **Avro Single‑Object Encoding (SOE)**: 2‑byte magic `0xC3 0x01` + 8‑byte LE CRC‑64‑AVRO fingerprint + Avro body; supports decode + encode helpers. ---- +## Security + +See the [Security Policy] for information on the security model and how to report vulnerabilities. -## Examples +[Security Policy]: https://github.com/apache/arrow-rs/blob/main/SECURITY.md * Read/write OCF in memory and from files (see crate docs “OCF round‑trip”). * Confluent wire‑format and SOE quickstarts are provided as runnable snippets in docs. diff --git a/arrow-csv/README.md b/arrow-csv/README.md new file mode 100644 index 000000000000..bd1f5c9787fc --- /dev/null +++ b/arrow-csv/README.md @@ -0,0 +1,33 @@ + + +# `arrow-csv` + +Support for reading and writing CSV files to and from [Apache Arrow]. + +See the [main repository README] and the [API documentation] for more details. + +## Security + +See the [Security Policy] for information on the security model and how to report vulnerabilities. + +[Apache Arrow]: https://arrow.apache.org/ +[main repository README]: https://github.com/apache/arrow-rs +[API documentation]: https://docs.rs/arrow-csv/latest +[Security Policy]: https://github.com/apache/arrow-rs/blob/main/SECURITY.md diff --git a/arrow-flight/README.md b/arrow-flight/README.md index 1cd8f5cfe21b..49bf5a12b003 100644 --- a/arrow-flight/README.md +++ b/arrow-flight/README.md @@ -81,4 +81,9 @@ $ flight_sql_client --host example.com statement-query "SELECT 1;" +----------+ ``` +## Security + +See the [Security Policy] for information on the security model and how to report vulnerabilities. + [apache arrow flightsql]: https://arrow.apache.org/docs/format/FlightSql.html +[security policy]: https://github.com/apache/arrow-rs/blob/main/SECURITY.md diff --git a/arrow-ipc/README.md b/arrow-ipc/README.md new file mode 100644 index 000000000000..6b60ec2ba26b --- /dev/null +++ b/arrow-ipc/README.md @@ -0,0 +1,34 @@ + + +# `arrow-ipc` + +Support for reading and writing files and streams in the [Arrow IPC Format] to and from [Apache Arrow]. + +See the [main repository README] and the [API documentation] for more details. + +## Security + +See the [Security Policy] for information on the security model and how to report vulnerabilities. + +[Apache Arrow]: https://arrow.apache.org/ +[Arrow IPC Format]: https://arrow.apache.org/docs/format/Columnar.html#format-ipc +[main repository README]: https://github.com/apache/arrow-rs +[API documentation]: https://docs.rs/arrow-ipc/latest +[Security Policy]: https://github.com/apache/arrow-rs/blob/main/SECURITY.md diff --git a/arrow-json/README.md b/arrow-json/README.md new file mode 100644 index 000000000000..4057fd84c5bb --- /dev/null +++ b/arrow-json/README.md @@ -0,0 +1,33 @@ + + +# `arrow-json` + +Support for reading and writing JSON to and from [Apache Arrow]. + +See the [main repository README] and the [API documentation] for more details. + +## Security + +See the [Security Policy] for information on the security model and how to report vulnerabilities. + +[Apache Arrow]: https://arrow.apache.org/ +[main repository README]: https://github.com/apache/arrow-rs +[API documentation]: https://docs.rs/arrow-json/latest +[Security Policy]: ../SECURITY.md diff --git a/arrow/README.md b/arrow/README.md index 7c55932d2f3e..4c084553659f 100644 --- a/arrow/README.md +++ b/arrow/README.md @@ -76,6 +76,25 @@ The `arrow` crate provides the following features which may be enabled in your ` The [Apache Arrow Status](https://arrow.apache.org/docs/status.html) page lists which features of Arrow this crate supports. + +## Security + +`arrow-rs` follows the [Apache Arrow Security Model]. + +Unexpected behavior (e.g., panics, crashes, or infinite loops) triggered by +malformed input, and instances of undefined behavior (UB) triggered via safe +APIs are considered bugs rather than security vulnerabilities unless they are exploitable +by an attacker to + +* Execute arbitrary code (Remote Code Execution); +* Exfiltrate sensitive information from process memory (Information Disclosure); + +We welcome your help in fixing such bugs and security issues. See our +[Security Policy] for reporting. + +[Apache Arrow Security Model]: https://arrow.apache.org/docs/dev/format/Security.html +[Security Policy]: https://github.com/apache/arrow-rs/blob/main/SECURITY.md + ## Safety Arrow seeks to uphold the Rust Soundness Pledge as articulated eloquently [here](https://raphlinus.github.io/rust/2020/01/18/soundness-pledge.html). Specifically: diff --git a/arrow/src/lib.rs b/arrow/src/lib.rs index f9b0c717f0b3..48ab42e84c3d 100644 --- a/arrow/src/lib.rs +++ b/arrow/src/lib.rs @@ -335,14 +335,34 @@ //! * [`parquet`](https://docs.rs/parquet) - support for [Apache Parquet] //! * [`arrow-avro`](https://docs.rs/arrow-avro) - support for [Apache Avro] //! -//! # Safety and Security +//! # Security //! -//! Like many crates, this crate makes use of unsafe where prudent. However, it endeavours to be -//! sound. Specifically, **it should not be possible to trigger undefined behaviour using safe APIs.** +//! This project follows the [Apache Arrow Security Model]. //! -//! If you think you have found an instance where this is possible, please file -//! a ticket in our [issue tracker] and it will be triaged and fixed. For more information on -//! arrow's use of unsafe, see [here](https://github.com/apache/arrow-rs/tree/main/arrow#safety). +//! Unexpected behavior (e.g., panics, crashes, or infinite loops) triggered by +//! malformed input is considered a **bug**, not a security vulnerability, +//! unless it is **exploitable** by an attacker to +//! +//! * Execute arbitrary code (Remote Code Execution); +//! * Exfiltrate sensitive information from process memory (Information Disclosure); +//! +//! If you think you have found a security vulnerability, please follow the +//! reporting instructions in the [security policy]. +//! +//! [security policy]: https://github.com/apache/arrow-rs/blob/main/SECURITY.md +//! +//! # Safety +//! +//! Like many crates, this crate makes use of `unsafe` where prudent. However, it endeavors to be +//! sound. Specifically, **it should not be possible to trigger undefined behavior using safe APIs.** +//! +//! Undefined behavior using safe APIs is considered a bug, not a security +//! vulnerability, unless it can be exploited. Please see the [security policy] +//! for details. +//! +//! For more information on the use of `unsafe`, see [here](https://github.com/apache/arrow-rs/tree/main/arrow#safety). +//! +//! [Apache Arrow Security Model]: https://arrow.apache.org/docs/dev/format/Security.html //! //! # Higher-level Processing //! diff --git a/parquet/README.md b/parquet/README.md index 9e4e91d85d73..8fb48856fe79 100644 --- a/parquet/README.md +++ b/parquet/README.md @@ -79,6 +79,12 @@ information on the status of this implementation. [implementation status page]: https://parquet.apache.org/docs/file-format/implementationstatus/ [apache parquet]: https://parquet.apache.org/ +## Security + +See the [Security Policy] for information on the security model and how to report vulnerabilities. + +[security policy]: https://github.com/apache/arrow-rs/blob/main/SECURITY.md + ## License Licensed under the Apache License, Version 2.0: . diff --git a/parquet_derive/README.md b/parquet_derive/README.md index 783c71abd599..6423fa5a51d3 100644 --- a/parquet_derive/README.md +++ b/parquet_derive/README.md @@ -144,6 +144,12 @@ To compile and test doctests, run `cargo test --doc -- --show-output` To build documentation, run `cargo doc --no-deps`. To compile and view in the browser, run `cargo doc --no-deps --open`. +## Security + +See the [Security Policy] for information on the security model and how to report vulnerabilities. + +[Security Policy]: https://github.com/apache/arrow-rs/blob/main/SECURITY.md + ## License -Licensed under the Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0. \ No newline at end of file +Licensed under the Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.