feat: disable Parquet by default (breaking change) (#9920)

I have built a fuzz test and it crashes heavily in seconds and will OOM shortly after. It seems like supporting Parquet is basically a completely open way to crash the server if you can upload a file and run s3 select on it. Until Parquet is more hardened it is DISABLED by default since hostile crafted input can easily crash the server. If you are in a controlled environment where it is safe to assume no hostile content can be uploaded to your cluster you can safely enable Parquet. To enable Parquet set the environment variable `MINIO_API_SELECT_PARQUET=on` while starting the MinIO server. Furthermore, we guard parquet by recover functions.
2025-11-11 22:40:14 -05:00 · 2020-08-18 10:23:28 -07:00
parent d2a3f92452
commit adca28801d
4 changed files with 33 additions and 2 deletions
--- a/pkg/s3select/parquet/reader.go
+++ b/pkg/s3select/parquet/reader.go
@@ -17,6 +17,7 @@
 package parquet

 import (
+	"fmt"
 	"io"

 	"github.com/bcicen/jstream"
@@ -34,6 +35,12 @@ type Reader struct {

 // Read - reads single record.
 func (r *Reader) Read(dst sql.Record) (rec sql.Record, rerr error) {
+	defer func() {
+		if rec := recover(); rec != nil {
+			rerr = fmt.Errorf("panic reading parquet record: %v", rec)
+		}
+	}()
+
 	parquetRecord, err := r.reader.Read()
 	if err != nil {
 		if err != io.EOF {
@@ -92,7 +99,12 @@ func (r *Reader) Close() error {
 }

 // NewReader - creates new Parquet reader using readerFunc callback.
-func NewReader(getReaderFunc func(offset, length int64) (io.ReadCloser, error), args *ReaderArgs) (*Reader, error) {
+func NewReader(getReaderFunc func(offset, length int64) (io.ReadCloser, error), args *ReaderArgs) (r *Reader, err error) {
+	defer func() {
+		if rec := recover(); rec != nil {
+			err = fmt.Errorf("panic reading parquet header: %v", rec)
+		}
+	}()
 	reader, err := parquetgo.NewReader(getReaderFunc, nil)
 	if err != nil {
 		if err != io.EOF {