Full table and namespace property maps are mirrored into BigQuery metadata

[rdblue]

This issue was reported to the private Apache Iceberg security mailing list. The submitter is being kept anonymous because the report was sent to a private list. After review, the issue is not considered a serious vulnerability that needs to be kept private, so it is being filed publicly here for tracking and resolution.

Note: this submission was generated by AI. Please review its claims and source references carefully before acting on them.

Summary

The BigQuery catalog mirrors full table and namespace property maps
into BigQuery metadata, duplicating any sensitive properties into a
broader control plane.

Affected Maven coordinates

• primary shipped client artifact: org.apache.iceberg:iceberg-bigquery

Attacker prerequisites

• access to the affected metadata, table-option, or row-return surface
• a deployment where that surface is visible to callers who are not
  meant to receive the widened data or secret set

Impact

• Secret-bearing or internal-only properties can become visible to any
  principal that can read the BigQuery table or dataset resource.
• Even when operators already understand that Iceberg metadata JSON
  contains table properties, this code broadens the blast radius by
  duplicating the data into a separate permission domain.
• Error handling can further widen exposure by serializing full table
  objects into exception messages.

Proof status

I reproduced this locally with a targeted reproducer or exploit.
The observed result matches the trigger and impact described above.

Key source references

• org.apache.iceberg.gcp.bigquery.BigQueryTableOperations
• org.apache.iceberg.gcp.bigquery.BigQueryMetastoreCatalog
• org.apache.iceberg.gcp.bigquery.BigQueryMetastoreUtils
• org.apache.iceberg.gcp.bigquery.BigQueryMetastoreClientImpl
• org.apache.iceberg.BaseMetastoreCatalog

[rdblue]

This isn't very clear, but it sounds like the issue is that properties are sent to BigQuery, even though BigQuery presumably has access to those properties anyway. This is not saying (if I'm reading it correctly) that namespace properties are copied into tables. Looks to me like this may be a leak of "internal" but not security properties (which shouldn't be in namespace or table properties).

This may be a bad idea, but it isn't a vulnerability. I'm going to remove the security label.

[RussellSpitzer]

I'm not sure why this is specific to big query, this sounds like behavior we have in the HiveCatalog since almost day one of the Iceberg project. Iceberg properties are put inside the Hive Catalog and a principle of the Hive Catalog who can read the Iceberg table object can read those properties. I'm not sure what there is to change here ... maybe the namespace properties?

[rdblue]

I also thought that this sounds like exactly what Hive does. I'll close this since it is likely the intended behavior.