[GitHub] [airflow] barrysteyn commented on issue #34093: The allowed_deserialization_classes regex is broken

Tue, 05 Sep 2023 07:52:17 -0700 


barrysteyn commented on issue #34093:
URL: https://github.com/apache/airflow/issues/34093#issuecomment-1706773954

   Thanks @potiuk. The ultimate aim of `allowed_deserialization_classes` is 
provide protection against unexpected class deserialization. Using a regex is 
goes against that - as @bolkedebruin pointed out, you can have unexpected 
results and end up allowing things you didn't want. However, I am guessing one 
of the things that @bolkedebruin wanted to do was to switch things off 
completely by allowing the regex `.*` which would match everything.
   
   That said, I think we should do the following:
    1. If `allowed_deserialization_classes` is None, then operate as per normal 
(which would be not to allow cusomt class deserialization)
    2. If `allowed_deserialization_classes` is `''` (empty string), turn the 
feature off (I am still not sure how useful this feature is, but I bet there 
are lots of people who would like to turn it off).
    3. If `allowed_deserialization_classes` has strings in it, then use 
[fnmatch](https://docs.python.org/3/library/fnmatch.html#fnmatch.filter) to do 
(as you suggest) a **glob** like pattern matching search.
    4. Do not do any regex matching (and since #28829, this feature has been 
broken and so I don't think it is used much - except maybe to turn things off)
   
   A note on (4) above: I do not advocate for trying string match, then glob 
match and then regex. This is way too complex for what is aimed at securing the 
system. It opens up a can of worms. Rather, let's just use `fnmatch` if we need 
to match. And... we need to vastly improve the documentation:
    1. Remove cryptic comments like `Bare “.” will be replaced so you can set 
airflow*` - I am a first language English speaker and I have no idea what that 
implies.
    2. State that `allowed_deserialization_classes`  is just a space separated 
string that will be used with `split()` to make lists.
    3. Give the rules as I mention above (`None` will enforce things,  `''` 
will stop enforcement, all other strings will be split and matched with 
`fnmatch`)
   
   What do you think? 


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscr...@airflow.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

Reply via email to