ashb commented on code in PR #45562:
URL: https://github.com/apache/airflow/pull/45562#discussion_r1917133923


##########
airflow/serialization/serialized_objects.py:
##########
@@ -297,6 +306,25 @@ def decode_asset_condition(var: dict[str, Any]) -> 
BaseAsset:
     raise ValueError(f"deserialization not implemented for DAT {dat!r}")
 
 
+def decode_asset(var: dict[str, Any]) -> BaseAsset:
+    """
+    Decode a previously serialized asset.
+
+    :meta private:
+    """
+
+    def _decode_trigger(trigger_infos: dict[str, Any]) -> BaseTrigger:
+        return 
import_string(trigger_infos["classpath"])(**trigger_infos["kwargs"])
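Review bot: `_decode_trigger` imports and instantiates whatever `trigger_infos["classpath"]` names, with whatever `trigger_infos["kwargs"]` contains, and both values come straight out of the serialized dict, so the serialized DAG alone decides which class is imported and called with which arguments. Resolve the classpath against an explicit registry or allow-list of known trigger classes rather than calling `import_string` on it, and at minimum check `issubclass(cls, BaseTrigger)` before calling `cls(**kwargs)` and reject `kwargs` that is not a dict of string keys; an unknown classpath should fail with the same `ValueError` style the surrounding decoder uses for an unknown DAT. The `-> BaseTrigger` return annotation enforces nothing here.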

Review Comment:
   I don't like that this will blindly import the string it's given, and 
instantiate the class. This feels like a massive security incident waiting to 
happen. Serialized DAG is not to be trusted.
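The concern above, as an added example that is not part of the pull request or of Airflow's code: the import-by-name pattern from the hunk beside a decoder that only lets serialized data select among trigger classes registered in advance. `BaseTrigger`, `import_string`, `TimeDeltaTrigger` and the `ALLOWED_TRIGGERS` registry are stand-ins constructed for this file so that it runs without Airflow installed.

```python
"""
Added example (not Airflow's code): a guarded alternative to importing and
instantiating an arbitrary "classpath" taken from serialized data.

Assumptions (constructed for illustration): a BaseTrigger base class, one
trigger subclass, a stand-in for import_string, and a registry of classes the
deployment explicitly allows. Airflow's real base class and import_string
live in airflow.triggers.base and airflow.utils.module_loading.
"""
from __future__ import annotations

import importlib
from typing import Any


class BaseTrigger:
    """Stand-in for airflow.triggers.base.BaseTrigger."""

    def __init__(self, **kwargs: Any) -> None:
        self.kwargs = kwargs


class TimeDeltaTrigger(BaseTrigger):
    """Constructed trigger class; the only one the registry below allows."""

    def __init__(self, delta_seconds: int) -> None:
        super().__init__(delta_seconds=delta_seconds)
        self.delta_seconds = delta_seconds


def import_string(dotted_path: str) -> Any:
    """Minimal stand-in for airflow.utils.module_loading.import_string."""
    module_path, _, attr = dotted_path.rpartition(".")
    return getattr(importlib.import_module(module_path), attr)


def classpath_of(cls: type) -> str:
    """Dotted path of a class, as a serializer would record it."""
    return f"{cls.__module__}.{cls.__qualname__}"


def decode_trigger_unsafe(trigger_infos: dict[str, Any]) -> Any:
    """The pattern from the hunk: the serialized dict picks the class and args."""
    return import_string(trigger_infos["classpath"])(**trigger_infos["kwargs"])


# Hardened variant: the serialized data may only *select* among classes the
# deployment registered ahead of time; it can never trigger a new import.
ALLOWED_TRIGGERS: dict[str, type[BaseTrigger]] = {
    classpath_of(TimeDeltaTrigger): TimeDeltaTrigger,
}


class UntrustedTriggerError(ValueError):
    """Raised when a serialized trigger entry is malformed or not allow-listed."""


def decode_trigger_safe(trigger_infos: dict[str, Any]) -> BaseTrigger:
    """Instantiate a trigger only if its classpath is registered and its kwargs are sane."""
    classpath = trigger_infos.get("classpath")
    kwargs = trigger_infos.get("kwargs", {})
    if not isinstance(classpath, str) or not isinstance(kwargs, dict):
        raise UntrustedTriggerError("malformed trigger entry")
    cls = ALLOWED_TRIGGERS.get(classpath)
    if cls is None:
        raise UntrustedTriggerError(f"trigger class not allow-listed: {classpath!r}")
    # Belt and braces: even a registry entry must be a trigger subclass.
    if not (isinstance(cls, type) and issubclass(cls, BaseTrigger)):
        raise UntrustedTriggerError(f"{classpath!r} is not a BaseTrigger subclass")
    if any(not isinstance(key, str) for key in kwargs):
        raise UntrustedTriggerError("kwargs keys must be strings")
    return cls(**kwargs)


if __name__ == "__main__":
    # Constructed serialized entries: one legitimate, one naming a class that
    # is importable but is not a trigger at all.
    good = {"classpath": classpath_of(TimeDeltaTrigger), "kwargs": {"delta_seconds": 5}}
    other = {"classpath": "json.JSONDecoder", "kwargs": {}}
    print(type(decode_trigger_unsafe(other)).__name__)   # instantiated anyway
    print(type(decode_trigger_safe(good)).__name__)
    try:
        decode_trigger_safe(other)
    except UntrustedTriggerError as exc:
        print("rejected:", exc)
```

The unsafe function happily builds a `json.JSONDecoder` because nothing ties the serialized classpath to the set of triggers the scheduler is meant to run; the allow-listed decoder turns the same input into a `ValueError` subclass, which is the failure mode the rest of the deserializer already uses for unknown entries.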



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
