mayankshriv commented on issue #7310: URL: https://github.com/apache/pinot/issues/7310#issuecomment-899851895
Definitely a good idea to add a config to disable Groovy scripts in SQL statements. However, we should survey the use cases and the usage model before deciding the default value (ON vs OFF). I vote for keeping the current behavior and only disabling it when explicitly specified. My reasoning is that the more common case is not prone to this issue:

- Most Pinot deployments do not expose a free-form SQL endpoint to their external users. In almost all cases, the SQL is generated within the org that is running Pinot.
- Typically, there's a data model between the external user and the data store. Most such attacks would be stopped right by the data model by not allowing any way for the user to create such a SQL query.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
