Including class names in serialized JSON makes me nervous. It is a common 
attack surface. Could we, say, include the name of the enum (without package 
name) and map it to a list of supported Enums?

> On Jun 8, 2021, at 9:20 AM, Konstantin Orlov <kor...@gridgain.com> wrote:
> 
> Hi, folks!
> 
> We have a problem with Spool node deserialisation. Currently it explains both 
> readType and writeType fields as Enum,
> thus those fields are serialized as a map:
> 
>      {
>         "id":"2",
>         "relOp":"MyTableSpool",
>         "readType":{
>            "class":"org.apache.calcite.rel.core.Spool$Type",
>            "name":"LAZY"
>         },
>         "writeType":{
>            "class":"org.apache.calcite.rel.core.Spool$Type",
>            "name":"EAGER"
>         }
>      }
> 
> When deserializing, we use RelInput#getEnum which expects the provided tag 
> being a string value representing the enum's value name.
> 
> Should we follow the way used for serialization of JoinRelType within the 
> Join node (serialize the enum value as its name in lower case)? Here is 
> an example:
> 
>      {
>         "id":"4",
>         "relOp":"MyJoin",
>         "condition":{
>            "op":{
>               "name":">",
>               "kind":"SqlKind#GREATER_THAN",
>               "syntax":"SqlSyntax#BINARY"
>            },
>            "operands":[
>               {
>                  "input":1,
>                  "name":"$1"
>               },
>               {
>                  "input":4,
>                  "name":"$4"
>               }
>            ]
>         },
>         "joinType":"inner",
>         "variablesSet":[0],
>         "correlationVariables":[0],
>         "inputs":["0","3"]
>      }
> 
> Or it's better to get the RelInput being able to deserialize enum represented 
> as map as well?
> 
> Personally I prefer the first option cause the type of the enum is known for 
> sure, so it's better not to waste the time to (de-)serialize it.
> 
> 
> -- 
> Regards,
> Konstantin Orlov
> 
> 
> 
> 
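
An added example (not part of the thread and not Calcite code): one way to implement the mapping suggested in the reply, where the JSON carries only a short enum name that is looked up in a fixed list of supported enums, so no class name from the input is ever loaded. `EnumAllowlistDemo`, `SpoolType`, `JoinType` and `resolve` are hypothetical names; Java 9+ is assumed for `Map.of`.

```java
import java.util.Locale;
import java.util.Map;

/** Added illustration: resolve enums from JSON by short name against a fixed allowlist. */
public class EnumAllowlistDemo {
  // Hypothetical stand-ins for the enum types mentioned in the thread.
  enum SpoolType { EAGER, LAZY }
  enum JoinType { INNER, LEFT, RIGHT, FULL }

  // Only enums listed here can ever be produced; input never reaches Class.forName.
  private static final Map<String, Class<? extends Enum<?>>> SUPPORTED = Map.of(
      "SpoolType", SpoolType.class,
      "JoinType", JoinType.class);

  /** Resolves a (short enum name, constant name) pair; rejects anything not allowlisted. */
  static Enum<?> resolve(String shortName, String constant) {
    if (shortName == null || constant == null) {
      throw new IllegalArgumentException("enum name and constant are required");
    }
    Class<? extends Enum<?>> type = SUPPORTED.get(shortName);
    if (type == null) {
      throw new IllegalArgumentException("unsupported enum: " + shortName);
    }
    // Accept both "inner" (lower-case style) and "INNER".
    String wanted = constant.toUpperCase(Locale.ROOT);
    for (Enum<?> value : type.getEnumConstants()) {
      if (value.name().equals(wanted)) {
        return value;
      }
    }
    throw new IllegalArgumentException("no constant " + constant + " in " + shortName);
  }

  public static void main(String[] args) {
    System.out.println(resolve("SpoolType", "LAZY"));
    System.out.println(resolve("JoinType", "inner"));
    try {
      // A fully qualified class name, as in the map form quoted above, is refused.
      resolve("org.apache.calcite.rel.core.Spool$Type", "LAZY");
    } catch (IllegalArgumentException e) {
      System.out.println("rejected: " + e.getMessage());
    }
  }
}
```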
