dstandish commented on PR #26735:
URL: https://github.com/apache/airflow/pull/26735#issuecomment-1260359127

   >  but if we were to do that for any custom types, it may be easier to use a 
custom serialiser pattern instead, similar to how json.dumps handles this. A 
plugin can provide a set of serialise/deserialise hooks that would be called 
for any unknown object encountered by the (de)serialiser.
   
   can you add more detail? i'm interested in what you're talking about but 
don't follow.
   
   separately, concerning security risks... perhaps we need to be specific 
about the context.  suppose we allow custom serialization in the xcom context, 
not in the base serialization code which is used in many places.  if someone 
wanted to do something malicious, and they had the ability to write a task that 
sent this malicious object through xcom, why would they need to bother sending 
it through xcom -- they could do whatever malicious work they wanted in the 
task itself?  we're not talking about e.g. taking user input strings from the 
web UI for example... and if it's just in the task execution context, it's not 
run in the scheduler or webserver.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

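The hook pattern quoted at the top of the comment (a plugin registers serialise/deserialise hooks that the JSON (de)serialiser calls only for objects it cannot handle itself) is illustrated below. This is an added example, not code from dstandish, from the PR, or from Airflow; the names `register`, `dumps`, `loads`, `roundtrip`, `Money` and the `__type__`/`__data__` tag keys are assumptions made for the illustration. The decoder side deliberately resolves a tag only against decoders registered in-process and refuses anything else, so the serialised payload can never name a module or class to import; that is the property that separates this from pickle-style deserialisation, and it matters for exactly the question the comment raises about where custom serialisation is allowed to run.

```python
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Any, Callable, Dict, Tuple

# Hypothetical plugin registry: tag -> (python type, encode hook, decode hook).
# The tag is what gets written into the JSON; the type is what the encoder
# dispatches on when json.dumps meets an object it cannot serialise natively.
_REGISTRY: Dict[str, Tuple[type, Callable[[Any], Any], Callable[[Any], Any]]] = {}

TAG_KEY = "__type__"
DATA_KEY = "__data__"


def register(tag: str, cls: type, encode: Callable[[Any], Any], decode: Callable[[Any], Any]) -> None:
    """A plugin calls this at import time to add hooks for one custom type."""
    if tag in _REGISTRY:
        raise ValueError(f"tag {tag!r} already registered")
    _REGISTRY[tag] = (cls, encode, decode)


def _default(obj: Any) -> Any:
    # json.dumps calls this only for objects it has no built-in encoding for.
    for tag, (cls, encode, _decode) in _REGISTRY.items():
        if isinstance(obj, cls):
            return {TAG_KEY: tag, DATA_KEY: encode(obj)}
    raise TypeError(f"no serialiser registered for {type(obj).__name__}")


def _object_hook(d: dict) -> Any:
    # json.loads calls this for every decoded dict, innermost first; only dicts
    # that look like a tagged envelope are touched, everything else passes through.
    if d.keys() != {TAG_KEY, DATA_KEY}:
        return d
    entry = _REGISTRY.get(d[TAG_KEY])
    if entry is None:
        # Allowlist semantics: an unknown tag is an error. The payload is never
        # used to locate code (no importing a dotted path taken from the data).
        raise ValueError(f"unknown tag {d[TAG_KEY]!r}")
    _cls, _encode, decode = entry
    return decode(d[DATA_KEY])


def dumps(value: Any) -> str:
    return json.dumps(value, default=_default)


def loads(text: str) -> Any:
    return json.loads(text, object_hook=_object_hook)


# Two hypothetical custom types a plugin might register.
@dataclass(frozen=True)
class Money:
    amount_cents: int
    currency: str


register("datetime", datetime, lambda dt: dt.isoformat(), datetime.fromisoformat)
register("money", Money, lambda m: [m.amount_cents, m.currency], lambda v: Money(v[0], v[1]))


def roundtrip(value: Any) -> Any:
    """Serialise then deserialise, as a value would travel through a store."""
    return loads(dumps(value))


def demo() -> bool:
    # Constructed sample value mixing native JSON types with registered ones.
    sample = {
        "when": datetime(2022, 9, 28, 12, 0, tzinfo=timezone.utc),
        "cost": Money(1999, "USD"),
        "tags": ["a", "b"],
    }
    return roundtrip(sample) == sample


if __name__ == "__main__":
    print(dumps({"cost": Money(1999, "USD")}))
    print("roundtrip ok:", demo())
```

Registering a type twice is refused so that one plugin cannot silently replace another plugin's decoder, and an object with no registered hook fails at serialisation time rather than being coerced into something the other side would misread.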