ashb commented on code in PR #27887:
URL: https://github.com/apache/airflow/pull/27887#discussion_r1032668725


##########
airflow/config_templates/default_airflow.cfg:
##########
@@ -127,6 +127,11 @@ unit_test_mode = False
 # RCE exploits).
 enable_xcom_pickling = False
 
+# What classes can be imported during deserialization. This is a json encoded
+# array. The individual items will be parsed as regexp. Python built-in 
classes (like dict)
+# are always allowed
+allowed_deserialization_classes = ["airflow[.].*"]
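
Review bot: The comment added above `allowed_deserialization_classes` says each item "will be parsed as regexp" but not whether a pattern has to match the whole class name or only the start or a substring of it. For an allow list that decides what may be imported during deserialization, that difference determines what gets through. Spell out the matching rule in the comment (for example, that the pattern must match the fully qualified class name in full), and mention that a literal dot has to be escaped, as the default `airflow[.].*` already does.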

Review Comment:
   JSON is okay (given the tools we have anyway), I think it's the regex that I 
don't like.
   
   How about this:
   
   - `package.*` = anything directly in package
   - `package.sub.MyClass` is the given class, and
   - `package.**` is anything anywhere under that.
   
   And (for now) limit wildcards to complete components, so `Foo*` wouldn't be valid (mostly limit it for ease of implementation in this first version).
   
   This feels a bit more natural to me than having to encode regex inside JSON.
   
   Thoughts?



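The matching rules proposed in the review comment above, written out as an added example; it is not part of the original message and not Airflow's code. The function names are hypothetical, and it assumes a wildcard may only be the last component of a pattern and that a bare `*` or `**` is rejected.

```python
import re

# One dotted-name component: a plain Python identifier, no wildcard characters.
_COMPONENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*\Z")


def validate_pattern(pattern):
    """Split a pattern into components; reject partial wildcards such as ``Foo*``."""
    parts = pattern.split(".")
    for i, part in enumerate(parts):
        if part in ("*", "**"):
            # Assumption: wildcards are only valid as the final component,
            # and never as the whole pattern (that would allow everything).
            if i == 0 or i != len(parts) - 1:
                raise ValueError(f"wildcard not allowed here: {pattern!r}")
        elif not _COMPONENT.match(part):
            raise ValueError(f"invalid component {part!r} in {pattern!r}")
    return parts


def is_allowed(classname, patterns):
    """Return True if the fully qualified ``classname`` matches any pattern."""
    name = classname.split(".")
    for pattern in patterns:
        parts = validate_pattern(pattern)
        prefix, last = parts[:-1], parts[-1]
        if last == "**":
            # Anything anywhere under the package: prefix plus one or more components.
            if len(name) > len(prefix) and name[: len(prefix)] == prefix:
                return True
        elif last == "*":
            # Anything directly in the package: prefix plus exactly one component.
            if len(name) == len(prefix) + 1 and name[:-1] == prefix:
                return True
        elif name == parts:
            # No wildcard: the given class only.
            return True
    return False


if __name__ == "__main__":
    # Constructed sample names, for illustration only.
    allow = ["airflow.**", "package.*", "package.sub.MyClass"]
    for cls in ["airflow.models.dag.DAG", "airflowx.Evil", "package.Thing",
                "package.sub.MyClass", "package.sub.Other"]:
        print(f"{cls:28} {'allow' if is_allowed(cls, allow) else 'deny'}")
```

Because comparison is done component by component, `airflowx.Evil` cannot slip past `airflow.**` the way it could with a pattern that forgot to escape or anchor the dot.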