ashb commented on code in PR #27887:
URL: https://github.com/apache/airflow/pull/27887#discussion_r1032675916
##########
airflow/config_templates/default_airflow.cfg:
##########
@@ -127,6 +127,11 @@ unit_test_mode = False
# RCE exploits).
enable_xcom_pickling = False
+# What classes can be imported during deserialization. This is a json encoded
+# array. The individual items will be parsed as regexp. Python built-in
classes (like dict)
+# are always allowed
+allowed_deserialization_classes = ["airflow[.].*"]
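Review bot: The new comment above `allowed_deserialization_classes` says the items are "parsed as regexp" but does not say whether a pattern must match the whole class name or may match anywhere inside it. With the default `["airflow[.].*"]`, an unanchored search would also accept a name that merely contains `airflow.`, for example a class under some other top-level package. If full-name matching is the intent, say so in this comment (each pattern is matched against the complete qualified class name) and make sure the matching code enforces it.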
Review Comment:
Simpler approach (after chatting to Bolke): use multiline strings and
`.split()` the value into components. (I think most of my complaint was around
needing to "escape" a regex into JSON, but since spaces are not valid in class
or module names we can split easily)
```
allowed_deserialization_classes =
    airflow\..*
    my_package\.MyClass
```
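The whitespace-split format proposed in the comment above, as an added example (not code from the PR or from Airflow): it reads the multiline option with `configparser`, splits it into regex patterns, and checks class names with `re.fullmatch`. The `[core]` section name, the helper names, the sample class names and the choice of full-match semantics are assumptions of this example.

```python
import configparser
import re

# Constructed sample config; the [core] section name is an assumption.
# Continuation lines must be indented for configparser to join them.
SAMPLE_CFG = r"""
[core]
allowed_deserialization_classes =
    airflow\..*
    my_package\.MyClass
"""


def load_allowed_patterns(cfg_text, section="core",
                          option="allowed_deserialization_classes"):
    """Return compiled patterns from a whitespace-separated multiline option."""
    # interpolation=None keeps '%' in a pattern from being treated as a reference.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(cfg_text)
    raw = parser.get(section, option, fallback="")
    patterns = []
    # Class and module names never contain whitespace, so split() needs no
    # quoting or escaping layer on top of the regex itself.
    for item in raw.split():
        try:
            patterns.append(re.compile(item))
        except re.error as exc:
            # Fail closed on a malformed entry instead of silently skipping it.
            raise ValueError(f"invalid pattern {item!r} in {option}: {exc}") from exc
    return patterns


def is_allowed(qualname, patterns):
    """True only if some pattern matches the entire qualified class name."""
    # fullmatch anchors both ends: 'other.airflow.x' and 'my_package.MyClassX'
    # are rejected. An empty pattern list allows nothing.
    return any(p.fullmatch(qualname) for p in patterns)


if __name__ == "__main__":
    allowed = load_allowed_patterns(SAMPLE_CFG)
    for name in ("airflow.models.dag.DAG", "my_package.MyClass",
                 "my_package.MyClassEvil", "other.airflow.models.X"):
        print(f"{name}: {'allowed' if is_allowed(name, allowed) else 'denied'}")
```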