amoghrajesh commented on issue #49456: URL: https://github.com/apache/airflow/issues/49456#issuecomment-2850242298
@kaxil Let me explain. We currently have a config option: https://github.com/apache/airflow/blob/main/airflow-core/src/airflow/config_templates/config.yml#L1422-L1430

This controls deserialization of XComs in the public API: https://github.com/apache/airflow/blob/main/airflow-core/src/airflow/api_fastapi/core_api/routes/public/xcom.py#L66

Initially, I considered simply setting this config to true. However, after discussing with @uranusjr, we concluded that even having this flag poses a security risk — it could allow a malformed XCom that triggers arbitrary code execution during deserialization. Additionally, the default XCom backend already uses a built-in deserializer (which can be overridden), so the need for this flag in the API is not too great of an idea.

My current proposal:

- Remove the `deserialize` flag from the public API.
- Deprecate and delete the `enable_xcom_deserialize_support` config, since it's only used in that one API.
- Long-term, figure out a proper way to safely deserialize XComs for display (possibly in a subprocess on the task side — just brainstorming, don't know yet).

This is why I was proposing we make this change in 3.1.
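As an added illustration of the "safe for display" direction raised at the end of the comment (example code written for this page, not Airflow's own code and not part of the thread): a display-only walk over a decoded XCom JSON value that never imports or instantiates a class, so a crafted envelope can only ever become a string on screen. The envelope key names `__classname__`, `__version__` and `__data__` are assumed from Airflow's serde module; `render_for_display` and `render_xcom_json` are hypothetical names.

```python
import json
from typing import Any

# Envelope keys used by Airflow's serde format (assumed here; see airflow.serialization.serde).
CLASSNAME = "__classname__"
VERSION = "__version__"
DATA = "__data__"

MAX_DEPTH = 32  # cap recursion so a deeply nested value cannot exhaust the stack


def render_for_display(value: Any, depth: int = 0) -> Any:
    """Return a display-safe copy of a decoded XCom value.

    Plain JSON types pass through unchanged. Any dict that carries a serde
    class envelope is replaced by an opaque summary string: the class name is
    shown as text only, and the __data__ payload is never handed to a
    deserializer, so no import or constructor runs on the API server.
    """
    if depth > MAX_DEPTH:
        return "<nested too deeply to display>"
    if isinstance(value, dict):
        if CLASSNAME in value:
            return f"<{value[CLASSNAME]} v{value.get(VERSION, '?')}: not deserialized>"
        return {str(k): render_for_display(v, depth + 1) for k, v in value.items()}
    if isinstance(value, list):
        return [render_for_display(v, depth + 1) for v in value]
    if isinstance(value, (str, int, float, bool)) or value is None:
        return value
    return repr(value)  # anything else (should not occur from json.loads) is shown, not used


def render_xcom_json(raw: str) -> Any:
    """Decode the stored JSON text and render it for display only."""
    return render_for_display(json.loads(raw))


# Constructed sample XCom: a plain field plus a payload wrapped in a class envelope.
SAMPLE = json.dumps({
    "rows": 3,
    "payload": {CLASSNAME: "my_plugin.Report", VERSION: 1, DATA: {"path": "/tmp/report.csv"}},
})

if __name__ == "__main__":
    print(render_xcom_json(SAMPLE))
```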
