pjfanning commented on code in PR #2102:
URL: https://github.com/apache/fury/pull/2102#discussion_r1997627166
##########
java/fury-core/src/main/java/org/apache/fury/resolver/DisallowedList.java:
##########
@@ -24,15 +24,25 @@
import java.io.InputStream;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
import java.util.Set;
+import java.util.TreeSet;
import java.util.stream.Collectors;
import org.apache.fury.exception.InsecureException;
/** A class to record which classes are not allowed for serialization. */
class DisallowedList {
private static final String DISALLOWED_LIST_TXT_PATH = "fury/disallowed.txt";
+ // when disallowed.txt changed, update this hash by print the result of
`calculateSHA256`
+ private static final String SHA256_HASH =
+ "d418999c49b0aa83b8bde8a79aa758a16adb5599e384f842db65dbcd633c541b";
Review Comment:
* it's also probably true that if the build fails after fury/disallowed.txt
is modified (without the SHA upgrade) then that should be enough
* could we remove the main method just have the a unit test that compares
the generated SHA to the hardcoded one?
* main methods in classes is not usually regarded as good
* the test could be run instead to get the new SHA, so a coder could grab
that and updated the hardcoded SHA
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
