pjfanning commented on PR #8196: URL: https://github.com/apache/hadoop/pull/8196#issuecomment-3801694426
> @pjfanning how does jackson deser work here? is there a link to a doc?
>
> I'm wondering whether a class is checked for being an implementation of Step before the instance is instantiated? If it isn't, then we'd still be at risk of something in the package having adverse side effects in its construction, which of course was what happened to parquet's first deser fix last year.

* I've added a new conf that allows the allowed packages to be provided. `dfs.nodeplan.steps.supported.packages`
* Jackson loads the class in the `@class` setting but has some checks for well known attack classes.
* Anything else it will class load and then try to instantiate an object instance
* My code kicks in before the Jackson code, so any class names that my code doesn't like - then Jackson doesn't even get to parse the JSON.
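The check asked about in the quoted question (rejecting a class name before anything is instantiated), sketched as an added example that is not part of this comment or the PR's code. It assumes the `@class` values have already been pulled out of the JSON; the `Step` stand-in, `MoveStep`, `NotAStep`, the package `example.nodeplan` and the exact-package matching rule are all hypothetical.

```java
package example.nodeplan; // hypothetical package for this example

import java.util.List;

public class StepClassAllowlist {
    /** Stand-in for the plan step interface (hypothetical, defined so the example compiles). */
    public interface Step {}
    public static final class MoveStep implements Step {}
    /** Lives in an allowed package but is not a Step; its static initializer must never run. */
    public static final class NotAStep {
        static { System.out.println("side effect: NotAStep initialized"); }
    }

    private final List<String> allowedPackages;

    public StepClassAllowlist(List<String> allowedPackages) {
        this.allowedPackages = List.copyOf(allowedPackages);
    }

    /** Exact package match (assumption), so "example.nodeplan" does not admit "example.nodeplanx". */
    boolean packageAllowed(String className) {
        int lastDot = className.lastIndexOf('.');
        if (lastDot <= 0) return false; // default package is never allowed
        return allowedPackages.contains(className.substring(0, lastDot));
    }

    /** Returns the class only if it is in an allowed package AND implements Step. */
    public Class<? extends Step> vet(String className) {
        if (!packageAllowed(className)) {
            throw new SecurityException("package not allowed: " + className);
        }
        try {
            // initialize=false: the class is loaded but its static initializers do not run
            Class<?> c = Class.forName(className, false, StepClassAllowlist.class.getClassLoader());
            if (!Step.class.isAssignableFrom(c)) {
                throw new SecurityException("not a Step: " + className);
            }
            return c.asSubclass(Step.class);
        } catch (ClassNotFoundException e) {
            throw new SecurityException("unknown class: " + className, e);
        }
    }

    public static void main(String[] args) {
        StepClassAllowlist v = new StepClassAllowlist(List.of("example.nodeplan"));
        String[] names = { // constructed sample @class values
            "example.nodeplan.StepClassAllowlist$MoveStep", "example.nodeplan.StepClassAllowlist$NotAStep",
            "example.nodeplanx.Evil", "javax.script.ScriptEngineManager" };
        for (String n : names) {
            try { System.out.println("accepted " + v.vet(n).getName()); }
            catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
        }
    }
}
```

The package test runs before `Class.forName`, so a name outside the allowlist is never loaded at all, and the `Step` test runs before any constructor or static initializer can execute.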
