Github user dpitera commented on the issue:

    https://github.com/apache/tinkerpop/pull/179
  
    > Whitelisting tends to work best in cases like this as it assumes
    > everything is bad except for this small, easy to maintain list.

    Agreed. Which is what leads me to find myself in a situation where even
    things like `"^java\\.lang\\.String"` must be whitelisted to be called.

    However, [`"^java\\.lang\\.String#getBoolean\\("`](http://docs.oracle.com/javase/6/docs/api/java/lang/Boolean.html#getBoolean(java.lang.String))
    must be blacklisted because it leaks implementation details about the
    underlying System.

    I believe this is a prime example for situations where the best filter is
    something like:
    `!methodBlackList.any { descriptor =~ it } && methodWhiteList.any { descriptor =~ it }`.

    Would you agree?

    > I don't see a reference to methodBlackList in this PR

    This is because the methodBlackList of which I speak is part of the
    deprecated sandbox extension classes.
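The deny-then-allow filter the comment proposes, written out as a runnable Groovy class. This is an added example, not code from the TinkerPop project or from the commenter. It assumes method descriptors have the shape `package.Class#method(argTypes)` and that both lists hold regex strings, which is how the `descriptor =~ it` expression in the comment treats them; the two patterns are the ones quoted in the comment and the descriptors fed to the filter are constructed for illustration.

```groovy
// Added example (not TinkerPop's sandbox code): combine a blacklist and a
// whitelist so that a method is callable only when NO blacklist pattern
// matches AND at least one whitelist pattern matches. The blacklist is
// consulted first, so a denied entry wins even when a broad whitelist
// pattern (such as "^java\\.lang\\.String") would otherwise admit it.
// Assumption: descriptors look like "pkg.Class#method(argTypes)".
import java.util.regex.Pattern

class MethodFilter {
    final List<Pattern> blackList
    final List<Pattern> whiteList

    MethodFilter(List<String> black, List<String> white) {
        blackList = black.collect { Pattern.compile(it) }
        whiteList = white.collect { Pattern.compile(it) }
    }

    // Mirrors "!methodBlackList.any { descriptor =~ it } && methodWhiteList.any { descriptor =~ it }".
    // Groovy's =~ in a boolean context is Matcher.find(), so find() is used here too.
    boolean allows(String descriptor) {
        boolean denied  = blackList.any { it.matcher(descriptor).find() }
        boolean allowed = whiteList.any { it.matcher(descriptor).find() }
        return !denied && allowed
    }
}

// Patterns quoted in the comment above.
def filter = new MethodFilter(
    ['^java\\.lang\\.String#getBoolean\\('],   // blacklist: leaks system details
    ['^java\\.lang\\.String']                   // whitelist: String methods in general
)

// Constructed descriptors: one plain String method, the blacklisted one,
// and a method on a class that is not whitelisted at all.
[
    'java.lang.String#toUpperCase()',
    'java.lang.String#getBoolean(java.lang.String)',
    'java.lang.System#getProperty(java.lang.String)',
].each { d ->
    println "${filter.allows(d) ? 'ALLOW' : 'DENY '}  $d"
}
```

Running it prints ALLOW for the `toUpperCase()` descriptor and DENY for the other two: the `getBoolean(` descriptor is whitelisted by the broad `^java\\.lang\\.String` prefix but is rejected because the blacklist is checked first, and the `System#getProperty(` descriptor is rejected simply because nothing whitelists it. That ordering is the point of the expression: the whitelist stays short and coarse, and the blacklist carves the few dangerous exceptions out of it.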

