Github user dpitera commented on the issue: https://github.com/apache/tinkerpop/pull/179

> Whitelisting tends to work best in cases like this as it assumes everything is bad except for this small, easy to maintain list.

Agreed. Which is what leads me to find myself in a situation where even things like `"^java\\.lang\\.String"` must be whitelisted to be called. However.... [`"^java\\.lang\\.String#getBoolean\\("`](http://docs.oracle.com/javase/6/docs/api/java/lang/Boolean.html#getBoolean(java.lang.String)) must be blacklisted because it leaks implementation details about the underlying System. I believe this is a prime example for situations where the best filter is something like:

`!methodBlackList.any { descriptor =~ it } && methodWhiteList.any { descriptor =~ it }`

Would you agree?

> I don't see a reference to methodBlackList in this PR

This is because the methodBlackList of which I speak is part of the deprecated sandbox extension classes.
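A worked version of the combined blacklist-then-whitelist filter from the comment above, added here as an illustration and not code from the TinkerPop project or from dpitera. It assumes descriptors of the form `Class#method(` as the quoted patterns suggest, and uses `re.search` because Groovy's `=~` in a boolean context is an unanchored `find()`; the sample lists are constructed for the example.

```python
import re

# Constructed sample lists modelled on the patterns quoted in the discussion.
# Note the whitelist entry is a prefix pattern: an unanchored find also admits
# java.lang.StringBuilder and java.lang.StringBuffer, which is worth knowing
# when the goal is a small, exact allow list.
METHOD_WHITELIST = [r"^java\.lang\.String", r"^java\.lang\.Math#abs\("]
METHOD_BLACKLIST = [r"^java\.lang\.String#getBoolean\("]


def is_method_allowed(descriptor, whitelist=METHOD_WHITELIST,
                      blacklist=METHOD_BLACKLIST):
    """Mirror of the Groovy expression
    !methodBlackList.any { descriptor =~ it } && methodWhiteList.any { descriptor =~ it }
    Blacklist wins first; otherwise the call must still match the whitelist."""
    blacklisted = any(re.search(p, descriptor) for p in blacklist)
    whitelisted = any(re.search(p, descriptor) for p in whitelist)
    return (not blacklisted) and whitelisted


def filter_descriptors(descriptors):
    """Return the subset of descriptors the sandbox filter would let through."""
    return [d for d in descriptors if is_method_allowed(d)]


if __name__ == "__main__":
    # Constructed sample descriptors, not captured from a real sandbox run.
    samples = [
        "java.lang.String#length(",
        "java.lang.String#getBoolean(java.lang.String",
        "java.lang.StringBuilder#append(java.lang.String",
        "java.lang.System#getProperty(java.lang.String",
        "java.lang.Math#abs(int",
    ]
    for d in samples:
        print(f"{d!r:50} -> {'allowed' if is_method_allowed(d) else 'rejected'}")
```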