[ https://issues.apache.org/jira/browse/BEAM-9570?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Kenneth Knowles updated BEAM-9570:
----------------------------------
This Jira ticket has a pull request attached to it, but is still open. Did the
pull request resolve the issue? If so, could you please mark it resolved? This
will help the project have a clear view of its open issues.
> Update documentation to show how to use SerializableCoder more securely
> -----------------------------------------------------------------------
>
> Key: BEAM-9570
> URL: https://issues.apache.org/jira/browse/BEAM-9570
> Project: Beam
> Issue Type: Improvement
> Components: sdk-java-core
> Reporter: Colm O hEigeartaigh
> Priority: P3
> Labels: Clarified
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> It's possible to make the use of SerializableCoder more secure by enforcing
> constraints on the deserialization process using jdk.serialFilter. This task
> is to update the documentation - from the mailing list:
>
> "With the JvmInitializer[1] being supported by Dataflow and the portable Java
> container, users would be able to write code which sets the system property
> jdk.serialFilter or by configuring
> ObjectInputFilter.Config.setSerialFilter(filter)[2]"
>
> This could become a documentation change to SerializableCoder.
> 1: https://github.com/apache/beam/blob/master/sdks/java/core/src/main/java/org/apache/beam/sdk/harness/JvmInitializer.java
> 2: https://docs.oracle.com/javase/10/core/serialization-filtering1.htm#JSCOR-GUID-952E2328-AB66-4412-8B6B-3BCCB3195C25
>
> Ref:
> https://lists.apache.org/thread.html/rc08d21215ed0f228331dcec88ecd5fe45d452e778fdc20a44c938f8e%40%3Cdev.beam.apache.org%3E
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
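
The approach the ticket describes, as an added example that is not part of the ticket or of Beam's own code: a JvmInitializer that installs a process-wide ObjectInputFilter at worker startup, with a local check that an allow-listed type deserializes and any other type is rejected. The allow-list pattern and the com.example.pipeline package are assumptions; it needs Java 9+ and the Beam Java SDK on the classpath.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.List;
import org.apache.beam.sdk.harness.JvmInitializer;

// Added example, not Beam project code. To have workers load it, list this class in
// META-INF/services/org.apache.beam.sdk.harness.JvmInitializer (ServiceLoader discovery).
public class SerialFilterInitializer implements JvmInitializer {
  // Assumed allow-list in jdk.serialFilter syntax; com.example.pipeline is a hypothetical package.
  // The filter is JVM-wide, so it must cover every type the worker legitimately deserializes,
  // not only values handled by SerializableCoder. The trailing "!*" rejects everything else.
  static final String PATTERN =
      "java.lang.**;java.util.**;org.apache.beam.**;com.example.pipeline.**;!*";

  @Override
  public void onStartup() {
    install(PATTERN);
  }

  static void install(String pattern) {
    // The process-wide filter can be set only once; keep one already given via -Djdk.serialFilter.
    if (ObjectInputFilter.Config.getSerialFilter() == null) {
      ObjectInputFilter.Config.setSerialFilter(ObjectInputFilter.Config.createFilter(pattern));
    }
  }

  // Serializes a value to bytes and reads it back through a default ObjectInputStream.
  static Object roundTrip(Serializable value) throws IOException, ClassNotFoundException {
    ByteArrayOutputStream bytes = new ByteArrayOutputStream();
    try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
      out.writeObject(value);
    }
    try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes.toByteArray()))) {
      return in.readObject();
    }
  }

  // Local check with constructed values: an allow-listed type passes, any other type is rejected.
  public static void main(String[] args) throws Exception {
    new SerialFilterInitializer().onStartup();
    System.out.println("accepted: " + roundTrip(new ArrayList<String>(List.of("a", "b"))));
    try {
      roundTrip(new File("constructed-sample")); // Serializable, but not on the allow-list
    } catch (InvalidClassException e) {
      System.out.println("rejected: " + e.getMessage());
    }
  }
}
```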