[
https://issues.apache.org/jira/browse/BEAM-9570?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17122354#comment-17122354
]
Beam JIRA Bot commented on BEAM-9570:
-------------------------------------
This issue is P2 but has been unassigned without any comment for 60 days so it
has been labeled "stale-P2". If this issue is still affecting you, we care!
Please comment and remove the label. Otherwise, in 14 days the issue will be
moved to P3.
Please see https://beam.apache.org/contribute/jira-priorities/ for a detailed
explanation of what these priorities mean.
> Update documentation to show how to use SerializableCoder more securely
> -----------------------------------------------------------------------
>
> Key: BEAM-9570
> URL: https://issues.apache.org/jira/browse/BEAM-9570
> Project: Beam
> Issue Type: Improvement
> Components: sdk-java-core
> Reporter: Colm O hEigeartaigh
> Priority: P2
> Labels: stale-P2
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> It's possible to make the use of SerializableCoder more secure by enforcing
> constraints on the deserialization process using jdk.serialFilter. This task
> is to update the documentation - from the mailing list:
>
> "With the JvmInitializer[1] being supported by Dataflow and the portable Java
> container, users would be able to write code which sets the system property
> jdk.serialFilter or by configuring
> ObjectInputFilter.Config.setSerialFilter(filter)[2]"
>
> This could become a documentation change to SerializableCoder.
> 1:
> [https://github.com/apache/beam/blob/master/sdks/java/core/src/main/java/org/apache/beam/sdk/harness/JvmInitializer.java]
> 2:
> [https://docs.oracle.com/javase/10/core/serialization-filtering1.htm#JSCOR-GUID-952E2328-AB66-4412-8B6B-3BCCB3195C25]
>
> Ref:
> https://lists.apache.org/thread.html/rc08d21215ed0f228331dcec88ecd5fe45d452e778fdc20a44c938f8e%40%3Cdev.beam.apache.org%3E
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
