GGraziadei commented on PR #8707: URL: https://github.com/apache/storm/pull/8707#issuecomment-4542962194
Thanks for the detailed and insightful review @rzo1! I have addressed all your points and pushed the updates:

- Refactored the catch block in `KryoTupleDeserializer#deserialize` by inverting the logic to handle security risks correctly. If a decompression bomb is detected (the exception message contains "Decompression threshold exceeded"), the RuntimeException is now propagated immediately instead of being swallowed. For any other decompression failure, which indicates a true header collision where raw Kryo bytes matched the zstd magic header by chance, the code safely falls back to `deserializeTuple(ser)`. Additionally, the comment was updated to accurately reflect the little-endian nature of the zstd magic header on the wire.
- Optimized the deserializer path. It now computes `isCompressionEnabled` once at construction time by scanning the topology and component configurations, ensuring zero per-tuple cost for topologies that do not use compression.
- Since the Flux per-component configuration mechanism is out of scope for this PR, I have opened a tracking issue here: #8710 and updated docs/Serialization.md to explicitly state that Flux currently only supports topology-wide enablement.

@reiabreu, the PR is ready for your review whenever you have time. Standing by for any further feedback or changes you might suggest!

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
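The control flow described in the comment above (magic-header check, propagate on threshold breach, fall back on header collision), as an added Python example that is not code from the PR or from Storm. Assumptions: zlib stands in for zstd because the example must run on the standard library alone, a dedicated exception class replaces the message-string check, and `deserialize_tuple`, `frame` and the 1 MiB limit are hypothetical.

```python
import struct
import zlib

# zstd frame magic 0xFD2FB528 is little-endian on the wire: 28 B5 2F FD
ZSTD_MAGIC = struct.pack("<I", 0xFD2FB528)
MAX_DECOMPRESSED = 1 << 20  # hypothetical threshold (1 MiB), not Storm's value


class DecompressionThresholdExceeded(RuntimeError):
    """Output would exceed the limit: treat as a possible decompression bomb."""


def bounded_decompress(body: bytes, limit: int = MAX_DECOMPRESSED) -> bytes:
    # zlib is a stand-in codec (assumption); max_length caps the output produced.
    d = zlib.decompressobj()
    out = d.decompress(body, limit + 1)
    if len(out) > limit:
        raise DecompressionThresholdExceeded(f"more than {limit} bytes")
    if not d.eof:
        raise zlib.error("truncated or invalid stream")
    return out


def deserialize_tuple(raw: bytes) -> str:
    # Hypothetical stand-in for the raw Kryo deserialization path.
    return raw.decode("latin-1")


def deserialize(ser: bytes, compression_enabled: bool) -> str:
    # compression_enabled is computed once by the caller, not per tuple.
    if not compression_enabled or not ser.startswith(ZSTD_MAGIC):
        return deserialize_tuple(ser)
    try:
        return deserialize_tuple(bounded_decompress(ser[len(ZSTD_MAGIC):]))
    except DecompressionThresholdExceeded:
        raise  # never swallow: falling back would hide a hostile input
    except zlib.error:
        # Header collision: raw bytes started with the magic by chance.
        return deserialize_tuple(ser)


def frame(payload: bytes) -> bytes:
    # Constructed sample framing for this example: magic + compressed body.
    return ZSTD_MAGIC + zlib.compress(payload)
```
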
