This approach sounds like it should work. As long as you have a limited set of expected types and you reject unrecognized ones, I can't think of any particular security issues with it.

On Wed, May 20, 2020 at 10:31 AM Peter JL <[email protected]> wrote:

> Some further context:
>
> An alternative to the use of Any would be Oneof. This would increase type
> safety, but would require the request object to maintain knowledge of all
> permitted types. Since requests will be used by multiple clients and
> multiple (related but different) servers, the request object could end up
> as a bloated multi-tenant maintenance problem. The goal of the Any would be
> to reduce these complexities.
>
> On Wednesday, May 20, 2020 at 10:13:35 AM UTC-7, Peter JL wrote:
>>
>> Hello, group -
>>
>> I'm considering using an Any field in a service-to-service request
>> object. This would allow clients to send arbitrary data to the server,
>> which would dispatch requests to the appropriate event handler based on the
>> Any's type information (achieving a kind of polymorphic dispatch). The
>> server would log a warning and drop requests with unrecognized types. This
>> approach would loosen coupling between system components, reduce the number
>> of cross-component dependencies, and streamline the process of adding/removing
>> new handlers.
>>
>> My central question is: Are there security risks (or other significant
>> problems) with this approach?
>>
>> Thanks in advance!
>>
>> Peter
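
The allowlisted dispatch discussed in this thread, as an added example that is not part of the original messages: requests whose Any type is not registered are logged and dropped, and the `type_url` is only compared, never resolved. A minimal standard-library wire decoder stands in for the protobuf runtime here; the `acme.events.*` type names, the handlers and the `pack` helper are hypothetical.

```python
import logging

log = logging.getLogger("any_dispatch")

def _varint(buf, i):
    """Read one base-128 varint at offset i; return (value, next offset)."""
    result = shift = 0
    while i < len(buf) and shift < 64:
        result |= (buf[i] & 0x7F) << shift
        i += 1
        if not buf[i - 1] & 0x80:
            return result, i
        shift += 7
    raise ValueError("malformed varint")

def len_fields(buf):
    """Map field number -> bytes for a message of length-delimited fields only."""
    out, i = {}, 0
    while i < len(buf):
        tag, i = _varint(buf, i)
        size, i = _varint(buf, i)
        if tag & 7 != 2 or i + size > len(buf):
            raise ValueError("unsupported wire type or truncated field")
        out[tag >> 3] = buf[i:i + size]
        i += size
    return out

# The allowlist: exact fully-qualified type names mapped to hypothetical handlers.
HANDLERS = {
    "acme.events.UserCreated": lambda v: "created:" + len_fields(v)[1].decode(),
    "acme.events.UserDeleted": lambda v: "deleted:" + len_fields(v)[1].decode(),
}

def dispatch(request_bytes):
    """Run the handler registered for the Any's type; return None if dropped."""
    try:
        any_msg = len_fields(request_bytes)  # Any: field 1 = type_url, 2 = value
        type_url = any_msg.get(1, b"").decode()
        # The type name follows the last '/'; the URL prefix is never fetched.
        handler = HANDLERS.get(type_url.rsplit("/", 1)[-1])
        if handler is not None:
            return handler(any_msg.get(2, b""))
        log.warning("dropped: unrecognized type_url=%r", type_url[:200])
    except (ValueError, KeyError):  # malformed bytes, bad UTF-8, missing field
        log.warning("dropped: malformed request")
    return None

def pack(type_url, name):  # constructed sample bytes: Any{type_url, Msg{1: name}}
    lv = lambda n, b: bytes([n << 3 | 2, len(b)]) + b  # fields under 128 bytes
    return lv(1, type_url.encode()) + lv(2, lv(1, name.encode()))
```

Logging the rejected `type_url` with `%r` and a length cap keeps sender-controlled text from injecting lines into the warning log.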
