Option to allow custom JSONEncoder/JSONDecoder #21
Comments
|
Instead of pickle, how about being able to specify a custom |
|
That would probably be good to have too. That said, |
|
I'm not a fan of implementing pickle since it allows code execution ( |
thomasst
changed the title
|
We would like the option to use pickle as well. Some swig wrappers support pickle serialization and not JSON. |
|
Personally, I don't think there's a point in implementing an insecure serialization/de-serialization option, especially given how often tasks are called with params containing user-generated data. @tkram01 you could probably write a very simple middleware that unpickles an object you get from SWIG and then serializes it into JSON before passing it to a TaskTiger task. |
|
(See also #22) |
|
Yeah, I'll review this later, but we can probably do something like #22. |
|
@wojcikstefan @thomasst I'm not seeing how Pickle is a security issue if the python app is control of pickling/unpickling. My understanding was that the only secufity issue is if you were to accept arbitrary pickled data from users but Tasktiger doesn't do that since it does the serialization/deserialization itself. |
|
That's correct, but it's bad design and unnecessarily opens up a potential point of attack. It's like saying you can use That being said, I don't mind having an option for a customer (de)serializer, as long as we don't ship pickle with TaskTiger (but the user is free to implement/configure it). |
And just point people in the right direction with a custom JSONEncoder/Decoder example. |
This would work better for some types, i.e. datetime, etc.
Your country thanks you.
The text was updated successfully, but these errors were encountered: