feat: Implementation for Begin and Rollback clientside statements #1041
Conversation
product-auto-label
bot
added
size: xl
ankiaga
force-pushed
the
client_begin
branch
from
e533567
to
3e80473
Compare
| conn.commit() | ||
| checksum = hashlib.sha256() | ||
| checksum.update(pickle.dumps(got_rows[0])) | ||
| checksum.update(pickle.dumps(got_rows[1])) |
There was a problem hiding this comment.
Do we really use pickle as part of our internal checksumming logic?
I'm always squeamish about any use of pickle because (a) its behavior with extension types is not necessarily defined (it's up to the extension type to implement it, maybe correctly or maybe not) and (b) loading a pickle stream is basically a remote-code-execution waiting to happen. (pickle serializes objects basically by saying "there's an object of this type, please call its constructor and feed it this data." Python constructors are basically just functions, and the last time I checked, pickle doesn't try particularly hard to make sure that the function specified in the pickle data stream is really a constructor; so if you can construct a custom pickle data stream and get code somewhere to deserialize it, you can get the deserializer to call basically any Python function in any library that's installed in the current environment, even if that library hasn't yet been imported.)
I realize that the usage here probably avoids those two specific issues for now. Just ... reflexive "icky dependency!" response 😄
No description provided.