Skip to content

Add pickle storage#82

Closed
divanovGH wants to merge 2 commits intomsiemens:masterfrom
divanovGH:pickle_storage
Closed

Add pickle storage#82
divanovGH wants to merge 2 commits intomsiemens:masterfrom
divanovGH:pickle_storage

Conversation

@divanovGH
Copy link
Copy Markdown

@divanovGH divanovGH commented Dec 20, 2015

Native objects (like datetime) serialize support

@msiemens
Copy link
Copy Markdown
Owner

msiemens commented Dec 21, 2015

Thanks for the PR @divanovGH. I've already played with the idea of adding a picke storage. In the end I decided against it, because allows arbitrary code execution. The docs write:

The pickle module is not secure against erroneous or maliciously constructed data. Never unpickle data received from an untrusted or unauthenticated source.

For that reason I'm uncomfortable putting including this in the TinyDB core. What do you think on that topic?

@divanovGH divanovGH closed this Dec 21, 2015
@divanovGH divanovGH reopened this Dec 21, 2015
@divanovGH
Copy link
Copy Markdown
Author

divanovGH commented Dec 21, 2015

I think that this solution can be used if the database is exclusively on the local machine.
Basically, this database created by and for local use?

@divanovGH
Copy link
Copy Markdown
Author

divanovGH commented Dec 22, 2015

this storage should be used at user's own risk

@eugene-eeo
Copy link
Copy Markdown
Contributor

eugene-eeo commented Dec 22, 2015

@msiemens note that, though pickle does allow for arbitrary code execution, we are only using the pickle module to store "trusted" data - and it is a suitable tool in that respect. So as long as you don't simply open a database downloaded from somewhere else using the pickle storage, you are safe.

Side note: the pickle storage should ideally live as an extension module, and should it find life in a separate repository, may I ask you to put this, as big as possible at the top of the README,

Never unpickle data received from an untrusted or unauthenticated source.

@msiemens
Copy link
Copy Markdown
Owner

msiemens commented Dec 23, 2015

@msiemens note that, though pickle does allow for arbitrary code execution, we are only using the pickle module to store "trusted" data - and it is a suitable tool in that respect. So as long as you don't simply open a database downloaded from somewhere else using the pickle storage, you are safe.

This presumes that the file system is a "trusted" store and this isn't a really safe assumption. While I certainly don't expect that anyone would target a pickle file used by TinyDB, I don't feel good including this in the TinyDB core. I'd really prefer if this is an extension module.

@msiemens
Copy link
Copy Markdown
Owner

msiemens commented Jan 30, 2016

@divanovGH What do you think about releasing a pickle storage as an extension to TinyDB?

@divanovGH
Copy link
Copy Markdown
Author

divanovGH commented Feb 1, 2016

@msiemens I completely agree with this

@msiemens
Copy link
Copy Markdown
Owner

msiemens commented Feb 1, 2016

Okay, I'll then close this PR and if someone creates a TinyDB extension providing a pickle storage I'll gladly link to it from the docs.

@msiemens msiemens closed this Feb 1, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@divanovGH @msiemens @eugene-eeo