Skip to content

Make allowed_deserialization_classes more intuitive #28829

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
bolkedebruin merged 2 commits into from
Jan 10, 2023
Merged

Make allowed_deserialization_classes more intuitive #28829

bolkedebruin merged 2 commits into from
Jan 10, 2023

Conversation

@bolkedebruin
Copy link
Contributor

@bolkedebruin bolkedebruin commented Jan 10, 2023

Regexps can be tough to get right. Typically someone would like to allow any classes below 'mymodule' to match. For example, 'mymodule.dataclasses' by setting allowed_deserialization_classes to 'mymodule.*'. However this matches everything starting with mymodule, so also mymodulemalicious. This change replaces bare '.' with '..' so it matches the literal '.' as well.

@kaxil

^ Add meaningful description above

Read the Pull Request Guidelines for more information.
In case of fundamental code changes, an Airflow Improvement Proposal (AIP) is needed.
In case of a new dependency, check compliance with the ASF 3rd Party License Policy.
In case of backwards incompatible changes please leave a note in a newsfragment file, named {pr_number}.significant.rst or {issue_number}.significant.rst, in newsfragments.

@bolkedebruin
Make allowed_deserialization_classes more intuitive
5830047 
Regexps can be tough to get right. Typically someone would like
to allow any classes below 'mymodule' to match. For example,
'mymodule.dataclasses' by setting allowed_deserialization_classes
to 'mymodule.*'. However this matches everything starting with
mymodule, so also mymodulemalicious. This change replaces
bare '.' with '\..' so it matches the literal '.' as well.
kaxil
kaxil reviewed Jan 10, 2023
View reviewed changes
kaxil
kaxil reviewed Jan 10, 2023
View reviewed changes
kaxil
kaxil approved these changes Jan 10, 2023
View reviewed changes
Copy link
Member

@kaxil kaxil left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@bolkedebruin bolkedebruin merged commit 12adb5e into apache:main Jan 10, 2023
@bolkedebruin bolkedebruin deleted the intuitive branch January 10, 2023 20:17
@kaxil kaxil added this to the Airflow 2.5.2 milestone Jan 15, 2023
@pierrejeambrun pierrejeambrun added the type:misc/internal Changelog: Misc changes that should appear in change log label Feb 27, 2023
@pierrejeambrun
Copy link
Member

pierrejeambrun commented Mar 6, 2023

Depends on #28829

@barrysteyn
Copy link

barrysteyn commented Sep 4, 2023
edited
Loading

@kaxil @bolkedebruin

This change has totally broken things... for example, I have a class that needs to be on the allowed_deserialization_classes list... the error message I get is libs.dynamodb.models.ideas.IdeasModel is not on the allowed list.. I do understand that this is regex that is being matched against, however altering the regex is not (in my opinion) good. Firstly, people who are doing this are technical and should know that a . matches anything.

But things seem broken... For example, I have tested things by putting the following in theallowed_deserialization_classes (remember I am testing libs.dynamodb.models.ideas.IdeasModel for a match):

  1. libs.dynamodb.models.ideas.IdeasModel --> False (not expected)
  2. libs[.]dynamodb[.]models[.]ideas[.]IdeasModel --> True (weird)
  3. libs.dynamodb.* --> False
  4. libs[.]dynamodb.* --> True
  5. libs.* --> True (this mimic'd the unit test of this change).

It is obvious that the replace . with .. is the culprit. Instead, I suggest we undo the changes, and rather document in detail on how to use the regex.

@barrysteyn
Copy link

barrysteyn commented Sep 4, 2023

So, this is the regex replace for this PR:
p = re.sub(r"(\w)\.", r"\1\..", p)

I am no expert, but it seems to me that it replaces word. with word\.. - I think the idea is to match ., however all that does is ensure that there must be a . followed by any character... That is why things are failing...

I don't advocate for changing anything, but if you really want to match just ., then the regex should be p = re.sub(r"(\w)\.", r"\1[.]", p)

@barrysteyn
Copy link

barrysteyn commented Sep 4, 2023

At the very least, if I am using things incorrectly, then add more tests to explain how it should work.

@barrysteyn barrysteyn mentioned this pull request Sep 5, 2023
Closed
2 tasks
@tobiaszorzetto tobiaszorzetto mentioned this pull request Dec 9, 2023
Merged
@ephraimbuddy ephraimbuddy mentioned this pull request Feb 22, 2024
Closed
68 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kaxil kaxil kaxil approved these changes

@ashb ashb Awaiting requested review from ashb

Assignees

No one assigned

Labels

area:serialization type:misc/internal Changelog: Misc changes that should appear in change log

Projects

None yet

Milestone

Airflow 2.6.0

Development

Successfully merging this pull request may close these issues.

4 participants

@bolkedebruin @pierrejeambrun @barrysteyn @kaxil