[GitHub] [beam] damccorm opened a new issue, #20274: Update documentation to show how to use SerializableCoder more securely

[GitBox <gi...@apache.org>]

damccorm opened a new issue, #20274:
URL: https://github.com/apache/beam/issues/20274

   It's possible to make the use of SerializableCoder more secure by enforcing constraints on the deserialization process using jdk.serialFilter. This task is to update the documentation - from the mailing list:
   
    
   "With the JvmInitializer[1] being supported by Dataflow and the portable Java container, users would be able to write code which sets the system property jdk.serialFilter or by configuring ObjectInputFilter.Config.setSerialFilter(filter)[2]"
    
   This could become a documentation change to SerializableCoder.
   
   1: [https://github.com/apache/beam/blob/master/sdks/java/core/src/main/java/org/apache/beam/sdk/harness/JvmInitializer.java](https://github.com/apache/beam/blob/master/sdks/java/core/src/main/java/org/apache/beam/sdk/harness/JvmInitializer.java)
   2: [https://docs.oracle.com/javase/10/core/serialization-filtering1.htm#JSCOR-GUID-952E2328-AB66-4412-8B6B-3BCCB3195C25](https://docs.oracle.com/javase/10/core/serialization-filtering1.htm#JSCOR-GUID-952E2328-AB66-4412-8B6B-3BCCB3195C25)
    
   Ref: https://lists.apache.org/thread.html/rc08d21215ed0f228331dcec88ecd5fe45d452e778fdc20a44c938f8e%40%3Cdev.beam.apache.org%3E
   
   Imported from Jira [BEAM-9570](https://issues.apache.org/jira/browse/BEAM-9570). Original Jira may contain additional context.
   Reported by: coheigea.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: github-unsubscribe@beam.apache.org.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org