adding mikera/vectorz to thaw allowlist #139

danielfleischer · 2020-11-23T13:08:54Z

No description provided.

ptaoussanis · 2020-11-23T13:50:30Z

Hi there! Has someone verified that all the targeted classes are safe? What's the level of confidence?

Thanks

danielfleischer · 2020-11-23T14:25:15Z

I've used the Vector and AVector classes, but I'm not aware of any official verifications.

See vectorz and the clojure bindings vectorz-clj for more detail.

ptaoussanis · 2020-11-25T10:09:55Z

Hi there!

Unfortunately I don't think this'd make sense to add to the default list for a couple reasons:

Someone would need to properly investigate to check that there's no security risk posed by any of the classes. This is a solvable problem but would take some work.
I'm not sure that this library is common enough to warrant inclusion in the defaults.

Why does 2. matter?

Noise for library consumers. (If we add defaults for this long-tail library, we'd be setting a precedent for more such additions - making it more cumbersome for users to review+manage the whitelist).
Added default classes also impose an ongoing maintenance burden since we'll need to keep an eye out for possible security issues in new releases, etc.

Would recommend you just add the classes you need to your own configuration.

Hope this makes sense!

Cheers :-)

danielfleischer · 2020-11-25T10:36:57Z

Hi, thanks for the clarification, it makes perfect sense.

adding mikera/vectorz to thaw allowlist

c218755

ptaoussanis closed this Nov 25, 2020

Provide feedback