-
Notifications
You must be signed in to change notification settings - Fork 92
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: Implementation for Begin and Rollback clientside statements #1041
Conversation
e533567
to
3e80473
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. Some minor comments; nothing that in my opinion needs to be fixed in order to merge this PR.
conn.commit() | ||
checksum = hashlib.sha256() | ||
checksum.update(pickle.dumps(got_rows[0])) | ||
checksum.update(pickle.dumps(got_rows[1])) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we really use pickle
as part of our internal checksumming logic?
I'm always squeamish about any use of pickle
because (a) its behavior with extension types is not necessarily defined (it's up to the extension type to implement it, maybe correctly or maybe not) and (b) loading a pickle
stream is basically a remote-code-execution waiting to happen. (pickle
serializes objects basically by saying "there's an object of this type, please call its constructor and feed it this data." Python constructors are basically just functions, and the last time I checked, pickle
doesn't try particularly hard to make sure that the function specified in the pickle
data stream is really a constructor; so if you can construct a custom pickle
data stream and get code somewhere to deserialize it, you can get the deserializer to call basically any Python function in any library that's installed in the current environment, even if that library hasn't yet been imported.)
I realize that the usage here probably avoids those two specific issues for now. Just ... reflexive "icky dependency!" response 😄
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, module some small nits.
Do we know why the emulator tests are failing?
No description provided.