In invenio-rdm-records, parent is always referenced via NestedAttribute. This prevents de/serialization when the record is fetched, for example, from OpenSearch.
In our code parent is referenced with a plain Nested and is deserialized even from an OpenSearch result. This can cause:
- security problems: a malicious parent might be deserialized from user-supplied data
- consistency problems: if parent is malformed in OpenSearch (for example, because it was pushed in that form by a user), loading breaks with an exception and the whole search API fails.
This also seems to be the case for files and others.
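Added example (not code from invenio-rdm-records or marshmallow) showing the two defensive checks the report implies: dropping service-managed keys such as parent and files from client input before it reaches a schema, and validating the parent subdocument of each search hit so one malformed index document is flagged instead of failing the whole search response. The hit layout, the required parent keys, and all sample data are assumptions made for illustration.

```python
import logging

log = logging.getLogger(__name__)

# Keys the service manages itself and must never load from client data
# (assumed set for this example; the issue names parent and files).
MANAGED_KEYS = {"parent", "files"}

# Keys a well-formed parent is assumed to carry (assumption for the example).
REQUIRED_PARENT_KEYS = {"id", "access"}


def strip_managed_keys(client_data):
    """Return a copy of client-supplied record data without managed keys.

    A plain Nested field would deserialize whatever `parent` the client
    sends; removing the key before load keeps the field dump-only in effect.
    """
    return {k: v for k, v in client_data.items() if k not in MANAGED_KEYS}


def parent_is_well_formed(parent):
    """True if `parent` is a dict carrying every required key."""
    return isinstance(parent, dict) and REQUIRED_PARENT_KEYS <= set(parent)


def partition_hits(hits):
    """Split OpenSearch hits into (usable hits, ids of rejected hits).

    Rejected ids are logged so the bad index document can be reindexed,
    while the remaining hits can still be served.
    """
    usable, rejected = [], []
    for hit in hits:
        source = hit.get("_source") or {}
        if parent_is_well_formed(source.get("parent")):
            usable.append(hit)
        else:
            log.warning("skipping hit %s: malformed parent %r",
                        hit.get("_id"), source.get("parent"))
            rejected.append(hit.get("_id"))
    return usable, rejected


# Constructed sample hits: one good, one with a string instead of an object,
# one whose parent lacks a required key.
SAMPLE_HITS = [
    {"_id": "rec-1", "_source": {"parent": {"id": "par-1", "access": {}}}},
    {"_id": "rec-2", "_source": {"parent": "not-an-object"}},
    {"_id": "rec-3", "_source": {"parent": {"id": "par-3"}}},
]
```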