Qualtran-L1: Objectstrings #1823
Code Review
This pull request introduces objectstrings, a new serialization format for bloq classical parameters, along with the necessary parsing and evaluation infrastructure in a new qualtran.l1 package. A developer tool to generate a manifest of all bloqs using this format is also included. However, the implementation is vulnerable to insecure deserialization, which could lead to Remote Code Execution (RCE) if the 'safe' mode is disabled. The parser and evaluator also lack limits on nesting depth and array size, making them susceptible to Denial of Service (DoS) attacks via recursion depth exhaustion and memory exhaustion. Furthermore, a critical bug in the string parsing logic has been identified that could lead to incorrect behavior when handling strings with special characters.
Qualtran defines bloq classes, but we need to provide compile-time classical parameters to instantiate those into bloq objects.
In principle, arbitrary Python values can be used as classical parameters, as long as they are immutable and hashable. For a human-readable intermediate representation, `qualtran.l1` implements a limited serialization syntax called objectstrings that roughly mimics standard Python object instantiation.
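The review above flags two risks for a syntax that "mimics standard Python object instantiation": evaluating the text with `eval()` (code execution if a non-safe mode is reachable) and unbounded nesting or array size (recursion and memory exhaustion). The following is an added example, not Qualtran's code, of how such a syntax can be evaluated without `eval()`: the text is parsed with `ast.parse`, and only an allowlisted subset (literals, negative numbers, tuples/lists, calls to registered constructor names) is evaluated under explicit depth and element limits. The grammar, the `Rotation`/`Layer` stand-in classes, the `REGISTRY` mapping and the limit values are all assumptions for illustration.

```python
"""Allowlisted evaluator for an object-instantiation style serialization syntax.

Added example, not Qualtran code. It assumes a hypothetical syntax in which a
value is written like a Python expression: literals, tuples/lists of values,
and calls to registered class names such as "Rotation(angle=0.5)". Instead of
eval(), the text is parsed to an AST and only an allowlisted subset is
evaluated, with limits on nesting depth and container size.
"""
import ast
from dataclasses import dataclass

MAX_DEPTH = 16        # assumed limit on nesting of calls and containers
MAX_ELEMENTS = 1024   # assumed limit on total tuple/list elements per string


class ObjectStringError(ValueError):
    """Raised when the text uses syntax the evaluator does not allow."""


def _dotted_name(func):
    """Return 'a.b.C' for a plain or dotted callee; refuse anything else."""
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return _dotted_name(func.value) + "." + func.attr
    raise ObjectStringError("callee must be a plain or dotted name")


def _eval(node, registry, depth, max_depth, budget):
    if depth > max_depth:
        raise ObjectStringError(f"nesting deeper than {max_depth}")
    if isinstance(node, ast.Constant):
        if isinstance(node.value, (bool, int, float, str, type(None))):
            return node.value
        raise ObjectStringError(f"unsupported literal {node.value!r}")
    # Negative numbers arrive as a unary minus applied to a numeric literal.
    if (isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub)
            and isinstance(node.operand, ast.Constant)
            and isinstance(node.operand.value, (int, float))
            and not isinstance(node.operand.value, bool)):
        return -node.operand.value
    if isinstance(node, (ast.Tuple, ast.List)):
        budget[0] -= len(node.elts)
        if budget[0] < 0:
            raise ObjectStringError("too many container elements")
        # Both spellings become tuples so results stay hashable.
        return tuple(_eval(e, registry, depth + 1, max_depth, budget) for e in node.elts)
    if isinstance(node, ast.Call):
        name = _dotted_name(node.func)
        if name not in registry:
            raise ObjectStringError(f"unknown constructor {name!r}")
        args = [_eval(a, registry, depth + 1, max_depth, budget) for a in node.args]
        kwargs = {}
        for kw in node.keywords:
            if kw.arg is None:  # **mapping unpacking is not part of the syntax
                raise ObjectStringError("keyword unpacking is not allowed")
            kwargs[kw.arg] = _eval(kw.value, registry, depth + 1, max_depth, budget)
        return registry[name](*args, **kwargs)
    # Anything else (names, binary operators, dicts, lambdas, ...) is refused.
    raise ObjectStringError(f"disallowed syntax: {type(node).__name__}")


def parse_objectstring(text, registry, max_depth=MAX_DEPTH, max_elements=MAX_ELEMENTS):
    """Evaluate `text` against `registry` without ever calling eval()/exec()."""
    try:
        tree = ast.parse(text, mode="eval")
    except (SyntaxError, ValueError, RecursionError) as exc:
        # The stdlib parser itself can hit its own limits on pathological input.
        raise ObjectStringError(f"invalid syntax: {exc}") from None
    budget = [max_elements]  # mutable so nested calls share one counter
    return _eval(tree.body, registry, 0, max_depth, budget)


def is_rejected(text, registry):
    """True if the evaluator refuses `text` (used to exercise the limits)."""
    try:
        parse_objectstring(text, registry)
    except ObjectStringError:
        return True
    return False


# Constructed stand-in classes; Qualtran's real bloqs are not used here.
@dataclass(frozen=True)
class Rotation:
    angle: float
    axis: str = "z"


@dataclass(frozen=True)
class Layer:
    gates: tuple


REGISTRY = {"Rotation": Rotation, "Layer": Layer}


if __name__ == "__main__":
    print(parse_objectstring("Layer(gates=(Rotation(-0.25, 'x'), Rotation(angle=0.5)))", REGISTRY))
    for bad in ["__import__('os')", "(" * 20 + "1" + ",)" * 20, "[" + "0," * 2000 + "]"]:
        print(repr(bad[:30]), "rejected:", is_rejected(bad, REGISTRY))
```

The registry is the security boundary: a name that is not in it cannot be called, regardless of what the text says, and the depth and element budgets turn a runaway input into a clean `ObjectStringError` rather than a `RecursionError` or an out-of-memory condition deep inside the parser.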