Makes sense. I did not fully appreciate the importance of the "filtered" boolean on the CommandGetTopicsOfNamespaceResponse message.
I agree that it could be valuable to detect "simple" regexes and apply those filters server side. That could also be an optimization to add later, if it proves to be difficult/complicated. On Thu, Mar 10, 2022 at 2:32 PM Matteo Merli <matteo.me...@gmail.com> wrote: > > On Thu, Mar 10, 2022 at 12:26 PM Michael Marshall <mmarsh...@apache.org> > wrote: > > > I believe we can address the risk by providing a switch to enable/disable > > > this feature. > > > > Would it be worth putting server side filtering behind a flag in the > > FeatureFlags protobuf message so that clients can still benefit from > > the new topic notifications and caching even if the client has to > > filter names itself? > > Yes, that's a good point, though we don't need a feature flag for > that. Simple the broker would return a list marked as not-filtered. > > One other approach could be to detect "simple" regexes vs "complex" or > "potentially malicious" regexes. > Eg. simplifying a lot... if it only contains `.*` sequence we do > server filtering, otherwise we fall back and let the client execute > it.
