Send serialized object to DS server

I would like to send a serialized R object to the DS server. I’m trying the following (the questions variable is the object to be serialized):

cally <- paste0("prepare_dataset_treeDS(", data, ", ", serialize(questions, NULL), ")")
DSI::datashield.assign.expr(datasources, "tree_data", as.symbol(cally))

It’s not working, as the code is generating multiple cally’s, each one with a byte of the raw serialized object:

"prepare_dataset_treeDS(D, 58)" "prepare_dataset_treeDS(D, 0a)" "prepare_dataset_treeDS(D, 00)" etc

Does anyone know the correct way of sending serialized objects?

Hi,

The DataSHIELD R parser does not allow sending complex function parameters, in order to prevent code injection.

Yannick

I found a way of achieving it; I’m not sure if it’s compromising, though.

On the client:

cally <- paste0("prepare_dataset_treeDS(", data, ", '", sf::rawToHex(serialize(questions, NULL)), "')")
DSI::datashield.assign.expr(datasources, "tree_data", as.symbol(cally))

On the server:

questions <- unserialize(wkb::hex2raw(questions))

This successfully passes a serialized object.

It passes the R parser barrier, but it makes your server side code very vulnerable, as a function could be sent this way.

In the functionality I’m working on, I’m passing a table (variable rows but standardized columns and column types). Would performing a class check be enough to overcome the vulnerability? E.g. on the server side:

if(class(questions) != "data.frame"){stop()}

Plus checking that the column number and column types are the ones expected.
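
The server-side check described in the last post, written out as an added example that is not part of the original thread or of DataSHIELD: it validates the hex argument, then compares the deserialized object against a fixed schema (the schema's column names and the helper names are hypothetical). The checks run after unserialize(), so they constrain what the function goes on to use, not what unserialize() itself processes.

```r
# Hypothetical schema: these column names and classes are placeholders.
expected_schema <- c(id = "integer", question = "character", score = "numeric")

hex_to_raw <- function(hex) {
  # Accept exactly one even-length string made only of hex digits.
  if (!is.character(hex) || length(hex) != 1L || is.na(hex) ||
      nchar(hex) %% 2L != 0L || !grepl("^[0-9a-fA-F]+$", hex)) {
    stop("argument is not a hex string")
  }
  starts <- seq(1L, nchar(hex), by = 2L)
  as.raw(strtoi(substring(hex, starts, starts + 1L), base = 16L))
}

validate_table <- function(x, schema = expected_schema) {
  # class() only reads an attribute, so check the underlying type first:
  # a closure can carry class "data.frame" too.
  if (typeof(x) != "list") stop("not a list-backed object")
  if (!identical(class(x), "data.frame")) stop("not a plain data.frame")
  # Extra attributes are a place to hide functions or other objects.
  if (!setequal(names(attributes(x)), c("names", "class", "row.names"))) {
    stop("unexpected attributes")
  }
  if (!identical(names(x), names(schema))) stop("unexpected column names")
  for (col in names(schema)) {
    v <- .subset2(x, col)  # no S3 dispatch while extracting
    # Bare atomic vectors only: rejects list columns and classed columns.
    if (!is.atomic(v) || !is.null(attributes(v)) ||
        !identical(class(v), schema[[col]])) {
      stop("column '", col, "' does not match the schema")
    }
  }
  x
}

# Constructed sample inputs, hex-encoded the way the client would send them.
to_hex <- function(obj) paste(as.character(serialize(obj, NULL)), collapse = "")
good <- data.frame(id = 1:2, question = c("q1", "q2"), score = c(0.5, 1),
                   stringsAsFactors = FALSE)
with_attr <- good
attr(with_attr, "extra") <- function() NULL
fake <- structure(function() NULL, class = "data.frame")

for (obj in list(good, with_attr, fake)) {
  res <- tryCatch({ validate_table(unserialize(hex_to_raw(to_hex(obj)))); "accepted" },
                  error = function(e) paste("rejected:", conditionMessage(e)))
  cat(res, "\n")
}
```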