
[Bug] In DefaultSerializeClassChecker When the check mode is WARN, an exception still occurs. #15179

Open · 4 tasks done
wuwen5 opened this issue Feb 26, 2025 · 2 comments
Labels
component/need-triage Need maintainers to triage type/need-triage Need maintainers to triage

Comments

@wuwen5
Contributor

wuwen5 commented Feb 26, 2025

Pre-check

  • I am sure that all the content I provide is in English.

Search before asking

  • I had searched in the issues and found no similar issues.

Apache Dubbo Component

Java SDK (apache/dubbo)

Dubbo Version

Dubbo Java 3.2.16, 3.3.3

Steps to reproduce this issue

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.net.Socket;
import java.util.logging.Level; // assumed: the issue does not say which Level class it uses

import org.apache.dubbo.common.URL;
import org.apache.dubbo.common.serialize.ObjectOutput;
import org.apache.dubbo.common.serialize.Serialization;
import org.apache.dubbo.common.utils.DefaultSerializeClassChecker;
import org.apache.dubbo.common.utils.SerializeCheckStatus;
import org.apache.dubbo.common.utils.SerializeSecurityManager;
import org.apache.dubbo.rpc.model.FrameworkModel;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.Test;

@Test
void testCheckStatusWarn() throws IOException {
    // Fresh framework model so the check status set here does not leak into other tests.
    FrameworkModel frameworkModel = new FrameworkModel();
    SerializeSecurityManager ssm = frameworkModel.getBeanFactory().getBean(SerializeSecurityManager.class);
    ssm.setCheckStatus(SerializeCheckStatus.WARN);

    Serialization serialization = frameworkModel.getExtensionLoader(Serialization.class)
        // When using fastjson2, it's ok.
        .getExtension("hessian2");
    URL url = URL.valueOf("").setScopeModel(frameworkModel);
    ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
    ObjectOutput objectOutput = serialization.serialize(url, outputStream);
    objectOutput.writeObject(Level.ALL);
    objectOutput.flushBuffer();

    // In WARN mode the deserialization side is expected to log, not throw.
    Assertions.assertDoesNotThrow(() ->
        serialization.deserialize(url, new ByteArrayInputStream(outputStream.toByteArray())));
}

@Test
void testCommon() throws ClassNotFoundException {
    FrameworkModel.defaultModel()
        .getBeanFactory()
        .getBean(SerializeSecurityManager.class)
        .setCheckStatus(SerializeCheckStatus.WARN);
    DefaultSerializeClassChecker defaultSerializeClassChecker = DefaultSerializeClassChecker.getInstance();

    // Socket is on the default deny list; WARN mode should not throw here either.
    Assertions.assertDoesNotThrow(() ->
        defaultSerializeClassChecker.loadClass(
            Thread.currentThread().getContextClassLoader(), Socket.class.getName()));
    Assertions.assertNotEquals(
        Socket.class,
        defaultSerializeClassChecker.loadClass(
            Thread.currentThread().getContextClassLoader(), Socket.class.getName()));
}

What you expected to happen

No exceptions; expected to be consistent with the logic and results of Fastjson2SecurityManager.

Anything else

No response

Are you willing to submit a pull request to fix on your own?

  • Yes I am willing to submit a pull request on my own!

Code of Conduct

@AlbumenJ
Member

This is by design, because Level.class is in the default deny list. The default deny list has the highest priority.

@wuwen5
Contributor Author

wuwen5 commented Feb 27, 2025

The Level is just an example I used for unit testing, primarily to highlight the inconsistency with the verification logic in Fastjson2SecurityManager. When using Fastjson2, if the check status is set to WARN, it should log a warning instead of throwing an exception.
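The two positions in this thread can be stated as one small policy model. The following is an added illustration, not Dubbo source and not its API: the enum mirrors Dubbo's DISABLE/WARN/STRICT check statuses, the class names in the lists are constructed samples, and the `denyListWinsOverWarn` flag is a hypothetical switch that selects between the maintainer's stated rule (built-in deny list throws even under WARN) and the fastjson2 behaviour the reporter expects (WARN only logs).

```java
import java.util.Set;
import java.util.logging.Logger;

/** Illustration only: models how check status and the built-in deny list interact. */
public class SerializeCheckModel {
    enum CheckStatus { DISABLE, WARN, STRICT }

    private static final Logger LOG = Logger.getLogger(SerializeCheckModel.class.getName());

    // Constructed sample entries; Dubbo's real lists are loaded from its own resources.
    static final Set<String> DEFAULT_DENY_LIST = Set.of("java.net.Socket", "java.util.logging.Level");
    static final Set<String> ALLOW_LIST = Set.of("com.example.OrderDto");

    /**
     * Returns true when deserialization may proceed. Throws only where the modelled
     * policy says so: always under STRICT, and under WARN only for built-in deny-list
     * hits when denyListWinsOverWarn is true (the hessian2 behaviour reported above).
     */
    static boolean check(CheckStatus status, String className, boolean denyListWinsOverWarn) {
        if (status == CheckStatus.DISABLE) {
            return true; // no checking at all
        }
        boolean denied = DEFAULT_DENY_LIST.contains(className);
        boolean allowed = ALLOW_LIST.contains(className);
        if (!denied && allowed) {
            return true; // clean pass, nothing to report
        }
        if (status == CheckStatus.STRICT || (denied && denyListWinsOverWarn)) {
            throw new IllegalArgumentException("Blocked class during deserialization: " + className);
        }
        // WARN: log the violation and let it through (what the reporter expects from fastjson2).
        LOG.warning("Serialization check failed for " + className + " (status=WARN, allowing)");
        return true;
    }

    public static void main(String[] args) {
        // fastjson2-style: WARN logs and returns true even for a deny-listed class
        System.out.println(check(CheckStatus.WARN, "java.util.logging.Level", false));
        try {
            // hessian2-style: the built-in deny list wins regardless of WARN
            check(CheckStatus.WARN, "java.util.logging.Level", true);
        } catch (IllegalArgumentException e) {
            System.out.println("deny list wins: " + e.getMessage());
        }
    }
}
```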

2 participants