[Bug] [Serialization Security] Serialized class java.lang.ArithmeticException is not in allow list.
Pre-check
- [X] I am sure that all the content I provide is in English.
Search before asking
- [X] I had searched in the issues and found no similar issues.
Apache Dubbo Component
Java SDK (apache/dubbo)
Dubbo Version
dubbo-3.3.0-beta.3-SNAPSHOT.jar
Steps to reproduce this issue
When I upgrade to dubbo-3.3.0-beta.3-SNAPSHOT.jar it shows this error; I think it is violent and incompatible.

```
Wrapped by: java.util.concurrent.ExecutionException: org.apache.dubbo.remoting.RemotingException: java.io.IOException: org.apache.dubbo.common.serialize.SerializationException: java.lang.IllegalArgumentException: [Serialization Security] Serialized class java.lang.ArithmeticException is not in allow list. Current mode is `STRICT`, will disallow to deserialize it by default. Please add it into security/serialize.allowlist or follow FAQ to configure it.
java.io.IOException: org.apache.dubbo.common.serialize.SerializationException: java.lang.IllegalArgumentException: [Serialization Security] Serialized class java.lang.ArithmeticException is not in allow list. Current mode is `STRICT`, will disallow to deserialize it by default. Please add it into security/serialize.allowlist or follow FAQ to configure it.
    at org.apache.dubbo.common.serialize.DefaultSerializationExceptionWrapper.handleToIOException(DefaultSerializationExceptionWrapper.java:353)
    at org.apache.dubbo.common.serialize.DefaultSerializationExceptionWrapper.access$000(DefaultSerializationExceptionWrapper.java:27)
    at org.apache.dubbo.common.serialize.DefaultSerializationExceptionWrapper$ProxyObjectInput.readThrowable(DefaultSerializationExceptionWrapper.java:181)
    at org.apache.dubbo.rpc.protocol.dubbo.DecodeableRpcResult.handleException(DecodeableRpcResult.java:186)
    at org.apache.dubbo.rpc.protocol.dubbo.DecodeableRpcResult.decode(DecodeableRpcResult.java:114)
    at org.apache.dubbo.rpc.protocol.dubbo.DecodeableRpcResult.decode(DecodeableRpcResult.java:153)
    at org.apache.dubbo.remoting.transport.DecodeHandler.decode(DecodeHandler.java:61)
    at org.apache.dubbo.remoting.transport.DecodeHandler.received(DecodeHandler.java:49)
    at org.apache.dubbo.remoting.transport.dispatcher.ChannelEventRunnable.run(ChannelEventRunnable.java:64)
    at org.apache.dubbo.common.threadpool.ThreadlessExecutor$RunnableWrapper.run(ThreadlessExecutor.java:151)
    at org.apache.dubbo.common.threadpool.ThreadlessExecutor.waitAndDrain(ThreadlessExecutor.java:77)
```
What you expected to happen
Upgrading the package version should not directly cause incompatibility errors. Can this check be turned off by default?
Anything else
No response
Are you willing to submit a pull request to fix on your own?
- [ ] Yes I am willing to submit a pull request on my own!
Code of Conduct
- [X] I agree to follow this project's Code of Conduct
Please add it into the default allow list
> Please add it into the default allow list

Can we consider a blacklist mechanism? Originally, the code did not need to be added, but after upgrading, it needs to be added one by one, which can easily lead to difficulties in upgrading.
> Please add it into the default allow list
>
> Can we consider a blacklist mechanism? Originally, the code did not need to be added, but after upgrading, it needs to be added one by one, which can easily lead to difficulties in upgrading.

No, a blacklist cannot resolve the serialization risk. Security is more important than usability.
Maybe setting the SerializeCheckStatus mode to warn can work?
Perhaps you can add the following content to the public namespace of Dubbo in the configuration center.

```yaml
dubbo:
  application:
    serialize-check-status: WARN
```
If there are no further issues, please close this issue. @songxiaosheng
> Please add it into the default allow list

How to add?
> Please add it into the default allow list
>
> How to add?

I hope this helps you: https://cn.dubbo.apache.org/zh-cn/overview/mannual/java-sdk/tasks/security/class-check/
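The thread settles on running the class check in `WARN` mode and then adding the classes that are actually exchanged to `security/serialize.allowlist`. The script below is an added example, not code from Dubbo or from anyone in this thread. It collects the class names Dubbo flags in `WARN`-mode log lines (the message wording is the one in the stack trace above) and splits them into the application's own DTO classes, which can go straight into the allowlist, and JDK or framework classes such as `java.lang.ArithmeticException`, which a reviewer should look at before allowing, since waving through arbitrary classes or disabling the check is what re-opens the deserialization risk the check exists to close. The log lines are constructed, the `com.example.` application prefix and the review-prefix list are assumptions, and the one-fully-qualified-class-per-line file format is assumed from the linked documentation.

```python
"""Build a reviewable Dubbo serialize.allowlist from WARN-mode log lines (added example)."""
import re

# Matches the message Dubbo emits for a class that is not on the allowlist;
# the wording is taken from the stack trace in the issue above.
_NOT_ALLOWED = re.compile(
    r"\[Serialization Security\] Serialized class (?P<cls>[\w$.]+) is not in allow list"
)

# Constructed sample log lines for this example; not output captured from a real system.
SAMPLE_LOG = """\
2024-01-01 10:00:00 WARN  [Serialization Security] Serialized class java.lang.ArithmeticException is not in allow list. Current mode is `WARN`, will disallow to deserialize it by default.
2024-01-01 10:00:01 INFO  request ok
2024-01-01 10:00:02 WARN  [Serialization Security] Serialized class com.example.dto.OrderDTO is not in allow list. Current mode is `WARN`, will disallow to deserialize it by default.
2024-01-01 10:00:03 WARN  [Serialization Security] Serialized class java.lang.ArithmeticException is not in allow list. Current mode is `WARN`, will disallow to deserialize it by default.
"""

# Assumed list of package prefixes that should never be allow-listed on autopilot:
# JDK and framework classes are where deserialization gadget chains usually live.
REVIEW_PREFIXES = ("java.", "javax.", "sun.", "com.sun.", "org.springframework.")


def flagged_classes(log_text):
    """Return the distinct class names Dubbo flagged, in first-seen order."""
    seen = []
    for line in log_text.splitlines():
        match = _NOT_ALLOWED.search(line)
        if match and match.group("cls") not in seen:
            seen.append(match.group("cls"))
    return seen


def split_for_review(classes, app_prefixes):
    """Split flagged classes into (auto_ok, needs_review).

    A class is auto-accepted only if it lives under one of the application's own
    package prefixes (assumed, e.g. ("com.example.",)) and not under a review prefix.
    """
    auto_ok, needs_review = [], []
    for cls in classes:
        if cls.startswith(app_prefixes) and not cls.startswith(REVIEW_PREFIXES):
            auto_ok.append(cls)
        else:
            needs_review.append(cls)
    return auto_ok, needs_review


def render_allowlist(classes):
    """Render one fully qualified class name per line (assumed serialize.allowlist format)."""
    return "\n".join(sorted(classes)) + "\n"


if __name__ == "__main__":
    flagged = flagged_classes(SAMPLE_LOG)
    ok, review = split_for_review(flagged, ("com.example.",))
    print("# proposed security/serialize.allowlist entries")
    print(render_allowlist(ok), end="")
    print("# flagged classes needing human review before allow-listing:")
    for cls in review:
        print("#   " + cls)
```

Run it over the application's log after a soak period in `WARN` mode; the `auto_ok` output is the candidate allowlist, and the `needs_review` list is what a reviewer decides on explicitly instead of relaxing the check for everything.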