[Bug] In `DefaultSerializeClassChecker` When the check mode is `WARN`, an exception still occurs.

Open wuwen5 opened this issue 10 months ago • 2 comments

Pre-check

  • [x] I am sure that all the content I provide is in English.

Search before asking

  • [x] I had searched in the issues and found no similar issues.

Apache Dubbo Component

Java SDK (apache/dubbo)

Dubbo Version

Dubbo Java 3.2.16, 3.3.3

Steps to reproduce this issue

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.net.Socket;
import java.util.logging.Level; // assumed: the Level class the report refers to

import org.apache.dubbo.common.URL;
import org.apache.dubbo.common.serialize.ObjectOutput;
import org.apache.dubbo.common.serialize.Serialization;
import org.apache.dubbo.common.utils.DefaultSerializeClassChecker;
import org.apache.dubbo.common.utils.SerializeCheckStatus;
import org.apache.dubbo.common.utils.SerializeSecurityManager;
import org.apache.dubbo.rpc.model.FrameworkModel;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.Test;

@Test
void testCheckStatusWarn() throws IOException {
    FrameworkModel frameworkModel = new FrameworkModel();
    // Switch the serialize class check on this fresh model to WARN
    SerializeSecurityManager ssm = frameworkModel.getBeanFactory().getBean(SerializeSecurityManager.class);
    ssm.setCheckStatus(SerializeCheckStatus.WARN);

    Serialization serialization = frameworkModel.getExtensionLoader(Serialization.class)
        // When using fastjson2, it's ok.
        .getExtension("hessian2");
    URL url = URL.valueOf("").setScopeModel(frameworkModel);
    ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
    ObjectOutput objectOutput = serialization.serialize(url, outputStream);
    // Round-trip a value of a deny-listed class
    objectOutput.writeObject(Level.ALL);
    objectOutput.flushBuffer();

    // Under WARN the reporter expects a logged warning, not an exception
    Assertions.assertDoesNotThrow(() -> serialization.deserialize(url,
        new ByteArrayInputStream(outputStream.toByteArray())));
}

@Test
void testCommon() throws ClassNotFoundException {
    FrameworkModel.defaultModel()
        .getBeanFactory()
        .getBean(SerializeSecurityManager.class)
        .setCheckStatus(SerializeCheckStatus.WARN);
    DefaultSerializeClassChecker defaultSerializeClassChecker = DefaultSerializeClassChecker.getInstance();

    // Socket is not an allowed class; under WARN loading it should not throw ...
    Assertions.assertDoesNotThrow(() -> {
        defaultSerializeClassChecker.loadClass(
            Thread.currentThread().getContextClassLoader(), Socket.class.getName());
    });
    // ... and the checker should not hand back Socket.class itself
    Assertions.assertNotEquals(
        Socket.class, defaultSerializeClassChecker.loadClass(
            Thread.currentThread().getContextClassLoader(), Socket.class.getName()));
}

What you expected to happen

No exceptions; expected to be consistent with the logic and results of Fastjson2SecurityManager.

Anything else

No response

Are you willing to submit a pull request to fix on your own?

  • [x] Yes I am willing to submit a pull request on my own!

wuwen5 avatar Feb 26 '25 06:02 wuwen5

This is by design, because Level.class is in the default deny list. The default deny list has the highest priority.

AlbumenJ avatar Feb 27 '25 03:02 AlbumenJ

The Level is just an example I used for unit testing, primarily to highlight the inconsistency with the verification logic in Fastjson2SecurityManager. When using Fastjson2, if the check status is set to WARN, it should log a warning instead of throwing an exception.

wuwen5 avatar Feb 27 '25 03:02 wuwen5
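An added probe (not code from the issue or from the Dubbo project) that repeats the reporter's round-trip under every SerializeCheckStatus for both serializers named in the thread, so the mode that actually governs a deny-listed class can be tabulated rather than guessed. It assumes java.util.logging.Level is the Level the thread refers to; the class and method names are mine.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.util.EnumMap;
import java.util.Map;
import java.util.logging.Level; // assumed: the deny-listed Level from the thread
import org.apache.dubbo.common.URL;
import org.apache.dubbo.common.serialize.ObjectOutput;
import org.apache.dubbo.common.serialize.Serialization;
import org.apache.dubbo.common.utils.SerializeCheckStatus;
import org.apache.dubbo.common.utils.SerializeSecurityManager;
import org.apache.dubbo.rpc.model.FrameworkModel;

/** Hypothetical helper: records, per check status, how a serialization treats a deny-listed payload. */
public class SerializeCheckStatusProbe {

    /** Returns "accepted" for statuses that let the round-trip through, else the exception raised. */
    public static Map<SerializeCheckStatus, String> probe(String serializationName, Object payload) {
        Map<SerializeCheckStatus, String> outcomes = new EnumMap<>(SerializeCheckStatus.class);
        for (SerializeCheckStatus status : SerializeCheckStatus.values()) {
            // One FrameworkModel per status so the setting cannot leak between runs
            FrameworkModel model = new FrameworkModel();
            try {
                model.getBeanFactory().getBean(SerializeSecurityManager.class).setCheckStatus(status);
                Serialization serialization =
                        model.getExtensionLoader(Serialization.class).getExtension(serializationName);
                URL url = URL.valueOf("").setScopeModel(model);
                ByteArrayOutputStream out = new ByteArrayOutputStream();
                ObjectOutput objectOutput = serialization.serialize(url, out);
                objectOutput.writeObject(payload);
                objectOutput.flushBuffer();
                // The check may already fire on write; forcing a full read catches it at the latest here
                serialization.deserialize(url, new ByteArrayInputStream(out.toByteArray())).readObject();
                outcomes.put(status, "accepted");
            } catch (Exception e) {
                outcomes.put(status, e.getClass().getName() + ": " + e.getMessage());
            } finally {
                model.destroy();
            }
        }
        return outcomes;
    }

    public static void main(String[] args) {
        // Compare the two serializers named in the issue on the same deny-listed value
        for (String name : new String[] {"hessian2", "fastjson2"}) {
            System.out.println(name + " -> " + probe(name, Level.ALL));
        }
    }
}
```

A row that reads "accepted" under WARN for one serializer and an exception under WARN for the other is the inconsistency the report describes, printed side by side.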