
[Java] allow 'unsafe' Fory usage where class allow/disallow list are not enforced

Open pjfanning opened this issue 5 months ago • 2 comments

Feature Request

We definitely want Fory to be relatively secure by default. Of course, deserializing is always a minefield in Java, and the disallow list in Fory may not have everything in it. Users sending Fory-formatted class instances over the wire should use secure networks. If you have a secure network, users might want to enable unsafe mode and accept the risks. If malicious users can't send messages to your application, then this might be acceptable. When deserializing, checking the classes against the disallow list (for instance) does take a certain amount of time. If this feature was added, we could add warnings in the docs to discourage its use unless the users understand what they are doing.

Is your feature request related to a problem? Please describe

No response

Describe the solution you'd like

No response

Describe alternatives you've considered

No response

Additional context

No response

pjfanning avatar Jul 05 '25 16:07 pjfanning

When deserializing, checking the classes against the disallow list (for instance) does take a certain amount of time.

This check only happens the first time, and the result is cached. Currently, the classes in DisallowedList definitely should not be serialized. If there are some classes in this list that need to be serialized, users can invoke fory#registerSerializer beforehand when creating fory. In this way, they can work around this limit. And since users registered their own serializers, it's the user's duty to ensure serialization safety.

chaokunyang avatar Jul 06 '25 11:07 chaokunyang
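The workaround chaokunyang describes, shown as an added example that is not part of this issue or of the Fory project's own code: class registration stays enforced, and a hand-written serializer is registered up front for the one class that needs to cross the wire, so the global checks never have to be disabled. The `Invoice` class and `InvoiceSerializer` are constructed for the example; the package names and method signatures (`Fory.builder()`, `requireClassRegistration`, `registerSerializer`, `Serializer`, `MemoryBuffer`, `writeJavaString`/`readJavaString`) are taken from my reading of the Apache Fory Java API and are assumptions to check against the version you have installed.

```java
// Added example, not code from the issue or from Apache Fory itself.
// Assumed API: org.apache.fory.* package layout and the signatures used below.
import org.apache.fory.Fory;
import org.apache.fory.config.Language;
import org.apache.fory.memory.MemoryBuffer;
import org.apache.fory.serializer.Serializer;

public class RegisterSerializerExample {

  // Constructed sample type; it stands in for any class that must be
  // serialized, including one the disallow list would otherwise reject.
  public static final class Invoice {
    final long id;
    final String customer;

    Invoice(long id, String customer) {
      this.id = id;
      this.customer = customer;
    }
  }

  // Hand-written serializer: exactly two fields are written and read, so the
  // payload can never name an arbitrary class or smuggle in a nested object
  // graph. With a registered serializer, input validation is the user's job.
  public static final class InvoiceSerializer extends Serializer<Invoice> {
    public InvoiceSerializer(Fory fory) {
      super(fory, Invoice.class);
    }

    @Override
    public void write(MemoryBuffer buffer, Invoice value) {
      buffer.writeInt64(value.id);
      fory.writeJavaString(buffer, value.customer);
    }

    @Override
    public Invoice read(MemoryBuffer buffer) {
      long id = buffer.readInt64();
      String customer = fory.readJavaString(buffer);
      // Bound untrusted input before it is used anywhere else.
      if (customer == null || customer.length() > 256) {
        throw new IllegalArgumentException("invalid customer field in payload");
      }
      return new Invoice(id, customer);
    }
  }

  public static Fory buildFory() {
    Fory fory = Fory.builder()
        .withLanguage(Language.JAVA)
        // Keep the secure default: classes that are not registered are rejected.
        .requireClassRegistration(true)
        .build();
    // Register the serializer while building, before any deserialize() call,
    // which is the "beforehand when creating fory" step from the comment above.
    fory.registerSerializer(Invoice.class, InvoiceSerializer.class);
    return fory;
  }

  public static void main(String[] args) {
    Fory fory = buildFory();
    byte[] bytes = fory.serialize(new Invoice(42L, "acme"));
    Invoice back = (Invoice) fory.deserialize(bytes);
    System.out.println(back.id + " " + back.customer);
  }
}
```

The design point is that registering a serializer narrows what the decoder will accept to a fixed field layout for one known class, which is a smaller attack surface than a generic "unsafe mode" that skips the allow/disallow checks for every class at once.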

@chaokunyang thanks for the response. I guess you are saying that the disallow list check is so cheap that there is no point allowing users to skip it?

pjfanning avatar Jul 06 '25 17:07 pjfanning