add doc, simply blocked list

apache · Mar 25, 2021 · 0e5fe72 · 0e5fe72
1 parent ac3b302
commit 0e5fe72
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 55 deletions.
diff --git a/dubbo-common/src/main/java/org/apache/dubbo/common/utils/SerializeClassChecker.java b/dubbo-common/src/main/java/org/apache/dubbo/common/utils/SerializeClassChecker.java
@@ -100,6 +100,12 @@ protected static void clearInstance() {
         INSTANCE = null;
     }
 
+    /**
+     * Check if a class is in block list, using prefix match
+     *
+     * @throws IllegalArgumentException if class is blocked
+     * @param name class name ( all are convert to lower case )
+     */
     public void validateClass(String name) {
         name = name.toLowerCase(Locale.ROOT);
         if (CACHE == CLASS_ALLOW_LFU_CACHE.get(name)) {

diff --git a/dubbo-common/src/main/resources/security/serialize.blockedlist b/dubbo-common/src/main/resources/security/serialize.blockedlist
@@ -19,24 +19,17 @@
 aj.org.objectweb.asm.
 br.com.anteros.
 ch.qos.logback.
-ch.qos.logback.core.db.jndiconnectionsource
 clojure.core$constantly
 clojure.main$eval_opt
 com.alibaba.citrus.springext.support.parser.abstractnamedproxybeandefinitionparser$proxytargetfactory
-com.alibaba.citrus.springext.support.parser.abstractnamedproxybeandefinitionparser$proxytargetfactoryimpl
 com.alibaba.citrus.springext.util.springextutil.abstractproxy
 com.alibaba.druid.pool.druiddatasource
 com.alibaba.druid.stat.jdbcdatasourcestat
 com.alibaba.fastjson.annotation
 com.alipay.custrelation.service.model.redress.pair
 com.caucho.
-com.caucho.hessian.test.testcons
-com.caucho.naming.qname
 com.ibatis.
-com.ibatis.sqlmap.engine.datasource
 com.mchange
-com.mchange.v2.c3p0.jndirefforwardingdatasource
-com.mchange.v2.c3p0.wrapperconnectionpooldatasource
 com.mysql.cj.jdbc.admin.
 com.mysql.cj.jdbc.mysqlconnectionpooldatasource
 com.mysql.cj.jdbc.mysqldatasource
@@ -46,18 +39,9 @@ com.p6spy.engine.
 com.rometools.rome.feed.impl.equalsbean
 com.rometools.rome.feed.impl.tostringbean
 com.sun.
-com.sun.jndi.rmi.registry.bindingenumeration
-com.sun.jndi.toolkit.dir.lazysearchenumerationimpl
-com.sun.org.apache.bcel.internal.util.classloader
-com.sun.org.apache.xalan.internal.xsltc.trax.templatesimpl
-com.sun.org.apache.xml.internal.security.signature.xmlsignatureinput
-com.sun.org.apache.xpath
-com.sun.rowset.jdbcrowsetimpl
-com.sun.xml.internal.bind.v2.runtime.unmarshaller.base64data
 com.taobao.eagleeye.wrapper
 com.zaxxer.hikari.
 flex.messaging.util.concurrent.
-flex.messaging.util.concurrent.asynchbeansworkmanagerexecutor
 java.awt.i
 java.awt.p
 java.beans.expression
@@ -76,7 +60,6 @@ java.net.inetaddress
 java.net.socket
 java.net.url
 java.rmi
-java.rmi.server.unicastremoteobject
 java.security.signedobject
 java.util.collection
 java.util.eventlistener
@@ -85,23 +68,15 @@ java.util.logging.
 java.util.prefs.
 java.util.serviceloader$lazyiterator
 javassist.
-javassist.bytecode
-javassist.tools.web.viewer
 javax.activation.
 javax.imageio.imageio$containsfilter
 javax.imageio.spi.serviceregistry
 javax.management.
-javax.management.badattributevalueexpexception
-javax.management.immutabledescriptor
 javax.naming.
-javax.naming.initialcontext
-javax.naming.spi.objectfactory
 javax.net.
 javax.print.
 javax.script.
-javax.script.scriptenginemanager
 javax.sound.
-javax.sound.sampled.audioformat$encoding
 javax.swing.j
 javax.tools.
 javax.xml
@@ -113,11 +88,8 @@ net.sf.cglib.
 net.sf.ehcache.hibernate.
 net.sf.ehcache.transaction.manager.
 oracle.jdbc.
-oracle.jdbc.connector.oraclemanagedconnectionfactory
-oracle.jdbc.rowset.oraclejdbcrowset
 oracle.jms.aq
 oracle.net
-oracle.net.
 org.aoju.bus.proxy.provider.
 org.apache.activemq.activemqconnectionfactory
 org.apache.activemq.activemqxaconnectionfactory
@@ -132,7 +104,6 @@ org.apache.carbondata.core.scan.expression.expressionresult
 org.apache.catalina.
 org.apache.cocoon.
 org.apache.commons.beanutils
-org.apache.commons.beanutils.beanmap
 org.apache.commons.collections.comparators.
 org.apache.commons.collections.functors
 org.apache.commons.collections.functors.
@@ -141,9 +112,7 @@ org.apache.commons.collections4.comparators
 org.apache.commons.collections4.functors
 org.apache.commons.collections4.transformer
 org.apache.commons.configuration
-org.apache.commons.configuration.jndiconfiguration
 org.apache.commons.dbcp
-org.apache.commons.dbcp.datasources.sharedpooldatasource
 org.apache.commons.fileupload
 org.apache.commons.jelly.
 org.apache.commons.logging.
@@ -155,15 +124,8 @@ org.apache.http.conn.
 org.apache.http.cookie.
 org.apache.http.impl.
 org.apache.ibatis.datasource
-org.apache.ibatis.datasource.
 org.apache.ibatis.executor.
-org.apache.ibatis.executor.loader.abstractserialstateholder
-org.apache.ibatis.executor.loader.cglib.cglibproxyfactory
-org.apache.ibatis.executor.loader.cglibserialstateholder
-org.apache.ibatis.executor.loader.javassist.javassistserialstateholder
-org.apache.ibatis.executor.loader.javassistserialstateholder
 org.apache.ibatis.javassist.
-org.apache.ibatis.javassist.bytecode
 org.apache.ibatis.ognl.
 org.apache.ibatis.parsing.
 org.apache.ibatis.reflection.
@@ -176,20 +138,13 @@ org.apache.openjpa.ee.
 org.apache.shiro.jndi.
 org.apache.shiro.realm.
 org.apache.tomcat
-org.apache.tomcat.dbcp.dbcp.basicdatasource
-org.apache.tomcat.dbcp.dbcp.datasources.sharedpooldatasource
 org.apache.wicket.util
-org.apache.wicket.util.upload.diskfileitem
 org.apache.xalan
-org.apache.xalan.xsltc.trax.templatesimpl
 org.apache.xbean.
-org.apache.xbean.naming.context.contextutil$readonlybinding
 org.apache.xpath.xpathcontext
 org.codehaus.groovy.runtime
-org.codehaus.groovy.runtime.methodclosure
 org.codehaus.jackson.
 org.eclipse.jetty.
-org.eclipse.jetty.util.log.loggerlog
 org.geotools.filter.constantexpression
 org.h2.jdbcx.
 org.h2.server.
@@ -208,15 +163,5 @@ org.python.core
 org.quartz.
 org.slf4j.
 org.springframework.
-org.springframework.aop.aspectj.autoproxy.aspectjawareadvisorautoproxycreator$partiallycomparableadvisorholder
-org.springframework.aop.support.defaultbeanfactorypointcutadvisor
-org.springframework.beans.factory.beanfactory
-org.springframework.beans.factory.config.methodinvokingfactorybean
-org.springframework.beans.factory.config.propertypathfactorybean
-org.springframework.beans.factory.support.defaultlistablebeanfactory
-org.springframework.jndi.jndiobjecttargetsource
-org.springframework.jndi.support.simplejndibeanfactory
-org.springframework.orm.jpa.abstractentitymanagerfactorybean
-org.springframework.transaction.jta.jtatransactionmanager
 org.yaml.snakeyaml.tokens.directivetoken
 sun.rmi.server.unicastref