diff --git a/dubbo-common/src/main/java/org/apache/dubbo/common/constants/CommonConstants.java b/dubbo-common/src/main/java/org/apache/dubbo/common/constants/CommonConstants.java
index 403011d4e28..dd4ede80660 100644
--- a/dubbo-common/src/main/java/org/apache/dubbo/common/constants/CommonConstants.java
+++ b/dubbo-common/src/main/java/org/apache/dubbo/common/constants/CommonConstants.java
@@ -389,6 +389,8 @@ public interface CommonConstants {
 String DEFAULT_VERSION = "0.0.0";
+ String CLASS_DESERIALIZE_OPEN_CHECK = "dubbo.security.serialize.openCheckClass";
+ String CLASS_DESERIALIZE_BLOCK_ALL = "dubbo.security.serialize.blockAllClassExceptAllow";
 String CLASS_DESERIALIZE_ALLOWED_LIST = "dubbo.security.serialize.allowedClassList";
diff --git a/dubbo-common/src/main/java/org/apache/dubbo/common/utils/SerializeClassChecker.java b/dubbo-common/src/main/java/org/apache/dubbo/common/utils/SerializeClassChecker.java
index b75ae65a0ec..26930950aa1 100644
--- a/dubbo-common/src/main/java/org/apache/dubbo/common/utils/SerializeClassChecker.java
+++ b/dubbo-common/src/main/java/org/apache/dubbo/common/utils/SerializeClassChecker.java
@@ -32,6 +32,7 @@ public class SerializeClassChecker {
 private static volatile SerializeClassChecker INSTANCE = null;
+ private final boolean OPEN_CHECK_CLASS;
 private final boolean BLOCK_ALL_CLASS_EXCEPT_ALLOW;
 private final Set CLASS_DESERIALIZE_ALLOWED_SET = new ConcurrentHashSet<>();
 private final Set CLASS_DESERIALIZE_BLOCKED_SET = new ConcurrentHashSet<>();
@@ -43,6 +44,9 @@ public class SerializeClassChecker {
 private final AtomicLong counter = new AtomicLong(0);
 private SerializeClassChecker() {
+ String openCheckClass = System.getProperty(CommonConstants.CLASS_DESERIALIZE_OPEN_CHECK, "true");
+ OPEN_CHECK_CLASS = Boolean.parseBoolean(openCheckClass);
+ String blockAllClassExceptAllow = System.getProperty(CommonConstants.CLASS_DESERIALIZE_BLOCK_ALL, "false");
 BLOCK_ALL_CLASS_EXCEPT_ALLOW = Boolean.parseBoolean(blockAllClassExceptAllow);
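Review bot: In the `SerializeClassChecker()` constructor hunk, `Boolean.parseBoolean(openCheckClass)` makes the new switch fail open: any value other than a case-insensitive "true" (a typo, "1", "yes", an empty string) parses to false and turns deserialization class validation off. Only an explicit "false" should disable the check, for example `OPEN_CHECK_CLASS = !"false".equalsIgnoreCase(openCheckClass);`. When the check does end up disabled, a single warning logged from the constructor would make that state visible to operators and to log-based monitoring; no logger is visible in this hunk, so that line is described rather than quoted. The constructor body continues outside the hunk.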
@@ -107,6 +111,10 @@ protected static void clearInstance() {
 * @param name class name ( all are convert to lower case )
 */
 public void validateClass(String name) {
+ if(!OPEN_CHECK_CLASS){
+ return;
+ }
+ name = name.toLowerCase(Locale.ROOT);
 if (CACHE == CLASS_ALLOW_LFU_CACHE.get(name)) {
 return;
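Review bot: The new guard at the top of `validateClass` returns before any lookup, so with `dubbo.security.serialize.openCheckClass=false` every class name is accepted, and the Javadoc above the method does not mention this. The allow-cache check is the only lookup visible in the hunk; the blocked-set and `blockAllClassExceptAllow` handling presumably sit further down and would be skipped as well, which should be confirmed against the full method. Add a Javadoc line such as `No validation is performed when dubbo.security.serialize.openCheckClass is false; neither the allow list nor the block list is consulted.` As a style point, the guard should follow the spacing of the neighbouring code: `if (!OPEN_CHECK_CLASS) {`. The method body continues past the end of the hunk.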