Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Bug] In DefaultSerializeClassChecker When the check mode is WARN, an exception still occurs. #15179

Open
4 tasks done
wuwen5 opened this issue Feb 26, 2025 · 2 comments
Open
4 tasks done

[Bug] In DefaultSerializeClassChecker When the check mode is WARN, an exception still occurs. #15179

wuwen5 opened this issue Feb 26, 2025 · 2 comments
Labels
component/need-triage Need maintainers to triage type/need-triage Need maintainers to triage

Comments

@wuwen5
Copy link
Contributor

wuwen5 commented Feb 26, 2025
edited
Loading

Pre-check

  • I am sure that all the content I provide is in English.

Search before asking

  • I had searched in the issues and found no similar issues.

Apache Dubbo Component

Java SDK (apache/dubbo)

Dubbo Version

Dubbo Java 3.2.16、3.3.3

Steps to reproduce this issue

@Test
void testCheckStatusWarn() throws IOException {
    FrameworkModel frameworkModel = new FrameworkModel();
    SerializeSecurityManager ssm = frameworkModel.getBeanFactory().getBean(SerializeSecurityManager.class);
    ssm.setCheckStatus(SerializeCheckStatus.WARN);

    Serialization serialization = frameworkModel.getExtensionLoader(Serialization.class)
        //When using fastjson2, it's ok.
        .getExtension("hessian2");
    URL url = URL.valueOf("").setScopeModel(frameworkModel);
    ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
    ObjectOutput objectOutput = serialization.serialize(url, outputStream);
    objectOutput.writeObject(Level.ALL);
    objectOutput.flushBuffer();

    Assertions.assertDoesNotThrow(() -> serialization.deserialize(url, new 
        ByteArrayInputStream(outputStream.toByteArray())));
}

@Test
void testCommon() throws ClassNotFoundException {
    FrameworkModel.defaultModel()
        .getBeanFactory()
        .getBean(SerializeSecurityManager.class)
        .setCheckStatus(SerializeCheckStatus.WARN);
    DefaultSerializeClassChecker defaultSerializeClassChecker = DefaultSerializeClassChecker.getInstance();
       
    Assertions.assertDoesNotThrow(() -> {
        defaultSerializeClassChecker.loadClass(
            Thread.currentThread().getContextClassLoader(), Socket.class.getName());
        });
    Assertions.assertNotEquals(
        Socket.class, defaultSerializeClassChecker.loadClass(
            Thread.currentThread().getContextClassLoader(), Socket.class.getName()));
}

What you expected to happen

No exceptions,Expected to be consistent with the logic and results of Fastjson2SecurityManager

Anything else

No response

Are you willing to submit a pull request to fix on your own?

  • Yes I am willing to submit a pull request on my own!

Code of Conduct
@wuwen5 wuwen5 added component/need-triage Need maintainers to triage type/need-triage Need maintainers to triage labels Feb 26, 2025
@wuwen5 wuwen5 mentioned this issue Feb 26, 2025
Closed
4 tasks
@AlbumenJ
Copy link
Member

This is by design. Because Level.class is in the default deny list. Default deny list has the highest priority

@wuwen5
Copy link
Contributor Author

wuwen5 commented Feb 27, 2025

The Level is just an example I used for unit testing, primarily to highlight the inconsistency with the verification logic in Fastjson2SecurityManager. When using Fastjson2, if the check status is set to WARN, it should log a warning instead of throwing an exception.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
component/need-triage Need maintainers to triage type/need-triage Need maintainers to triage
Projects
Dubbo Board
Status: Todo
Milestone
No milestone
Development

No branches or pull requests
2 participants
@wuwen5 @AlbumenJ