
[Bug] In DefaultSerializeClassChecker, when the check mode is WARN, an exception still occurs. #15179

Open
@wuwen5

Pre-check

  • I am sure that all the content I provide is in English.

Search before asking

  • I had searched in the issues and found no similar issues.

Apache Dubbo Component

Java SDK (apache/dubbo)

Dubbo Version

Dubbo Java 3.2.16, 3.3.3

Steps to reproduce this issue

@Test
void testCheckStatusWarn() throws IOException {
    FrameworkModel frameworkModel = new FrameworkModel();
    SerializeSecurityManager ssm = frameworkModel.getBeanFactory().getBean(SerializeSecurityManager.class);
    ssm.setCheckStatus(SerializeCheckStatus.WARN);

    Serialization serialization = frameworkModel.getExtensionLoader(Serialization.class)
        // When using fastjson2, it's OK.
        .getExtension("hessian2");
    URL url = URL.valueOf("").setScopeModel(frameworkModel);
    ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
    ObjectOutput objectOutput = serialization.serialize(url, outputStream);
    objectOutput.writeObject(Level.ALL);
    objectOutput.flushBuffer();

    Assertions.assertDoesNotThrow(() -> serialization.deserialize(
        url, new ByteArrayInputStream(outputStream.toByteArray())));
}

@Test
void testCommon() throws ClassNotFoundException {
    FrameworkModel.defaultModel()
        .getBeanFactory()
        .getBean(SerializeSecurityManager.class)
        .setCheckStatus(SerializeCheckStatus.WARN);
    DefaultSerializeClassChecker defaultSerializeClassChecker = DefaultSerializeClassChecker.getInstance();
       
    Assertions.assertDoesNotThrow(() -> {
        defaultSerializeClassChecker.loadClass(
            Thread.currentThread().getContextClassLoader(), Socket.class.getName());
    });
    Assertions.assertNotEquals(
        Socket.class, defaultSerializeClassChecker.loadClass(
            Thread.currentThread().getContextClassLoader(), Socket.class.getName()));
}

What you expected to happen

No exceptions. Expected to be consistent with the logic and results of Fastjson2SecurityManager.

Anything else

No response

Are you willing to submit a pull request to fix on your own?

  • Yes I am willing to submit a pull request on my own!

Labels: help wanted, type/enhancement
