apache/dubbo

[Bug] In `DefaultSerializeClassChecker` When the check mode is `WARN`, an exception still occurs.

Open

#15179 opened on Feb 26, 2025

Labels: help wanted, type/enhancement

Description

Pre-check

  • I am sure that all the content I provide is in English.

Search before asking

  • I had searched in the issues and found no similar issues.

Apache Dubbo Component

Java SDK (apache/dubbo)

Dubbo Version

Dubbo Java 3.2.16, 3.3.3

Steps to reproduce this issue

// Imports added for completeness; the issue omits them. `Level` is assumed to be
// java.util.logging.Level, since the issue does not say which Level class it uses.
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.net.Socket;
import java.util.logging.Level;

import org.apache.dubbo.common.URL;
import org.apache.dubbo.common.serialize.ObjectOutput;
import org.apache.dubbo.common.serialize.Serialization;
import org.apache.dubbo.common.utils.DefaultSerializeClassChecker;
import org.apache.dubbo.common.utils.SerializeCheckStatus;
import org.apache.dubbo.common.utils.SerializeSecurityManager;
import org.apache.dubbo.rpc.model.FrameworkModel;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.Test;

@Test
void testCheckStatusWarn() throws IOException {
    // Put the framework's serialize security manager into WARN mode
    FrameworkModel frameworkModel = new FrameworkModel();
    SerializeSecurityManager ssm = frameworkModel.getBeanFactory().getBean(SerializeSecurityManager.class);
    ssm.setCheckStatus(SerializeCheckStatus.WARN);

    Serialization serialization = frameworkModel.getExtensionLoader(Serialization.class)
        // When using fastjson2, it's ok.
        .getExtension("hessian2");
    URL url = URL.valueOf("").setScopeModel(frameworkModel);
    ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
    ObjectOutput objectOutput = serialization.serialize(url, outputStream);
    objectOutput.writeObject(Level.ALL);
    objectOutput.flushBuffer();

    // In WARN mode, deserializing should only log a warning, not throw
    Assertions.assertDoesNotThrow(() -> serialization.deserialize(url,
        new ByteArrayInputStream(outputStream.toByteArray())));
}

@Test
void testCommon() throws ClassNotFoundException {
    FrameworkModel.defaultModel()
        .getBeanFactory()
        .getBean(SerializeSecurityManager.class)
        .setCheckStatus(SerializeCheckStatus.WARN);
    DefaultSerializeClassChecker defaultSerializeClassChecker = DefaultSerializeClassChecker.getInstance();

    // java.net.Socket is a disallowed class: in WARN mode the checker should not throw ...
    Assertions.assertDoesNotThrow(() -> {
        defaultSerializeClassChecker.loadClass(
            Thread.currentThread().getContextClassLoader(), Socket.class.getName());
    });
    // ... and should not hand the disallowed class back as-is
    Assertions.assertNotEquals(
        Socket.class, defaultSerializeClassChecker.loadClass(
            Thread.currentThread().getContextClassLoader(), Socket.class.getName()));
}

What you expected to happen

No exceptions; expected to be consistent with the logic and results of Fastjson2SecurityManager.
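An added illustration, not Dubbo's code, of a check-mode decision that satisfies the two assertions in the reproduction above: under WARN a blocked or non-Serializable class is logged and not handed back (null here), under STRICT it throws, and under DISABLE it loads unchecked. The enum, the blocklist prefixes and the class names are constructed for the demo.

```java
import java.io.Serializable;
import java.util.List;
import java.util.function.Consumer;

public class WarnModeCheckerDemo {
    enum CheckStatus { DISABLE, WARN, STRICT }

    // Constructed sample blocklist for the demo; Dubbo ships its own lists.
    static final List<String> BLOCKED_PREFIXES = List.of("java.net.", "java.lang.ProcessBuilder");

    // DISABLE: load unconditionally. STRICT: throw on any violation.
    // WARN: log the violation and return null so the caller continues without the class.
    static Class<?> checkAndLoad(ClassLoader cl, String className, CheckStatus status, Consumer<String> log)
            throws ClassNotFoundException {
        Class<?> clazz = Class.forName(className, false, cl); // resolve without running static initialisers
        if (status == CheckStatus.DISABLE) {
            return clazz;
        }
        String violation = null;
        for (String prefix : BLOCKED_PREFIXES) {
            if (className.startsWith(prefix)) {
                violation = className + " matches blocked prefix " + prefix;
                break;
            }
        }
        if (violation == null && !clazz.isPrimitive() && !Serializable.class.isAssignableFrom(clazz)) {
            violation = className + " does not implement Serializable";
        }
        if (violation == null) {
            return clazz;
        }
        if (status == CheckStatus.STRICT) {
            throw new IllegalArgumentException("[Serialization Security] " + violation);
        }
        log.accept("[Serialization Security] WARN: " + violation);
        return null;
    }

    public static void main(String[] args) throws ClassNotFoundException {
        ClassLoader cl = Thread.currentThread().getContextClassLoader();
        String socket = java.net.Socket.class.getName();
        // WARN: a warning is logged, nothing is thrown, and Socket is not returned
        System.out.println("WARN returned: " + checkAndLoad(cl, socket, CheckStatus.WARN, System.err::println));
        try {
            checkAndLoad(cl, socket, CheckStatus.STRICT, System.err::println);
        } catch (IllegalArgumentException e) {
            System.out.println("STRICT rejected: " + e.getMessage());
        }
        System.out.println("WARN on String: " + checkAndLoad(cl, "java.lang.String", CheckStatus.WARN, System.err::println));
    }
}
```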

Anything else

No response

Are you willing to submit a pull request to fix on your own?

  • Yes I am willing to submit a pull request on my own!

Code of Conduct

Contributor guide