apache/fory

dubbo-serialization-fury allowList/allowListPrefix doesn't take affect

Open

#1651 aperta il 28 mag 2024

Vedi su GitHub
 (1 commento) (0 reazioni) (0 assegnatari)Java (426 fork)auto 404
enhancementgood first issue

Metriche repository

Star
 (4419 star)
Metriche merge PR
 (Metriche PR in attesa)

Descrizione

Is your feature request related to a problem? Please describe.

When Dubbo class serialization security check is enabled:

dubbo.application.serialize-check-status=STRICT
dubbo.application.auto-trust-serialize-class=true
dubbo.application.trust-serialize-class-level=3

Dubbo Serialization Fury keeps running an exception during deserialization, indicating that it is not in the serialization allowlist.

After debugging, the reason for this exception is that FuryCheckerListener#notifyPrefix method calls AllowListChecker without adding * to the allowedList and Fury AllowListChecker uses the suffix character * to determine whether it is a prefix match or an exact match..

For example, for DTO io.github.playground.server.model.User, the allowedList finally parsed by the dubbo security mechanism io.github.playground is added to AllowListChecker through FuryCheckerListener and saved in allowList instead of allowListPrefix.

Describe the solution you'd like

FuryCheckerListener adapts to AllowListChecker by appending the suffix character * .

Additional context

dubbo: 3.2 dubbo-serialization-fury: 3.2.0 dubbo security mechanism: https://cn.dubbo.apache.org/en/docs3-v2/java-sdk/advanced-features-and-usage/security/class-check/

Guida contributor