This is an automated email from the ASF dual-hosted git repository.
liujun pushed a commit to branch 2.6.x
in repository https://gitbox.apache.org/repos/asf/dubbo.git
The following commit(s) were added to refs/heads/2.6.x by this push:
new 112990d backport changes from 2.7(#5767)
112990d is described below
commit 112990d06396ba9df3070a4eee077870c724cb82
Author: ken.lj <[email protected]>
AuthorDate: Thu Feb 20 22:35:53 2020 +0800
backport changes from 2.7(#5767)
---
distribution/src/assembly/source-release.xml | 1 +
.../alibaba/dubbo/common/utils/SerialDetector.java | 209 +++++++++++++++++++++
.../src/main/resources/serial-blacklist.properties | 101 ++++++++++
.../dubbo/common/utils/SerialDetectorTest.java | 45 +++++
dubbo-common/src/test/resources/dubbo.properties | 4 +-
.../src/test/resources/security/invalid_data.ser | Bin 0 -> 4002 bytes
.../http/CodebaseAwareObjectInputStream.java | 49 +++++
.../protocol/http/HttpInvokerServiceExporter.java | 33 ++++
.../dubbo/rpc/protocol/http/HttpProtocol.java | 1 -
.../serialize/java/CompactedObjectInputStream.java | 20 ++
.../common/serialize/java/JavaObjectInput.java | 6 +-
.../nativejava/NativeJavaObjectInput.java | 3 +-
12 files changed, 466 insertions(+), 6 deletions(-)
diff --git a/distribution/src/assembly/source-release.xml
b/distribution/src/assembly/source-release.xml
index bbbec61..1eda564 100644
--- a/distribution/src/assembly/source-release.xml
+++ b/distribution/src/assembly/source-release.xml
@@ -49,6 +49,7 @@
<exclude>**/.mvn/**</exclude>
<exclude>**/*.jar</exclude>
<exclude>**/mvnw*</exclude>
+ <exclude>**/invalid_data.ser</exclude>
</excludes>
</fileSet>
</fileSets>
diff --git
a/dubbo-common/src/main/java/com/alibaba/dubbo/common/utils/SerialDetector.java
b/dubbo-common/src/main/java/com/alibaba/dubbo/common/utils/SerialDetector.java
new file mode 100644
index 0000000..e4d47c1
--- /dev/null
+++
b/dubbo-common/src/main/java/com/alibaba/dubbo/common/utils/SerialDetector.java
@@ -0,0 +1,209 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.alibaba.dubbo.common.utils;
+
+import com.alibaba.dubbo.common.Constants;
+import com.alibaba.dubbo.common.logger.Logger;
+import com.alibaba.dubbo.common.logger.LoggerFactory;
+
+import java.io.BufferedReader;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.io.InvalidClassException;
+import java.io.ObjectInputStream;
+import java.io.ObjectStreamClass;
+import java.util.Arrays;
+import java.util.Iterator;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+public class SerialDetector extends ObjectInputStream {
+
+ private static final Logger logger =
LoggerFactory.getLogger(SerialDetector.class);
+
+ private static final BlacklistConfiguration configuration = new
BlacklistConfiguration();
+
+ /**
+ * Wrapper Constructor.
+ *
+ * @param inputStream The original InputStream, used by your service to
receive serialized objects
+ * @throws java.io.IOException File I/O exception
+ * @throws IllegalStateException Invalid configuration exception
+ */
+ public SerialDetector(final InputStream inputStream) throws IOException {
+ super(inputStream);
+ }
+
+ @Override
+ protected Class<?> resolveClass(final ObjectStreamClass serialInput)
throws IOException, ClassNotFoundException {
+ if (isClassInBlacklist(serialInput)) {
+ if (!configuration.shouldCheck()) {
+ // Reporting mode
+ logger.info(String.format("Blacklist match: '%s'",
serialInput.getName()));
+ } else {
+ // Blocking mode
+ logger.error(String.format("Blocked by blacklist'. Match found
for '%s'", serialInput.getName()));
+ throw new InvalidClassException(serialInput.getName(), "Class
blocked from deserialization (blacklist)");
+ }
+ }
+
+ return super.resolveClass(serialInput);
+ }
+
+ public static boolean isClassInBlacklist(final ObjectStreamClass
serialInput) {
+ // Enforce SerialDetector's blacklist
+ Iterable<Pattern> blacklistIterable = configuration.blacklist();
+ if (blacklistIterable == null) {
+ return false;
+ }
+
+ boolean inBlacklist = false;
+ for (Pattern blackPattern : blacklistIterable) {
+ Matcher blackMatcher = blackPattern.matcher(serialInput.getName());
+ if (blackMatcher.find()) {
+ inBlacklist = true;
+ break;
+ }
+ }
+ return inBlacklist;
+ }
+
+ public static boolean shouldCheck() {
+ return configuration.shouldCheck();
+ }
+
+ static final class BlacklistConfiguration {
+ private static final String DUBBO_SECURITY_SERIALIZATION_CHECK =
"dubbo.security.serialization.check";
+ private static final String DUBBO_SECURITY_SERIALIZATION_BLACKLIST =
"dubbo.security.serialization.blacklist";
+ private static final String
DUBBO_SECURITY_SERIALIZATION_BLACKLIST_FILE =
"dubbo.registry.serialization.blacklist.file";
+
+ private boolean check;
+ private PatternList blacklistPattern;
+
+ BlacklistConfiguration() {
+ try {
+ check =
Boolean.parseBoolean(getSecurityProperty(DUBBO_SECURITY_SERIALIZATION_CHECK,
"false"));
+ String blacklist =
getSecurityProperty(DUBBO_SECURITY_SERIALIZATION_BLACKLIST, "");
+ if (StringUtils.isEmpty(blacklist)) {
+ String blacklistFile =
getSecurityProperty(DUBBO_SECURITY_SERIALIZATION_BLACKLIST_FILE, "");
+ if (StringUtils.isNotEmpty(blacklistFile)) {
+ blacklist = loadBlacklistFile(blacklistFile);
+ }
+ }
+ blacklistPattern = new
PatternList(Constants.COMMA_SPLIT_PATTERN.split(blacklist));
+ } catch (Throwable t) {
+ logger.warn("Failed to initialize the Serialization Security
Checker component!", t);
+ }
+ }
+
+ Iterable<Pattern> blacklist() {
+ return blacklistPattern;
+ }
+
+ boolean shouldCheck() {
+ return check;
+ }
+
+ private String loadBlacklistFile(String fileName) {
+ StringBuilder blacklist = new StringBuilder();
+ InputStream is = null;
+
+ File file = new File(fileName);
+ if (file.exists()) {
+ try {
+ is = new FileInputStream(fileName);
+ } catch (Throwable e) {
+ logger.warn("Failed to load " + fileName + " file " +
e.getMessage(), e);
+ }
+ } else {
+ is =
this.getClass().getClassLoader().getResourceAsStream(fileName);
+ }
+
+ try {
+ BufferedReader reader = new BufferedReader(new
InputStreamReader(is));
+ String line = null;
+ while ((line = reader.readLine()) != null) {
+ if (!line.startsWith("#") && StringUtils.isNotEmpty(line))
{
+ blacklist.append(line);
+ blacklist.append(",");
+ }
+ }
+ } catch (Throwable e) {
+ logger.warn("Failed to read from file " + fileName +
e.getMessage(), e);
+ }
+ return blacklist.toString();
+ }
+
+ private String getSecurityProperty(String key, String defaultValue) {
+ String value = ConfigUtils.getSystemProperty(key);
+ if (StringUtils.isEmpty(value)) {
+ value = ConfigUtils.getProperty(key);
+ }
+ return StringUtils.isEmpty(value) ? defaultValue : value;
+ }
+
+ }
+
+ static final class PatternList implements Iterable<Pattern> {
+ private final Pattern[] patterns;
+
+ PatternList(final String... regExps) {
+
+ for (int i = 0; i < regExps.length; i++) {
+ if (regExps[i] == null) {
+ throw new IllegalStateException("Deserialization blacklist
reg expression cannot be null!");
+ }
+ }
+
+ this.patterns = new Pattern[regExps.length];
+ for (int i = 0; i < regExps.length; i++) {
+ patterns[i] = Pattern.compile(regExps[i]);
+ }
+ }
+
+ @Override
+ public Iterator<Pattern> iterator() {
+ return new Iterator<Pattern>() {
+ int index = 0;
+
+ @Override
+ public boolean hasNext() {
+ return index < patterns.length;
+ }
+
+ @Override
+ public Pattern next() {
+ return patterns[index++];
+ }
+
+ @Override
+ public void remove() {
+ throw new UnsupportedOperationException("remove");
+ }
+ };
+ }
+
+ @Override
+ public String toString() {
+ return Arrays.toString(patterns);
+ }
+
+ }
+}
\ No newline at end of file
diff --git a/dubbo-common/src/main/resources/serial-blacklist.properties
b/dubbo-common/src/main/resources/serial-blacklist.properties
new file mode 100644
index 0000000..0f82e25
--- /dev/null
+++ b/dubbo-common/src/main/resources/serial-blacklist.properties
@@ -0,0 +1,101 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+bsh.XThis
+bsh.Interpreter
+com.mchange.v2.c3p0.PoolBackedDataSource
+com.mchange.v2.c3p0.impl.PoolBackedDataSourceBase
+clojure.lang.PersistentArrayMap
+clojure.inspector.proxy$javax.swing.table.AbstractTableModel$ff19274a
+org.apache.commons.beanutils.BeanComparator
+org.apache.commons.collections.Transformer
+org.apache.commons.collections.functors.ChainedTransformer
+org.apache.commons.collections.functors.ConstantTransformer
+org.apache.commons.collections.functors.InstantiateTransformer
+org.apache.commons.collections.map.LazyMap
+org.apache.commons.collections.functors.InvokerTransformer
+org.apache.commons.collections.keyvalue.TiedMapEntry
+org.apache.commons.collections4.comparators.TransformingComparator
+org.apache.commons.collections4.functors.InvokerTransformer
+org.apache.commons.collections4.functors.ChainedTransformer
+org.apache.commons.collections4.functors.ConstantTransformer
+org.apache.commons.collections4.functors.InstantiateTransformer
+org.apache.commons.fileupload.disk.DiskFileItem
+org.apache.commons.io.output.DeferredFileOutputStream
+org.apache.commons.io.output.ThresholdingOutputStream
+org.apache.wicket.util.upload.DiskFileItem
+org.apache.wicket.util.io.DeferredFileOutputStream
+org.apache.wicket.util.io.ThresholdingOutputStream
+org.codehaus.groovy.runtime.ConvertedClosure
+org.codehaus.groovy.runtime.MethodClosure
+org.hibernate.engine.spi.TypedValue
+org.hibernate.tuple.component.AbstractComponentTuplizer
+org.hibernate.tuple.component.PojoComponentTuplizer
+org.hibernate.type.AbstractType
+org.hibernate.type.ComponentType
+org.hibernate.type.Type
+org.hibernate.EntityMode
+com.sun.rowset.JdbcRowSetImpl
+org.jboss.interceptor.builder.InterceptionModelBuilder
+org.jboss.interceptor.builder.MethodReference
+org.jboss.interceptor.proxy.DefaultInvocationContextFactory
+org.jboss.interceptor.proxy.InterceptorMethodHandler
+org.jboss.interceptor.reader.ClassMetadataInterceptorReference
+org.jboss.interceptor.reader.DefaultMethodMetadata
+org.jboss.interceptor.reader.ReflectiveClassMetadata
+org.jboss.interceptor.reader.SimpleInterceptorMetadata
+org.jboss.interceptor.spi.instance.InterceptorInstantiator
+org.jboss.interceptor.spi.metadata.InterceptorReference
+org.jboss.interceptor.spi.metadata.MethodMetadata
+org.jboss.interceptor.spi.model.InterceptionType
+org.jboss.interceptor.spi.model.InterceptionModel
+sun.rmi.server.UnicastRef
+sun.rmi.transport.LiveRef
+sun.rmi.transport.tcp.TCPEndpoint
+java.rmi.server.RemoteObject
+java.rmi.server.RemoteRef
+java.rmi.server.UnicastRemoteObject
+sun.rmi.server.ActivationGroupImpl
+sun.rmi.server.UnicastServerRef
+net.sf.json.JSONObject
+org.jboss.weld.interceptor.builder.InterceptionModelBuilder
+org.jboss.weld.interceptor.builder.MethodReference
+org.jboss.weld.interceptor.proxy.DefaultInvocationContextFactory
+org.jboss.weld.interceptor.proxy.InterceptorMethodHandler
+org.jboss.weld.interceptor.reader.ClassMetadataInterceptorReference
+org.jboss.weld.interceptor.reader.DefaultMethodMetadata
+org.jboss.weld.interceptor.reader.ReflectiveClassMetadata
+org.jboss.weld.interceptor.reader.SimpleInterceptorMetadata
+org.jboss.weld.interceptor.spi.instance.InterceptorInstantiator
+org.jboss.weld.interceptor.spi.metadata.InterceptorReference
+org.jboss.weld.interceptor.spi.metadata.MethodMetadata
+org.jboss.weld.interceptor.spi.model.InterceptionModel
+org.jboss.weld.interceptor.spi.model.InterceptionType
+org.python.core.PyObject
+org.python.core.PyBytecode
+org.python.core.PyFunction
+org.mozilla.javascript.**
+org.apache.myfaces.context.servlet.FacesContextImpl
+org.apache.myfaces.context.servlet.FacesContextImplBase
+org.apache.myfaces.el.CompositeELResolver
+org.apache.myfaces.el.unified.FacesELContext
+org.apache.myfaces.view.facelets.el.ValueExpressionMethodExpression
+com.sun.syndication.feed.impl.ObjectBean
+org.springframework.beans.factory.ObjectFactory
+org.springframework.aop.framework.AdvisedSupport
+org.springframework.aop.target.SingletonTargetSource
+com.vaadin.data.util.NestedMethodProperty
+com.vaadin.data.util.PropertysetItem;
\ No newline at end of file
diff --git
a/dubbo-common/src/test/java/com/alibaba/dubbo/common/utils/SerialDetectorTest.java
b/dubbo-common/src/test/java/com/alibaba/dubbo/common/utils/SerialDetectorTest.java
new file mode 100644
index 0000000..414166a
--- /dev/null
+++
b/dubbo-common/src/test/java/com/alibaba/dubbo/common/utils/SerialDetectorTest.java
@@ -0,0 +1,45 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.alibaba.dubbo.common.utils;
+
+import org.junit.Test;
+
+import java.io.InvalidClassException;
+import java.io.ObjectInputStream;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
+public class SerialDetectorTest {
+ @Test
+ public void testBlacklisted() throws Exception {
+ try {
+ ObjectInputStream stream = new
SerialDetector(getClass().getResourceAsStream("/security/invalid_data.ser"));
+ stream.readObject();
+ fail();
+ } catch (InvalidClassException expected) {
+ assertTrue(expected.getMessage().contains("blocked"));
+ assertTrue(expected.getMessage().contains("blacklist"));
+ assertEquals(expected.classname,
"org.hibernate.engine.spi.TypedValue");
+ } catch (ClassNotFoundException e) {
+ fail(e.getMessage());
+ }
+ }
+
+
+}
diff --git a/dubbo-common/src/test/resources/dubbo.properties
b/dubbo-common/src/test/resources/dubbo.properties
index 15936f9..b505a9e 100644
--- a/dubbo-common/src/test/resources/dubbo.properties
+++ b/dubbo-common/src/test/resources/dubbo.properties
@@ -15,4 +15,6 @@
# limitations under the License.
#
-dubbo=properties
\ No newline at end of file
+dubbo=properties
+dubbo.security.serialization.blacklist=org.hibernate.engine.spi.TypedValue
+dubbo.security.serialization.check=true
\ No newline at end of file
diff --git a/dubbo-common/src/test/resources/security/invalid_data.ser
b/dubbo-common/src/test/resources/security/invalid_data.ser
new file mode 100644
index 0000000..2a3159d
Binary files /dev/null and
b/dubbo-common/src/test/resources/security/invalid_data.ser differ
diff --git
a/dubbo-rpc/dubbo-rpc-http/src/main/java/com/alibaba/dubbo/rpc/protocol/http/CodebaseAwareObjectInputStream.java
b/dubbo-rpc/dubbo-rpc-http/src/main/java/com/alibaba/dubbo/rpc/protocol/http/CodebaseAwareObjectInputStream.java
new file mode 100644
index 0000000..aba71a7
--- /dev/null
+++
b/dubbo-rpc/dubbo-rpc-http/src/main/java/com/alibaba/dubbo/rpc/protocol/http/CodebaseAwareObjectInputStream.java
@@ -0,0 +1,49 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.alibaba.dubbo.rpc.protocol.http;
+
+import com.alibaba.dubbo.common.logger.Logger;
+import com.alibaba.dubbo.common.logger.LoggerFactory;
+import com.alibaba.dubbo.common.utils.SerialDetector;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InvalidClassException;
+import java.io.ObjectStreamClass;
+
+public class CodebaseAwareObjectInputStream extends
org.springframework.remoting.rmi.CodebaseAwareObjectInputStream {
+ private static final Logger logger =
LoggerFactory.getLogger(CodebaseAwareObjectInputStream.class);
+
+ public CodebaseAwareObjectInputStream(InputStream in, ClassLoader
classLoader, boolean acceptProxyClasses) throws IOException {
+ super(in, classLoader, acceptProxyClasses);
+ }
+
+ @Override
+ protected Class<?> resolveClass(ObjectStreamClass serialInput) throws
IOException, ClassNotFoundException {
+ if (SerialDetector.isClassInBlacklist(serialInput)) {
+ if (!SerialDetector.shouldCheck()) {
+ // Reporting mode
+ logger.info(String.format("Blacklist match: '%s'",
serialInput.getName()));
+ } else {
+ // Blocking mode
+ logger.error(String.format("Blocked by blacklist'. Match found
for '%s'", serialInput.getName()));
+ throw new InvalidClassException(serialInput.getName(), "Class
blocked from deserialization (blacklist)");
+ }
+ }
+ return super.resolveClass(serialInput);
+ }
+}
diff --git
a/dubbo-rpc/dubbo-rpc-http/src/main/java/com/alibaba/dubbo/rpc/protocol/http/HttpInvokerServiceExporter.java
b/dubbo-rpc/dubbo-rpc-http/src/main/java/com/alibaba/dubbo/rpc/protocol/http/HttpInvokerServiceExporter.java
new file mode 100644
index 0000000..f50a8da
--- /dev/null
+++
b/dubbo-rpc/dubbo-rpc-http/src/main/java/com/alibaba/dubbo/rpc/protocol/http/HttpInvokerServiceExporter.java
@@ -0,0 +1,33 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.alibaba.dubbo.rpc.protocol.http;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.ObjectInputStream;
+
+/**
+ * Wrap InputStream to avoid well-known java serialization security issue.
+ */
+public class HttpInvokerServiceExporter extends
org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter {
+
+ @Override
+ protected ObjectInputStream createObjectInputStream(InputStream is) throws
IOException {
+ return new CodebaseAwareObjectInputStream(is,
super.getBeanClassLoader(), super.isAcceptProxyClasses());
+ }
+
+}
diff --git
a/dubbo-rpc/dubbo-rpc-http/src/main/java/com/alibaba/dubbo/rpc/protocol/http/HttpProtocol.java
b/dubbo-rpc/dubbo-rpc-http/src/main/java/com/alibaba/dubbo/rpc/protocol/http/HttpProtocol.java
index 3fc9087..bd6909d 100644
---
a/dubbo-rpc/dubbo-rpc-http/src/main/java/com/alibaba/dubbo/rpc/protocol/http/HttpProtocol.java
+++
b/dubbo-rpc/dubbo-rpc-http/src/main/java/com/alibaba/dubbo/rpc/protocol/http/HttpProtocol.java
@@ -30,7 +30,6 @@ import org.aopalliance.intercept.MethodInvocation;
import org.springframework.remoting.RemoteAccessException;
import
org.springframework.remoting.httpinvoker.HttpComponentsHttpInvokerRequestExecutor;
import org.springframework.remoting.httpinvoker.HttpInvokerProxyFactoryBean;
-import org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter;
import
org.springframework.remoting.httpinvoker.SimpleHttpInvokerRequestExecutor;
import org.springframework.remoting.support.RemoteInvocation;
import org.springframework.remoting.support.RemoteInvocationFactory;
diff --git
a/dubbo-serialization/dubbo-serialization-jdk/src/main/java/com/alibaba/dubbo/common/serialize/java/CompactedObjectInputStream.java
b/dubbo-serialization/dubbo-serialization-jdk/src/main/java/com/alibaba/dubbo/common/serialize/java/CompactedObjectInputStream.java
index 9732351..7ad6bb2 100644
---
a/dubbo-serialization/dubbo-serialization-jdk/src/main/java/com/alibaba/dubbo/common/serialize/java/CompactedObjectInputStream.java
+++
b/dubbo-serialization/dubbo-serialization-jdk/src/main/java/com/alibaba/dubbo/common/serialize/java/CompactedObjectInputStream.java
@@ -16,11 +16,15 @@
*/
package com.alibaba.dubbo.common.serialize.java;
+import com.alibaba.dubbo.common.logger.Logger;
+import com.alibaba.dubbo.common.logger.LoggerFactory;
import com.alibaba.dubbo.common.utils.ClassHelper;
+import com.alibaba.dubbo.common.utils.SerialDetector;
import java.io.EOFException;
import java.io.IOException;
import java.io.InputStream;
+import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectStreamClass;
import java.io.StreamCorruptedException;
@@ -29,6 +33,7 @@ import java.io.StreamCorruptedException;
* Compacted java object input stream.
*/
public class CompactedObjectInputStream extends ObjectInputStream {
+ private static final Logger logger =
LoggerFactory.getLogger(CompactedObjectInputStream.class);
private ClassLoader mClassLoader;
public CompactedObjectInputStream(InputStream in) throws IOException {
@@ -41,6 +46,21 @@ public class CompactedObjectInputStream extends
ObjectInputStream {
}
@Override
+ protected Class<?> resolveClass(ObjectStreamClass desc) throws
IOException, ClassNotFoundException {
+ if (SerialDetector.isClassInBlacklist(desc)) {
+ if (!SerialDetector.shouldCheck()) {
+ // Reporting mode
+ logger.info(String.format("Blacklist match: '%s'",
desc.getName()));
+ } else {
+ // Blocking mode
+ logger.error(String.format("Blocked by blacklist'. Match found
for '%s'", desc.getName()));
+ throw new InvalidClassException(desc.getName(), "Class blocked
from deserialization (blacklist)");
+ }
+ }
+ return super.resolveClass(desc);
+ }
+
+ @Override
protected ObjectStreamClass readClassDescriptor() throws IOException,
ClassNotFoundException {
int type = read();
if (type < 0)
diff --git
a/dubbo-serialization/dubbo-serialization-jdk/src/main/java/com/alibaba/dubbo/common/serialize/java/JavaObjectInput.java
b/dubbo-serialization/dubbo-serialization-jdk/src/main/java/com/alibaba/dubbo/common/serialize/java/JavaObjectInput.java
index 9a74f66..d8e4808 100644
---
a/dubbo-serialization/dubbo-serialization-jdk/src/main/java/com/alibaba/dubbo/common/serialize/java/JavaObjectInput.java
+++
b/dubbo-serialization/dubbo-serialization-jdk/src/main/java/com/alibaba/dubbo/common/serialize/java/JavaObjectInput.java
@@ -17,10 +17,10 @@
package com.alibaba.dubbo.common.serialize.java;
import com.alibaba.dubbo.common.serialize.nativejava.NativeJavaObjectInput;
+import com.alibaba.dubbo.common.utils.SerialDetector;
import java.io.IOException;
import java.io.InputStream;
-import java.io.ObjectInputStream;
import java.lang.reflect.Type;
/**
@@ -30,11 +30,11 @@ public class JavaObjectInput extends NativeJavaObjectInput {
public final static int MAX_BYTE_ARRAY_LENGTH = 8 * 1024 * 1024;
public JavaObjectInput(InputStream is) throws IOException {
- super(new ObjectInputStream(is));
+ super(new SerialDetector(is));
}
public JavaObjectInput(InputStream is, boolean compacted) throws
IOException {
- super(compacted ? new CompactedObjectInputStream(is) : new
ObjectInputStream(is));
+ super(compacted ? new CompactedObjectInputStream(is) : new
SerialDetector(is));
}
@Override
diff --git
a/dubbo-serialization/dubbo-serialization-jdk/src/main/java/com/alibaba/dubbo/common/serialize/nativejava/NativeJavaObjectInput.java
b/dubbo-serialization/dubbo-serialization-jdk/src/main/java/com/alibaba/dubbo/common/serialize/nativejava/NativeJavaObjectInput.java
index dfbf859..d3a6549 100644
---
a/dubbo-serialization/dubbo-serialization-jdk/src/main/java/com/alibaba/dubbo/common/serialize/nativejava/NativeJavaObjectInput.java
+++
b/dubbo-serialization/dubbo-serialization-jdk/src/main/java/com/alibaba/dubbo/common/serialize/nativejava/NativeJavaObjectInput.java
@@ -19,6 +19,7 @@ package com.alibaba.dubbo.common.serialize.nativejava;
import com.alibaba.dubbo.common.serialize.ObjectInput;
import com.alibaba.dubbo.common.utils.Assert;
+import com.alibaba.dubbo.common.utils.SerialDetector;
import java.io.IOException;
import java.io.InputStream;
@@ -30,7 +31,7 @@ public class NativeJavaObjectInput implements ObjectInput {
private final ObjectInputStream inputStream;
public NativeJavaObjectInput(InputStream is) throws IOException {
- this(new ObjectInputStream(is));
+ this(new SerialDetector(is));
}
protected NativeJavaObjectInput(ObjectInputStream is) {
