thmd opened a new issue, #3530: URL: https://github.com/apache/fory/issues/3530
### Search before asking - [x] I had searched in the [issues](https://github.com/apache/fory/issues) and found no similar issues. ### Version ``` Fory f = Fory.builder() .withLanguage(Language.JAVA) .requireClassRegistration(true) .withRefTracking(true) .withRefCopy(true) .withNumberCompressed(false) .serializeEnumByName(true) .withClassLoader(classLoader) .build(); ``` This is my Fory serializer setup like the documentation with checker.allowClass("my.packages.*"); But running it like this give me following exception ``` [org.apache.fory.Fory:156] INFO - Created new fory org.apache.fory.Fory@4b078f28 201 org.apache.fory.exception.InsecureException: class MyUnRegisteredClassThatsInAllowList is not registered, please check whether it's the type you want to serialize or a **vulnerability**. If safe, you should invoke `Fory#register` to register class, which will have better performance by skipping classname serialization. If your env is 100% secure, you can also avoid this exception by disabling class registration check using `ForyBuilder#requireClassRegistration(false)` ``` ### Component(s) JavaScript, Java ### Minimal reproduce step Serializing a class that's not registed but covered in AllowListChecker fails. ### What did you expect to see? Fory not throwing any exception. ### What did you see instead? Exception from Fory even though the class package is in AllowListChecker ### Anything Else? _No response_ ### Are you willing to submit a PR? - [ ] I'm willing to submit a PR! -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
