Hi Dubbo community,

The current serialization method used by Dubbo allows for deserialization of any class by default (except for those in the blacklist). However, we must consider whether to continue allowing deserialization of any class or restrict it to only classes on interface signatures.

Option 1: Allow deserialization of any class

Benefits: This approach provides high ease of use for Dubbo, and users do not need to consider how to define parameters.

Disadvantages: Due to the class mechanism under the Java system, this approach presents certain difficulties that can lead to remote command execution (RCE) and security risks.

Option 2: Only allow classes on interface signatures

Benefits: This approach can limit most security risks.

Disadvantages: Java's generics and parent-child class transfers are severely restricted, and users must define specific interfaces like IDL. None of the following scenarios can be used:

```java
package com.example.dubbo;

// Each public type below lives in its own source file under com.example.dubbo.

public interface BaseResult {
}

public class User implements BaseResult {
    public String name;
}

public interface DemoService {
    BaseResult getUser();
    Object getObject();
}

public class DemoServiceImpl implements DemoService {
    @Override
    public BaseResult getUser() {
        // cast from User to BaseResult: the wire carries a User, the signature only names BaseResult
        return new User();
    }

    @Override
    public Object getObject() {
        // cast from User to Object: the signature names no concrete class at all
        return new User();
    }
}
```

```java
package com.example.dubbo;

// Each public type below lives in its own source file under com.example.dubbo.

public class User {
    public String name;
}

public class TestException extends RuntimeException {
}

public interface DemoService {
    User getUser();
}

public class DemoServiceImpl implements DemoService {
    @Override
    public User getUser() {
        // unchecked exception that never appears on the interface signature
        throw new TestException();
    }
}
```

Please reply below this email to let us know how to proceed.

Thanks,
Albumen Kevin
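To make the option 2 trade-off concrete, here is an added example (not Dubbo's own code) of a hypothetical allowlist that admits only the exact classes found on an interface's method signatures; the nested types and the two service interfaces are constructed to mirror the two scenarios in the mail.

```java
import java.lang.reflect.Method;
import java.util.HashSet;
import java.util.Set;

// Hypothetical allowlist built only from the types on an interface's method
// signatures (option 2 above). Added example, not Dubbo's own code.
public final class SignatureAllowlist {
    // Constructed types mirroring the two scenarios in the mail.
    public interface BaseResult {}
    public static class User implements BaseResult { public String name; }
    public static class TestException extends RuntimeException {}
    public interface DemoService { BaseResult getUser(); Object getObject(); }
    public interface UserService { User getUser(); } // impl throws TestException, undeclared

    private final Set<Class<?>> allowed = new HashSet<>();

    // Collect the return, parameter and declared exception types of every method.
    public SignatureAllowlist(Class<?>... interfaces) {
        for (Class<?> itf : interfaces) {
            for (Method m : itf.getMethods()) {
                allowed.add(m.getReturnType());
                for (Class<?> p : m.getParameterTypes()) allowed.add(p);
                for (Class<?> e : m.getExceptionTypes()) allowed.add(e);
            }
        }
    }

    // IDL-style explicit registration of a concrete class the user wants on the wire.
    public SignatureAllowlist register(Class<?> c) { allowed.add(c); return this; }

    // Exact-class match on purpose: admitting subclasses of a declared type would
    // let "Object getObject()" admit every class and defeat the restriction.
    public boolean isAllowed(Class<?> c) { return allowed.contains(c); }

    // Check an instance the way a deserializer would, by its runtime class.
    public boolean isAllowed(Object o) { return o != null && isAllowed(o.getClass()); }

    public static void main(String[] args) {
        // Scenario 1: the signature names BaseResult/Object, the impl returns a User.
        SignatureAllowlist demo = new SignatureAllowlist(DemoService.class);
        System.out.println("User as BaseResult: " + demo.isAllowed(new User()));
        // Scenario 2: the signature names User, the impl throws an undeclared TestException.
        SignatureAllowlist user = new SignatureAllowlist(UserService.class);
        System.out.println("User: " + user.isAllowed(new User()));
        System.out.println("TestException: " + user.isAllowed(new TestException()));
        // Both scenarios only pass once users register the concrete types explicitly.
        demo.register(User.class);
        user.register(TestException.class);
        System.out.println("after registration: " + demo.isAllowed(new User())
                + " " + user.isAllowed(new TestException()));
    }
}
```

Running it shows why option 2 forces an IDL-like discipline: the subclass returned through a parent-typed signature and the undeclared runtime exception are both rejected until their concrete classes are registered by hand.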