Hi Dubbo community,

The current serialization method used by Dubbo allows for
deserialization of any class by default (except for those in the
blacklist). However, we must consider whether to continue allowing
deserialization of any class or restrict it to only classes on
interface signatures.

Option 1: Allow deserialization of any class
Benefits: This approach provides high ease of use for Dubbo, and users do
not need to consider how to define parameters.
Disadvantages: Due to the class mechanism under the Java system, this
approach presents certain difficulties that can lead to remote command
execution (RCE) and security risks.

Option 2: Only allow classes on interface signatures
Benefits: This approach can limit most security risks.
Disadvantages: Java's generics and parent-child class transfers are
severely restricted, and users must define specific interfaces like IDL.

None of the following scenarios can be used:
```java
package com.example.dubbo;

public interface BaseResult {

}

public class User implements BaseResult {
    public String name;
}

public interface DemoService {
    BaseResult getUser();
    Object getObject();
}

public class DemoServiceImpl implements DemoService {
    // Method name must match the interface (was listUser)
    public BaseResult getUser() {
        // cast from User to BaseResult: the wire carries User,
        // which does not appear on the interface signature
        return new User();
    }

    public Object getObject() {
        // cast from User to Object
        return new User();
    }
}
```

```java
package com.example.dubbo;

public class User {
    public String name;
}

public class TestException extends RuntimeException {
}

public interface DemoService {
    User getUser();
}

public class DemoServiceImpl implements DemoService {
    // Method name must match the interface (was listUser)
    public User getUser() {
        // TestException is not on the interface signature,
        // so the client cannot deserialize it under Option 2
        throw new TestException();
    }
}
```

Please reply below this email to let us know how to proceed.

Thanks,
Albumen Kevin
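The following is an added illustration, not code from this mail or from the Dubbo project, of how an Option 2 allowlist derived from the interface signature behaves on the first scenario above. It uses the JDK's own `java.io.ObjectInputFilter` (JDK 9+) in place of Dubbo's serialization layer; the nested `DemoService`, `StrictDemoService`, `BaseResult` and `User` types and the helper names are assumed for the demonstration. Only classes that appear literally in the interface's return, parameter and exception types are admitted, which is exactly why the subclass `User` returned as `BaseResult` is rejected unless the interface names `User` directly.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.lang.reflect.Method;
import java.util.HashSet;
import java.util.Set;

public class SignatureAllowlistDemo {

    // Hypothetical types mirroring the mail's first scenario.
    public interface BaseResult extends Serializable {}

    public static class User implements BaseResult {
        private static final long serialVersionUID = 1L;
        public String name;
    }

    // Declares the abstract type: User is NOT on this signature.
    public interface DemoService {
        BaseResult getUser();
    }

    // Declares the concrete type, as Option 2 would force users to do.
    public interface StrictDemoService {
        User getUser();
    }

    /** Collect every class that appears on the interface's method signatures. */
    static Set<Class<?>> signatureClasses(Class<?> iface) {
        Set<Class<?>> allowed = new HashSet<>();
        for (Method m : iface.getMethods()) {
            allowed.add(m.getReturnType());
            for (Class<?> p : m.getParameterTypes()) allowed.add(p);
            for (Class<?> e : m.getExceptionTypes()) allowed.add(e);
        }
        return allowed;
    }

    /** Option 2 filter: exact-class allowlist built from the signature set.
     *  A production filter would also have to admit the JDK types a payload
     *  legitimately contains (collections, wrappers, ...); this stays strict
     *  to make the subclass problem visible. */
    static ObjectInputFilter signatureFilter(Set<Class<?>> allowed) {
        return info -> {
            Class<?> c = info.serialClass();
            if (c == null) {
                // depth/array-length checks carry no class; leave them to defaults
                return ObjectInputFilter.Status.UNDECIDED;
            }
            return allowed.contains(c)
                    ? ObjectInputFilter.Status.ALLOWED
                    : ObjectInputFilter.Status.REJECTED;
        };
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Returns true if the payload deserializes under the filter, false if rejected. */
    static boolean accepted(byte[] bytes, ObjectInputFilter filter) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(filter);
            in.readObject();
            return true;
        } catch (InvalidClassException rejected) {
            // thrown by the stream when the filter answers REJECTED
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        User u = new User();
        u.name = "alice";            // constructed sample value
        byte[] payload = serialize(u);

        ObjectInputFilter byBase = signatureFilter(signatureClasses(DemoService.class));
        ObjectInputFilter byUser = signatureFilter(signatureClasses(StrictDemoService.class));

        // User cast to BaseResult on the server: rejected, User is not on the signature
        System.out.println("DemoService   (BaseResult getUser): " + accepted(payload, byBase));
        // User named directly on the signature: accepted
        System.out.println("StrictDemoService (User getUser):  " + accepted(payload, byUser));
    }
}
```

Running it prints `false` for `DemoService` and `true` for `StrictDemoService`, which is the trade-off the mail describes: the signature-derived allowlist closes the door on arbitrary gadget classes, but it also closes it on every legitimate subclass, generic argument or custom exception the interface does not spell out.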
