I think it is better to use the interface signature, but the problem now is
that the experience for old dubbo users is destructive.

Thanks,
EarthChen

Albumen Kevin <album...@apache.org> wrote on Wed, Apr 12, 2023 at 10:30:

> Hi Dubbo community,
>
> The current serialization method used by Dubbo allows for
> deserialization of any class by default (except for those in the
> blacklist). However, we must consider whether to continue allowing
> deserialization of any class or restrict it to only classes on
> interface signatures.
>
> Option 1: Allow deserialization of any class
> Benefits: This approach provides high ease of use for Dubbo, and users
> do not need to consider how to define parameters.
> Disadvantages: Due to the class mechanism under the Java system, this
> approach presents certain difficulties that can lead to remote command
> execution (RCE) and security risks.
>
> Option 2: Only allow classes on interface signatures
> Benefits: This approach can limit most security risks.
> Disadvantages: Java's generics and parent-child class transfers are
> severely restricted, and users must define specific interfaces like IDL.
>
> None of the following scenarios can be used:
> ```java
> package com.example.dubbo;
>
> public interface BaseResult {
>
> }
>
> public class User implements BaseResult {
>     public String name;
> }
>
> public interface DemoService {
>     BaseResult getUser();
>     Object getObject();
> }
>
> public class DemoServiceImpl implements DemoService {
>     @Override
>     public BaseResult getUser() {
>         // cast from User to BaseResult: the wire carries a User, but only
>         // BaseResult appears on the interface signature
>         return new User();
>     }
>
>     @Override
>     public Object getObject() {
>         // cast from User to Object
>         return new User();
>     }
> }
> ```
>
> ```java
> package com.example.dubbo;
>
> public class User {
>     public String name;
> }
>
> public class TestException extends RuntimeException {
> }
>
> public interface DemoService {
>     User getUser();
> }
>
> public class DemoServiceImpl implements DemoService {
>     @Override
>     public User getUser() {
>         // TestException is thrown but never declared on the signature
>         throw new TestException();
>     }
> }
> ```
>
> Please reply below this email to let us know how to proceed.
>
> Thanks,
> Albumen Kevin
>

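The following is an added example and is not part of this thread or of Dubbo's code base. It shows what "option 2" amounts to in practice: an allowlist of deserializable classes derived by reflection from a service interface's method signatures (return types, parameter types, declared exceptions and generic type arguments), plus the explicit registration call that the subtype and undeclared-exception scenarios quoted above would need. The `SignatureAllowlist` class, the `allow` method and the extra `listNames` method on `DemoService` are assumptions made for this example; Dubbo's real serialization hooks are not used here.

```java
package com.example.dubbo;

import java.io.IOException;
import java.lang.reflect.Method;
import java.lang.reflect.ParameterizedType;
import java.lang.reflect.Type;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/**
 * Added example (not Dubbo's own code): an allowlist of deserializable
 * classes built from a service interface's method signatures. The nested
 * types below mirror the scenarios in the thread; listNames() and the
 * allowlist itself are assumptions made for this example.
 */
public class SignatureAllowlist {

    interface BaseResult {}

    static class User implements BaseResult {
        public String name;
    }

    static class TestException extends RuntimeException {}

    interface DemoService {
        BaseResult getUser();
        Object getObject();
        // Declared exceptions and generic arguments are part of the
        // signature too, so the walk below has to visit them.
        List<String> listNames() throws IOException;
    }

    private final Set<String> allowed = new HashSet<>();

    public SignatureAllowlist(Class<?>... serviceInterfaces) {
        for (Class<?> itf : serviceInterfaces) {
            for (Method m : itf.getMethods()) {
                collect(m.getGenericReturnType());
                for (Type t : m.getGenericParameterTypes()) {
                    collect(t);
                }
                for (Type t : m.getGenericExceptionTypes()) {
                    collect(t);
                }
            }
        }
    }

    /** Record every concrete class a (possibly parameterized) type names. */
    private void collect(Type t) {
        if (t instanceof Class<?>) {
            Class<?> c = (Class<?>) t;
            if (c.isArray()) {
                collect(c.getComponentType());
            } else if (!c.isPrimitive()) {
                allowed.add(c.getName());
            }
        } else if (t instanceof ParameterizedType) {
            ParameterizedType p = (ParameterizedType) t;
            collect(p.getRawType());
            for (Type arg : p.getActualTypeArguments()) {
                collect(arg);
            }
        }
        // TypeVariable and WildcardType name no concrete class, so they
        // contribute nothing: under option 2 such slots are effectively closed.
    }

    /** The escape hatch option 2 needs: explicitly registering a subtype. */
    public SignatureAllowlist allow(Class<?> c) {
        allowed.add(c.getName());
        return this;
    }

    /** What a deserializer hook would call before instantiating a class. */
    public boolean isAllowed(String className) {
        return allowed.contains(className);
    }

    public static void main(String[] args) {
        SignatureAllowlist wl = new SignatureAllowlist(DemoService.class);
        String[] candidates = {
            BaseResult.class.getName(),     // declared return type
            User.class.getName(),           // concrete subtype, never on the signature
            TestException.class.getName(),  // thrown but not declared
            String.class.getName(),         // type argument of List<String>
            "org.example.Gadget",           // not on any signature
        };
        for (String c : candidates) {
            System.out.printf("%-45s %s%n", c, wl.isAllowed(c) ? "allowed" : "rejected");
        }
        // Registering the subclass explicitly is what makes the first
        // scenario quoted in the thread work again under option 2.
        wl.allow(User.class);
        System.out.println("after allow(User): " + wl.isAllowed(User.class.getName()));
    }
}
```

Run with `javac` and `java com.example.dubbo.SignatureAllowlist`. Only the classes literally named on the signatures pass the check: `BaseResult`, `Object`, `List` and `String` are allowed, while `User` (reachable only through `BaseResult` or `Object`), `TestException` (thrown but never declared) and an arbitrary class name are rejected until registered with `allow`. That is exactly the trade-off the thread describes: the check closes the "deserialize any class" path, at the cost of forcing service authors to name every concrete type, IDL-style.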