LI123456mo opened a new pull request, #16288: URL: https://github.com/apache/dubbo/pull/16288
## Description

This PR resolves a validation bypass during Hessian2 serialization where classes utilizing a custom `writeReplace()` method could inadvertently circumvent security filters.

### Core Changes

* **Enforce Validation:** Updated `Hessian2SerializerFactory` to ensure that classes implementing `writeReplace()` are rigorously checked against the `DefaultSerializeClassChecker` allowlist and standard serializable structure validations.
* **Security Alignment:** Prevents unauthorized objects from slipping past the framework's serialization guardrails via custom substitution methods.

## Related Issue

Fixes #16287

## Checklist

- [x] Code formatted locally via `mvn spotless:apply`.
- [x] Clear and concise commit messages maintained.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
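The gap the PR describes is that an allowlist applied to an object's declared class says nothing about the object Java serialization will actually write when that class defines `writeReplace()`. The following is an added illustration of the defensive pattern, written for this page and not code from the Dubbo project or this PR: `AllowlistChecker`, `SubstitutionAwareValidator`, `Envelope` and `Payload` are all hypothetical names constructed here. It shows a validator that resolves the `writeReplace()` substitute and runs the same allowlist and `Serializable` checks on the replacement class before anything is written, so a class that is on the allowlist cannot hand the serializer an object that is not.

```java
import java.io.Serializable;
import java.lang.reflect.Method;
import java.util.Set;

// Hypothetical allowlist checker standing in for a framework class checker.
final class AllowlistChecker {
    private final Set<String> allowed;

    AllowlistChecker(Set<String> allowed) {
        this.allowed = allowed;
    }

    void check(Class<?> cls) {
        if (!allowed.contains(cls.getName())) {
            throw new SecurityException("class not on serialization allowlist: " + cls.getName());
        }
        if (!Serializable.class.isAssignableFrom(cls)) {
            throw new SecurityException("class is not Serializable: " + cls.getName());
        }
    }
}

// Validates the declared class AND the object returned by writeReplace(), if any.
final class SubstitutionAwareValidator {
    private final AllowlistChecker checker;

    SubstitutionAwareValidator(AllowlistChecker checker) {
        this.checker = checker;
    }

    // Weak variant for comparison: only the declared class is checked, so a
    // writeReplace() substitute of a different class is never validated.
    Object resolveDeclaredOnly(Object obj) {
        checker.check(obj.getClass());
        return invokeWriteReplace(obj);
    }

    // Hardened variant: the substitute is resolved first and validated as well.
    Object resolveForWrite(Object obj) {
        checker.check(obj.getClass());
        Object replacement = invokeWriteReplace(obj);
        if (replacement != null && replacement.getClass() != obj.getClass()) {
            checker.check(replacement.getClass());
        }
        return replacement;
    }

    // Mirrors the lookup Java serialization performs: writeReplace() may be
    // declared (even privately) on the class or any serializable superclass.
    private static Object invokeWriteReplace(Object obj) {
        for (Class<?> c = obj.getClass(); c != null && c != Object.class; c = c.getSuperclass()) {
            try {
                Method m = c.getDeclaredMethod("writeReplace");
                m.setAccessible(true);
                return m.invoke(obj);
            } catch (NoSuchMethodException ignored) {
                // keep walking up the hierarchy
            } catch (ReflectiveOperationException e) {
                throw new IllegalStateException("writeReplace() failed on " + c.getName(), e);
            }
        }
        return obj; // no substitution method: the object is written as-is
    }
}

// Constructed sample types: Envelope is on the allowlist, Payload is not.
final class Payload implements Serializable {
    final String data = "substituted";
}

final class Envelope implements Serializable {
    // Substitutes a Payload during serialization.
    private Object writeReplace() {
        return new Payload();
    }
}

public class WriteReplaceCheckDemo {
    public static void main(String[] args) {
        AllowlistChecker checker = new AllowlistChecker(Set.of("Envelope"));
        SubstitutionAwareValidator v = new SubstitutionAwareValidator(checker);

        // Declared-class-only check lets the unlisted Payload through.
        Object weak = v.resolveDeclaredOnly(new Envelope());
        System.out.println("declared-only check would write: " + weak.getClass().getName());

        // Substitution-aware check rejects it before the write happens.
        try {
            v.resolveForWrite(new Envelope());
            System.out.println("unexpected: substitute passed");
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same two checks (allowlist membership and `Serializable` conformance) are applied to both the declared class and the replacement; the validator is placed before the write so that rejection happens without any bytes of the substitute reaching the stream. A framework that caches resolved serializers per class should run this resolution on every object, since `writeReplace()` is an instance method and can return a different type per call.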
