yuzhiyang1 opened a new pull request, #16307:
URL: https://github.com/apache/dubbo/pull/16307

   ## What is the purpose of the change?
   
   Fixes #16287.
   
   `Hessian2SerializerFactory` currently enforces Dubbo's serialization class 
policy from `getDefaultSerializer()`. However, hessian-lite resolves classes 
with `writeReplace()` before it reaches `getDefaultSerializer()`, so 
non-Serializable classes with `writeReplace()` can bypass the sender-side 
Serializable check.
   
   This change enforces the same class policy in `getSerializer(Class)` for 
replacement-capable classes before delegating to hessian-lite, while keeping 
the existing default serializer/deserializer checks shared through one helper.
   
   ## Brief changelog
   
   - Enforce Dubbo's serialization class policy for Hessian2 classes that 
define `writeReplace()`.
   - Keep existing `getDefaultSerializer()` and `getDefaultDeserializer()` 
checks by sharing the same `checkClass()` helper.
   - Add regression coverage for:
     - non-Serializable class whose `writeReplace()` returns itself;
     - Serializable class whose `writeReplace()` returns a non-Serializable 
replacement with its own `writeReplace()`;
     - valid Serializable replacement path.
   
   ## Verifying this change
   
   - `git diff --check`
   - `mvn -am -pl dubbo-serialization/dubbo-serialization-hessian2 -Dtest=Hessian2SerializationTest -Dsurefire.failIfNoSpecifiedTests=false -Dcheckstyle.skip=true -Drat.skip=true test`
   
   ## Checklist
   
   - [x] Make sure there is a GitHub issue field for the change. (#16287)
   - [x] Write a pull request description that is detailed enough to understand 
what the pull request does, how, and why.
   - [x] Write necessary unit-test to verify your logic correction.
   - [x] Make sure GitHub Actions can pass.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
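
The ordering issue described in the pull request above, as an added example that is not part of the original message or of Dubbo's or hessian-lite's code: a simplified model in which the class policy runs before `writeReplace()` is resolved and again on each replacement. All class and method names here (`WriteReplacePolicyDemo`, `findWriteReplace`, `resolveForWrite`, the sample classes) are hypothetical, and `checkClass` is only a stand-in for the real policy helper.

```java
import java.io.Serializable;
import java.lang.reflect.Method;

// Simplified model with hypothetical names: not Dubbo's or hessian-lite's real API.
public class WriteReplacePolicyDemo {
    // Constructed samples mirroring the three regression cases in the PR description.
    static class SelfReplacing { Object writeReplace() { return this; } }
    static class BadReplacement { Object writeReplace() { return this; } }
    static class HidesBadReplacement implements Serializable {
        Object writeReplace() { return new BadReplacement(); }
    }
    static class ValidSource implements Serializable {
        Object writeReplace() { return "serializable replacement"; }
    }

    // Find a no-arg writeReplace() anywhere in the class hierarchy, or null.
    static Method findWriteReplace(Class<?> cl) {
        for (Class<?> c = cl; c != null && c != Object.class; c = c.getSuperclass()) {
            for (Method m : c.getDeclaredMethods()) {
                if (m.getName().equals("writeReplace") && m.getParameterCount() == 0) return m;
            }
        }
        return null;
    }

    // Stand-in for the class policy: the sender only writes Serializable types.
    static void checkClass(Class<?> cl) {
        if (!Serializable.class.isAssignableFrom(cl)) {
            throw new IllegalArgumentException(cl.getName() + " is not Serializable");
        }
    }

    // Policy runs before the replacement is resolved, and again on each replacement.
    static Object resolveForWrite(Object obj) throws Exception {
        checkClass(obj.getClass());
        Method m = findWriteReplace(obj.getClass());
        if (m == null) return obj;
        m.setAccessible(true);
        Object r = m.invoke(obj);
        return (r == null || r == obj) ? r : resolveForWrite(r);
    }

    public static void main(String[] args) throws Exception {
        System.out.println("accepted: " + resolveForWrite(new ValidSource()));
        for (Object o : new Object[] {new SelfReplacing(), new HidesBadReplacement()}) {
            try { resolveForWrite(o); System.out.println("accepted: " + o.getClass()); }
            catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
        }
    }
}
```

If the `checkClass` call in `resolveForWrite` were moved to the `m == null` branch only, both rejected samples would be accepted in this model, which is the shape of the bypass the description reports.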

