This is an automated email from the ASF dual-hosted git repository.
jimin pushed a commit to branch 2.x
in repository https://gitbox.apache.org/repos/asf/incubator-seata.git
The following commit(s) were added to refs/heads/2.x by this push:
new d2a18aef82 optimize: optimize fury deserialization (#7498)
d2a18aef82 is described below
commit d2a18aef82c08535e4134642070c39d98654f0f6
Author: GoodBoyCoder <[email protected]>
AuthorDate: Sat Jul 5 23:18:31 2025 +0800
optimize: optimize fury deserialization (#7498)
---
changes/en-us/2.x.md | 2 ++
changes/zh-cn/2.x.md | 2 ++
.../org/apache/seata/serializer/fury/FurySerializerFactory.java | 7 ++++---
3 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/changes/en-us/2.x.md b/changes/en-us/2.x.md
index 2e71d727c2..dd5580e529 100644
--- a/changes/en-us/2.x.md
+++ b/changes/en-us/2.x.md
@@ -31,6 +31,7 @@ Add changes here for all PR submitted to the 2.x branch.
- [[#7356](https://github.com/apache/incubator-seata/pull/7356)] fix codecov
bug
- [[#7370](https://github.com/apache/incubator-seata/pull/7370)] fix
ISSUE_TEMPLATE not work
- [[#7397](https://github.com/apache/incubator-seata/pull/7397)] Resolve
NullPointer and port binding errors
+- [[#7498](https://github.com/apache/incubator-seata/pull/7498)] fix the class
name whitelist check issue in fury deserialization
### optimize:
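Review bot: The new #7498 entry sits above the `### optimize:` heading, in the list with the other fix entries, and is worded as a fix ("fix the class name whitelist check issue in fury deserialization"), but the commit subject reads "optimize: optimize fury deserialization". The change alters which classes the deserializer accepts, so the subject line should describe it as a fix to the allow-list check. That way anyone scanning the log for security-relevant changes will find it. Using "allow list" in the entry would also match the `AllowListChecker` name used in the code.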
@@ -138,6 +139,7 @@ Thanks to these contributors for their code commits. Please
report an unintended
- [jsbxyyx](https://github.com/jsbxyyx)
- [simzyoo](https://github.com/simzyoo)
- [Dltmd202](https://github.com/Dltmd202)
+- [GoodBoyCoder](https://github.com/GoodBoyCoder)
diff --git a/changes/zh-cn/2.x.md b/changes/zh-cn/2.x.md
index 0381b40c3d..feb02abf81 100644
--- a/changes/zh-cn/2.x.md
+++ b/changes/zh-cn/2.x.md
@@ -30,6 +30,7 @@
- [[#7356](https://github.com/apache/incubator-seata/pull/7356)] 修复 codecov 错误
- [[#7370](https://github.com/apache/incubator-seata/pull/7370)] 修复
ISSUE_TEMPLATE 不可用
- [[#7397](https://github.com/apache/incubator-seata/pull/7397)] 解决空指针和端口绑定错误
+- [[#7498](https://github.com/apache/incubator-seata/pull/7498)]
修复fury反序列化的类名白名单检查问题
### optimize:
@@ -138,6 +139,7 @@
- [YvCeung](https://github.com/YvCeung)
- [jsbxyyx](https://github.com/jsbxyyx)
- [simzyoo](https://github.com/simzyoo)
+- [GoodBoyCoder](https://github.com/GoodBoyCoder)
同时,我们收到了社区反馈的很多有价值的issue和建议,非常感谢大家。
diff --git
a/serializer/seata-serializer-fury/src/main/java/org/apache/seata/serializer/fury/FurySerializerFactory.java
b/serializer/seata-serializer-fury/src/main/java/org/apache/seata/serializer/fury/FurySerializerFactory.java
index dc50b5bd33..f99358622a 100644
---
a/serializer/seata-serializer-fury/src/main/java/org/apache/seata/serializer/fury/FurySerializerFactory.java
+++
b/serializer/seata-serializer-fury/src/main/java/org/apache/seata/serializer/fury/FurySerializerFactory.java
@@ -21,6 +21,7 @@ import org.apache.fury.ThreadLocalFury;
import org.apache.fury.ThreadSafeFury;
import org.apache.fury.config.CompatibleMode;
import org.apache.fury.config.Language;
+import org.apache.fury.resolver.AllowListChecker;
import org.apache.seata.core.serializer.SerializerSecurityRegistry;
public class FurySerializerFactory {
@@ -41,9 +42,9 @@ public class FurySerializerFactory {
.build();
// register allow class
- f.getClassResolver()
- .setClassChecker((classResolver, className) ->
-
SerializerSecurityRegistry.getAllowClassPattern().contains(className));
+ AllowListChecker checker = new
AllowListChecker(AllowListChecker.CheckLevel.STRICT);
+ f.getClassResolver().setClassChecker(checker);
+
checker.allowClasses(SerializerSecurityRegistry.getAllowClassPattern());
return f;
});
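Review bot: No test accompanies the checker swap at `f.getClassResolver().setClassChecker(checker)`; the diffstat lists only the two changelog files and FurySerializerFactory.java. Please add a test that deserializes a class outside `SerializerSecurityRegistry.getAllowClassPattern()` and expects rejection. Add another for an entry that is a pattern rather than an exact class name, since the removed lambda matched only through `contains(className)`. The removed lambda also read the registry on every check, while `checker.allowClasses(...)` runs once when the Fury instance is built. Please confirm that entries added to the registry afterwards are not expected to take effect on instances that already exist. As a smaller point, calling `allowClasses` before `setClassChecker` would make it obvious that the checker is fully populated when it is installed.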