Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Bug] [Serialization Security] Serialized class java.lang.ArithmeticException is not in allow list. #14193

Closed
3 of 4 tasks
songxiaosheng opened this issue May 15, 2024 · 8 comments
Closed
3 of 4 tasks

[Bug] [Serialization Security] Serialized class java.lang.ArithmeticException is not in allow list. #14193

songxiaosheng opened this issue May 15, 2024 · 8 comments
Labels
component/need-triage Need maintainers to triage type/need-triage Need maintainers to triage

Comments

@songxiaosheng
Copy link
Member

Pre-check

  • I am sure that all the content I provide is in English.

Search before asking

  • I had searched in the issues and found no similar issues.

Apache Dubbo Component

Java SDK (apache/dubbo)

Dubbo Version

dubbo-3.3.0-beta.3-SNAPSHOT.jar

Steps to reproduce this issue

when i upgrade dubbo-3.3.0-beta.3-SNAPSHOT.jar it will show this error,i think it is violent and incompatible

Wrapped by: java.util.concurrent.ExecutionException: org.apache.dubbo.remoting.RemotingException: java.io.IOException: org.apache.dubbo.common.serialize.SerializationException: java.lang.IllegalArgumentException: [Serialization Security] Serialized class java.lang.ArithmeticException is not in allow list. Current mode is `STRICT`, will disallow to deserialize it by default. Please add it into security/serialize.allowlist or follow FAQ to configure it.
java.io.IOException: org.apache.dubbo.common.serialize.SerializationException: java.lang.IllegalArgumentException: [Serialization Security] Serialized class java.lang.ArithmeticException is not in allow list. Current mode is `STRICT`, will disallow to deserialize it by default. Please add it into security/serialize.allowlist or follow FAQ to configure it.
	at org.apache.dubbo.common.serialize.DefaultSerializationExceptionWrapper.handleToIOException(DefaultSerializationExceptionWrapper.java:353)
	at org.apache.dubbo.common.serialize.DefaultSerializationExceptionWrapper.access$000(DefaultSerializationExceptionWrapper.java:27)
	at org.apache.dubbo.common.serialize.DefaultSerializationExceptionWrapper$ProxyObjectInput.readThrowable(DefaultSerializationExceptionWrapper.java:181)
	at org.apache.dubbo.rpc.protocol.dubbo.DecodeableRpcResult.handleException(DecodeableRpcResult.java:186)
	at org.apache.dubbo.rpc.protocol.dubbo.DecodeableRpcResult.decode(DecodeableRpcResult.java:114)
	at org.apache.dubbo.rpc.protocol.dubbo.DecodeableRpcResult.decode(DecodeableRpcResult.java:153)
	at org.apache.dubbo.remoting.transport.DecodeHandler.decode(DecodeHandler.java:61)
	at org.apache.dubbo.remoting.transport.DecodeHandler.received(DecodeHandler.java:49)
	at org.apache.dubbo.remoting.transport.dispatcher.ChannelEventRunnable.run(ChannelEventRunnable.java:64)
	at org.apache.dubbo.common.threadpool.ThreadlessExecutor$RunnableWrapper.run(ThreadlessExecutor.java:151)
	at org.apache.dubbo.common.threadpool.ThreadlessExecutor.waitAndDrain(ThreadlessExecutor.java:77)

What you expected to happen

The upgrade package version should not directly cause incompatible errors. Can this check be turned off by default?

Anything else

No response

Are you willing to submit a pull request to fix on your own?

  • Yes I am willing to submit a pull request on my own!

Code of Conduct
@songxiaosheng songxiaosheng added type/need-triage Need maintainers to triage component/need-triage Need maintainers to triage labels May 15, 2024
@songxiaosheng songxiaosheng changed the title [Bug] [Bug] [Serialization Security] Serialized class java.lang.ArithmeticException is not in allow list. May 15, 2024
@AlbumenJ
Copy link
Member

Please add it into the default allow list

@songxiaosheng
Copy link
Member Author

Please add it into the default allow list

Can we consider a blacklist mechanism? Originally, the code did not need to be added, but after upgrading, it needs to be added one by one, which can easily lead to difficulties in upgrading

@AlbumenJ
Copy link
Member

Please add it into the default allow list

Can we consider a blacklist mechanism? Originally, the code did not need to be added, but after upgrading, it needs to be added one by one, which can easily lead to difficulties in upgrading

No, blacklist cannot resolve the serialization risk. Security is more impartant that usability.

@xixingya
Copy link
Contributor

maybe set SerializeCheckStatus mode to warn can works?
image

@xixingya
Copy link
Contributor

Perhaps you can add the following content to the public namespace of Dubbo in the configuration center.

dubbo:
  application:
    serialize-check-status: WARN

@xixingya
Copy link
Contributor

If there are no further issues, please close this issue. @songxiaosheng

@github-project-automation github-project-automation bot moved this from Todo to Done in Dubbo Board May 27, 2024
@VincentLee-EN
Copy link

Please add it into the default allow list

how to add?

@wcy666103
Copy link
Contributor

Please add it into the default allow list

how to add?

I hope this helps you https://cn.dubbo.apache.org/zh-cn/overview/mannual/java-sdk/tasks/security/class-check/

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
component/need-triage Need maintainers to triage type/need-triage Need maintainers to triage
Projects
Dubbo Board
Archived in project
Milestone
No milestone
Development

No branches or pull requests
5 participants
@AlbumenJ @VincentLee-EN @xixingya @wcy666103 @songxiaosheng