Hessian2 whitelist (#6378)

fixes #6364
apache · Jul 3, 2020 · 11e728c · 11e728c
1 parent 4aaaea4
commit 11e728c
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 2 deletions.
diff --git a/dubbo-dependencies-bom/pom.xml b/dubbo-dependencies-bom/pom.xml
@@ -152,7 +152,7 @@
         <activation_version>1.2.0</activation_version>
         <test_container_version>1.11.2</test_container_version>
         <etcd_launcher_version>0.3.0</etcd_launcher_version>
-        <hessian_lite_version>3.2.7</hessian_lite_version>
+        <hessian_lite_version>3.2.8</hessian_lite_version>
         <swagger_version>1.5.19</swagger_version>
         <spring_test_version>4.3.16.RELEASE</spring_test_version>
 

diff --git a/...2/src/main/java/org/apache/dubbo/common/serialize/hessian2/Hessian2SerializerFactory.java b/...2/src/main/java/org/apache/dubbo/common/serialize/hessian2/Hessian2SerializerFactory.java
@@ -16,11 +16,38 @@
  */
 package org.apache.dubbo.common.serialize.hessian2;
 
+import org.apache.dubbo.common.config.ConfigurationUtils;
+import org.apache.dubbo.common.utils.StringUtils;
+
 import com.alibaba.com.caucho.hessian.io.SerializerFactory;
 
 public class Hessian2SerializerFactory extends SerializerFactory {
+    private static final String WHITELIST = "dubbo.application.hessian2.whitelist";
+    private static final String ALLOW = "dubbo.application.hessian2.allow";
+    private static final String DENY = "dubbo.application.hessian2.deny";
+
+    public static final SerializerFactory SERIALIZER_FACTORY;
 
-    public static final SerializerFactory SERIALIZER_FACTORY = new Hessian2SerializerFactory();
+    /**
+     * see https://github.com/ebourg/hessian/commit/cf851f5131707891e723f7f6a9718c2461aed826
+     */
+    static {
+        SERIALIZER_FACTORY = new Hessian2SerializerFactory();
+        String whiteList = ConfigurationUtils.getProperty(WHITELIST);
+        if ("true".equals(whiteList)) {
+            SERIALIZER_FACTORY.getClassFactory().setWhitelist(true);
+            String allowPattern = ConfigurationUtils.getProperty(ALLOW);
+            if (StringUtils.isNotEmpty(allowPattern)) {
+                SERIALIZER_FACTORY.getClassFactory().allow(allowPattern);
+            }
+        } else {
+            SERIALIZER_FACTORY.getClassFactory().setWhitelist(false);
+            String denyPattern = ConfigurationUtils.getProperty(DENY);
+            if (StringUtils.isNotEmpty(denyPattern)) {
+                SERIALIZER_FACTORY.getClassFactory().deny(denyPattern);
+            }
+        }
+    }
 
     private Hessian2SerializerFactory() {
     }