From 11e728c084b591d0c11267e0729805eeeb59bd73 Mon Sep 17 00:00:00 2001
From: "ken.lj"
Date: Fri, 3 Jul 2020 16:53:51 +0800
Subject: [PATCH] Hessian2 whitelist (#6378)

fixes #6364
---
 dubbo-dependencies-bom/pom.xml | 2 +-
 .../hessian2/Hessian2SerializerFactory.java | 29 ++++++++++++++++++-
 2 files changed, 29 insertions(+), 2 deletions(-)

diff --git a/dubbo-dependencies-bom/pom.xml b/dubbo-dependencies-bom/pom.xml
index eae1bc812c8..c2426e27e70 100644
--- a/dubbo-dependencies-bom/pom.xml
+++ b/dubbo-dependencies-bom/pom.xml
@@ -152,7 +152,7 @@
 1.2.0
 1.11.2
 0.3.0
- 3.2.7
+ 3.2.8
 1.5.19
 4.3.16.RELEASE
diff --git a/dubbo-serialization/dubbo-serialization-hessian2/src/main/java/org/apache/dubbo/common/serialize/hessian2/Hessian2SerializerFactory.java b/dubbo-serialization/dubbo-serialization-hessian2/src/main/java/org/apache/dubbo/common/serialize/hessian2/Hessian2SerializerFactory.java
index a5c5a9020ea..d0ff3a74e01 100644
--- a/dubbo-serialization/dubbo-serialization-hessian2/src/main/java/org/apache/dubbo/common/serialize/hessian2/Hessian2SerializerFactory.java
+++ b/dubbo-serialization/dubbo-serialization-hessian2/src/main/java/org/apache/dubbo/common/serialize/hessian2/Hessian2SerializerFactory.java
@@ -16,11 +16,38 @@
  */
 package org.apache.dubbo.common.serialize.hessian2;
 
+import org.apache.dubbo.common.config.ConfigurationUtils;
+import org.apache.dubbo.common.utils.StringUtils;
+
 import com.alibaba.com.caucho.hessian.io.SerializerFactory;
 
 public class Hessian2SerializerFactory extends SerializerFactory {
+    private static final String WHITELIST = "dubbo.application.hessian2.whitelist";
+    private static final String ALLOW = "dubbo.application.hessian2.allow";
+    private static final String DENY = "dubbo.application.hessian2.deny";
+
+    public static final SerializerFactory SERIALIZER_FACTORY;
 
-    public static final SerializerFactory SERIALIZER_FACTORY = new Hessian2SerializerFactory();
+    /**
+     * see https://github.com/ebourg/hessian/commit/cf851f5131707891e723f7f6a9718c2461aed826
+     */
+    static {
+        SERIALIZER_FACTORY = new Hessian2SerializerFactory();
+        String whiteList = ConfigurationUtils.getProperty(WHITELIST);
+        if ("true".equals(whiteList)) {
+            SERIALIZER_FACTORY.getClassFactory().setWhitelist(true);
+            String allowPattern = ConfigurationUtils.getProperty(ALLOW);
+            if (StringUtils.isNotEmpty(allowPattern)) {
+                SERIALIZER_FACTORY.getClassFactory().allow(allowPattern);
+            }
+        } else {
+            SERIALIZER_FACTORY.getClassFactory().setWhitelist(false);
+            String denyPattern = ConfigurationUtils.getProperty(DENY);
+            if (StringUtils.isNotEmpty(denyPattern)) {
+                SERIALIZER_FACTORY.getClassFactory().deny(denyPattern);
+            }
+        }
+    }
 
     private Hessian2SerializerFactory() {
     }
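Review bot: When `dubbo.application.hessian2.whitelist` is unset, the static block takes the `else` branch and calls `setWhitelist(false)`, so unless a deny pattern is also configured the class factory is told to accept any class name arriving in the Hessian stream — the default is fail-open, which neither the commit title nor the `see <url>` Javadoc makes obvious. The exact-string test `"true".equals(whiteList)` additionally sends values such as `TRUE` or `True` into that open branch; `if (Boolean.parseBoolean(whiteList)) {` would accept the case variants without changing the opt-in semantics. Whether the bumped Hessian class factory still enforces a built-in deny list when `setWhitelist(false)` has been called is not visible in this hunk and should be confirmed before the default is relied on; note also that in allowlist mode with an empty `ALLOW` value every class is rejected, which is safe but hard to diagnose. I would replace the bare link Javadoc on the static block with a sentence that states the contract, e.g. `Allowlist mode is opt-in via dubbo.application.hessian2.whitelist=true (classes matched by dubbo.application.hessian2.allow); otherwise every class is accepted except those matching dubbo.application.hessian2.deny.` The enclosing class continues past the end of the hunk.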