uschindler commented on code in PR #15237:
URL: https://github.com/apache/lucene/pull/15237#discussion_r2384204860
##########
lucene/test-framework/src/java/org/apache/lucene/tests/util/LuceneTestCase.java:
##########
@@ -498,6 +499,14 @@ static int defaultRandomMultiplier() {
LEAVE_TEMPORARY = defaultValue;
}
+ /* Make sure we do not allow Java serialization without custom filters
anywhere while running tests.
+ * We could have activated that already in the test runner Gradle plugin,
but Gradle itsself uses
+ * unfiltered serialization on startup.
+ */
+ static {
+ ObjectInputFilter.Config.setSerialFilter(_ ->
ObjectInputFilter.Status.REJECTED);
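Review bot: The unconditional `ObjectInputFilter.Config.setSerialFilter(...)` call in this static initializer can fail class initialization, because the JVM-wide filter can be set only once and the call throws `IllegalStateException` if one is already present (for example from `-Djdk.serialFilter` or from a downstream project's own test setup). That would surface as an `ExceptionInInitializerError` for every test extending `LuceneTestCase`. The filter also rejects all deserialization for anyone reusing the test framework, so consider checking `ObjectInputFilter.Config.getSerialFilter()` first, or installing the restriction from the test runner rather than from this class. Minor: "itsself" in the comment should be "itself".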
Review Comment:
Hi, I implemented a better way to check this without breaking downstream
users by applying a global filter.
I added code to install a filter factory into the test runner JVM from
Gradle. The installed filter allows all Gradle-internal deserialization in a
similar way to how `TestSecurityManager` allowed `System.exit()` by the test
runner. It checks the stack trace for the correct class up in the stack.
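A sketch of the approach this comment describes, added here as an example; it is not the PR's code and not part of the original comment. It uses the JDK 17+ filter factory API (JEP 415) to reject deserialization unless a trusted class is on the call stack. The class name, the `TRUSTED_PREFIX` value and the demo `main` are assumptions.

```java
import java.io.*;
import java.util.function.BinaryOperator;

/** Hypothetical filter factory: reject deserialization unless a trusted caller is on the stack. */
public final class StackCheckingSerialFilterFactory implements BinaryOperator<ObjectInputFilter> {

  // Assumption: placeholder class-name prefix for frames that may deserialize.
  private static final String TRUSTED_PREFIX = "org.gradle.";

  private static final ObjectInputFilter REJECT_ALL = info -> ObjectInputFilter.Status.REJECTED;

  /**
   * The JDK calls this when an ObjectInputStream is constructed (current == null,
   * next == JVM-wide filter) and when setObjectInputFilter() is called on a stream.
   */
  @Override
  public ObjectInputFilter apply(ObjectInputFilter current, ObjectInputFilter next) {
    boolean trusted = StackWalker.getInstance().walk(
        frames -> frames.anyMatch(f -> f.getClassName().startsWith(TRUSTED_PREFIX)));
    if (!trusted) {
      return REJECT_ALL; // untrusted code gets a stream that rejects every class
    }
    // Trusted caller: keep the filters the stream would have had anyway.
    if (next == null) {
      return current;
    }
    return ObjectInputFilter.merge(next, current);
  }

  public static void main(String[] args) throws Exception {
    // Must run before any ObjectInputStream exists; the factory can be set only once.
    ObjectInputFilter.Config.setSerialFilterFactory(new StackCheckingSerialFilterFactory());

    // Constructed sample input: a serialized Integer.
    ByteArrayOutputStream bytes = new ByteArrayOutputStream();
    try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
      out.writeObject(Integer.valueOf(42));
    }
    try (ObjectInputStream in =
        new ObjectInputStream(new ByteArrayInputStream(bytes.toByteArray()))) {
      in.readObject();
      System.out.println("deserialized (not expected from an untrusted caller)");
    } catch (InvalidClassException e) {
      System.out.println("rejected: " + e.getMessage());
    }
  }
}
```

The same factory can be installed without code changes through the `jdk.serialFilterFactory` system property, provided the class is public and has a public no-argument constructor.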