daguimu opened a new pull request, #16177: URL: https://github.com/apache/dubbo/pull/16177
## Problem

`DefaultSerializeClassChecker` throws `IllegalArgumentException` even when `SerializeCheckStatus` is set to `WARN`. The WARN mode is intended to only log warnings without blocking deserialization, but three code paths still throw exceptions unconditionally.

## Root Cause

Three places in `DefaultSerializeClassChecker` ignore the `checkStatus` when deciding to throw:

1. **`loadClass0()` disallow list check (case-sensitive, line 165)**: Logs a WARN-mode message but then unconditionally throws `IllegalArgumentException`.
2. **`loadClass0()` disallow list check (case-insensitive, line 186)**: Same issue — warns then throws.
3. **`loadClass()` Serializable interface check (line 118)**: Only checks the `checkSerializable` flag but ignores `checkStatus`. In WARN mode, non-Serializable classes should be warned about, not rejected.

## Fix

- **`loadClass0()` disallow list checks**: In WARN mode, log a warning and return the loaded class via `classForName()` instead of throwing. The warning message is updated to say "will allow to deserialize" (matching the existing non-disallowed warning at line 198).
- **`loadClass()` Serializable check**: Gate the exception on `checkStatus` — only throw in STRICT mode (when `checkSerializable` is also true). In WARN mode, downgrade from `logger.error` to `logger.warn`. In DISABLE mode, skip the check entirely.

This makes `DefaultSerializeClassChecker` consistent with `Fastjson2SecurityManager`, which already handles WARN mode correctly by returning null instead of throwing.
## Tests Added

| Change Point | Test |
|---|---|
| Disallow list in WARN mode no longer throws | `testDisallowedClassInWarnModeDoesNotThrow()` — loads `Runtime.class` (disallowed) in WARN mode, verifies no exception and class is in warnedClasses |
| Disallow list in STRICT mode still throws | `testDisallowedClassInStrictModeThrows()` — confirms `Runtime.class` throws in STRICT mode (regression) |
| Non-Serializable class in WARN mode | `testCommon()` — updated: `Socket.class` (disallowed, non-Serializable) now loads without exception in WARN mode |
| Existing STRICT mode behavior preserved | `testStatus()`, `testBlockAll()`, `testAddBlock()` — all pass unchanged |

## Impact

Only affects deserialization behavior when `checkStatus` is explicitly set to `WARN`. Default mode (`STRICT`) behavior is unchanged. Users who set WARN mode will now get the expected behavior: warnings are logged but deserialization proceeds.

Fixes #15179

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
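The following is a standalone Java model of the STRICT / WARN / DISABLE gating that the PR description lays out, added here as an illustration. It is not Dubbo's `DefaultSerializeClassChecker`: the class name, the `warnOnce` helper, the `System.err` stand-in for the logger and the two-entry disallow list are all made up for the demo. What it shows is the corrected contract: a disallowed or non-Serializable class throws only in STRICT mode, is logged once and still loaded in WARN mode, and is not checked at all in DISABLE mode.

```java
import java.io.Serializable;
import java.util.Locale;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Illustrative model of the three-mode deserialization gate described in the PR.
 * NOT Dubbo's DefaultSerializeClassChecker; names and logging are stand-ins.
 */
public class CheckStatusGateExample {

    /** Mirrors the three modes the PR refers to (Dubbo's SerializeCheckStatus). */
    enum CheckStatus { STRICT, WARN, DISABLE }

    private final CheckStatus checkStatus;
    private final boolean checkSerializable;
    private final Set<String> disallowedClasses;
    // Classes let through in WARN mode; each one is reported only once.
    final Set<String> warnedClasses = ConcurrentHashMap.newKeySet();

    CheckStatusGateExample(CheckStatus checkStatus, boolean checkSerializable, Set<String> disallowedClasses) {
        this.checkStatus = checkStatus;
        this.checkSerializable = checkSerializable;
        this.disallowedClasses = disallowedClasses;
    }

    /** Entry point: disallow-list check first, then the Serializable check. */
    Class<?> loadClass(ClassLoader loader, String className) throws ClassNotFoundException {
        Class<?> clazz = loadClass0(loader, className);
        if (checkStatus == CheckStatus.DISABLE || !checkSerializable) {
            return clazz; // DISABLE (or checkSerializable=false): skip the check entirely
        }
        if (!clazz.isInterface() && !Serializable.class.isAssignableFrom(clazz)) {
            String msg = "[Serialization Security] Class " + className + " does not implement Serializable.";
            if (checkStatus == CheckStatus.STRICT) {
                throw new IllegalArgumentException(msg);
            }
            // WARN: downgraded to a warning, class is still returned
            warnOnce(className, msg);
        }
        return clazz;
    }

    private Class<?> loadClass0(ClassLoader loader, String className) throws ClassNotFoundException {
        if (checkStatus != CheckStatus.DISABLE && isDisallowed(className)) {
            String msg = "[Serialization Security] Class " + className + " is in disallowed list.";
            if (checkStatus == CheckStatus.STRICT) {
                throw new IllegalArgumentException(msg);
            }
            // WARN: the fixed behaviour is to warn and return the class instead of throwing
            warnOnce(className, msg);
        }
        return Class.forName(className, false, loader);
    }

    /** Case-sensitive match first, then the case-insensitive fallback the PR mentions. */
    private boolean isDisallowed(String className) {
        if (disallowedClasses.contains(className)) {
            return true;
        }
        String lower = className.toLowerCase(Locale.ROOT);
        for (String blocked : disallowedClasses) {
            if (blocked.toLowerCase(Locale.ROOT).equals(lower)) {
                return true;
            }
        }
        return false;
    }

    private void warnOnce(String className, String msg) {
        if (warnedClasses.add(className)) {
            System.err.println("WARN " + msg + " Will allow to deserialize.");
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed disallow list for the demo; not Dubbo's shipped list.
        Set<String> disallowed = Set.of("java.lang.Runtime", "java.net.Socket");
        ClassLoader cl = CheckStatusGateExample.class.getClassLoader();

        CheckStatusGateExample warn = new CheckStatusGateExample(CheckStatus.WARN, true, disallowed);
        System.out.println("WARN   -> loaded " + warn.loadClass(cl, "java.lang.Runtime").getName());
        System.out.println("WARN   -> loaded " + warn.loadClass(cl, "java.net.Socket").getName());
        System.out.println("WARN   -> warned classes: " + warn.warnedClasses);

        CheckStatusGateExample strict = new CheckStatusGateExample(CheckStatus.STRICT, true, disallowed);
        // Runtime trips the disallow list; Thread is not listed but is not Serializable.
        for (String name : new String[] {"java.lang.Runtime", "java.lang.Thread"}) {
            try {
                strict.loadClass(cl, name);
                System.out.println("STRICT -> allowed " + name);
            } catch (IllegalArgumentException e) {
                System.out.println("STRICT -> rejected: " + e.getMessage());
            }
        }
    }
}
```

The practitioner caveat this makes visible: once WARN mode behaves as intended, `java.lang.Runtime` and `java.net.Socket` really are loaded, so WARN is an audit mode for finding what a codebase deserializes, not a protection. The PR leaves the default at STRICT; a deployment that switches to WARN should treat the "Will allow to deserialize" warnings as a work list and move back to STRICT once the list is empty.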
