This is an automated email from the ASF dual-hosted git repository.
albumenj pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/dubbo.git
The following commit(s) were added to refs/heads/master by this push:
new 4420118 add code (#8537)
4420118 is described below
commit 442011840a574f5494b96a858160d429d546a3bd
Author: Owen.Cai <[email protected]>
AuthorDate: Mon Aug 23 13:20:29 2021 +0800
add code (#8537)
---
.../java/org/apache/dubbo/common/constants/CommonConstants.java | 2 ++
.../java/org/apache/dubbo/common/utils/SerializeClassChecker.java | 8 ++++++++
2 files changed, 10 insertions(+)
diff --git
a/dubbo-common/src/main/java/org/apache/dubbo/common/constants/CommonConstants.java
b/dubbo-common/src/main/java/org/apache/dubbo/common/constants/CommonConstants.java
index 403011d..dd4ede8 100644
---
a/dubbo-common/src/main/java/org/apache/dubbo/common/constants/CommonConstants.java
+++
b/dubbo-common/src/main/java/org/apache/dubbo/common/constants/CommonConstants.java
@@ -389,6 +389,8 @@ public interface CommonConstants {
String DEFAULT_VERSION = "0.0.0";
+ String CLASS_DESERIALIZE_OPEN_CHECK =
"dubbo.security.serialize.openCheckClass";
+
String CLASS_DESERIALIZE_BLOCK_ALL =
"dubbo.security.serialize.blockAllClassExceptAllow";
String CLASS_DESERIALIZE_ALLOWED_LIST =
"dubbo.security.serialize.allowedClassList";
diff --git
a/dubbo-common/src/main/java/org/apache/dubbo/common/utils/SerializeClassChecker.java
b/dubbo-common/src/main/java/org/apache/dubbo/common/utils/SerializeClassChecker.java
index b75ae65..2693095 100644
---
a/dubbo-common/src/main/java/org/apache/dubbo/common/utils/SerializeClassChecker.java
+++
b/dubbo-common/src/main/java/org/apache/dubbo/common/utils/SerializeClassChecker.java
@@ -32,6 +32,7 @@ public class SerializeClassChecker {
private static volatile SerializeClassChecker INSTANCE = null;
+ private final boolean OPEN_CHECK_CLASS;
private final boolean BLOCK_ALL_CLASS_EXCEPT_ALLOW;
private final Set<String> CLASS_DESERIALIZE_ALLOWED_SET = new
ConcurrentHashSet<>();
private final Set<String> CLASS_DESERIALIZE_BLOCKED_SET = new
ConcurrentHashSet<>();
@@ -43,6 +44,9 @@ public class SerializeClassChecker {
private final AtomicLong counter = new AtomicLong(0);
private SerializeClassChecker() {
+ String openCheckClass =
System.getProperty(CommonConstants.CLASS_DESERIALIZE_OPEN_CHECK, "true");
+ OPEN_CHECK_CLASS = Boolean.parseBoolean(openCheckClass);
+
String blockAllClassExceptAllow =
System.getProperty(CommonConstants.CLASS_DESERIALIZE_BLOCK_ALL, "false");
BLOCK_ALL_CLASS_EXCEPT_ALLOW =
Boolean.parseBoolean(blockAllClassExceptAllow);
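Review bot: The new switch fails open, because `Boolean.parseBoolean(openCheckClass)` returns false for every value other than "true". An empty value or a typo such as `yes` or `1` in `dubbo.security.serialize.openCheckClass` therefore turns the deserialization class check off instead of leaving it on. For a security control it is safer to disable only on an explicit false, for example `OPEN_CHECK_CLASS = !"false".equalsIgnoreCase(openCheckClass);`. The constructor body continues outside this hunk.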
@@ -107,6 +111,10 @@ public class SerializeClassChecker {
* @param name class name ( all are convert to lower case )
*/
public void validateClass(String name) {
+ if(!OPEN_CHECK_CLASS){
+ return;
+ }
+
name = name.toLowerCase(Locale.ROOT);
if (CACHE == CLASS_ALLOW_LFU_CACHE.get(name)) {
return;
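Review bot: The early return at the top of `validateClass` skips the blocked-class list and the `BLOCK_ALL_CLASS_EXCEPT_ALLOW` allow-list mode alike, and nothing visible in this commit records that the check is off. The flag is fixed when the singleton is constructed, so one warning where the property is read would show operators and incident responders that filtering is disabled for the process; assuming the class has a logger, something like `logger.warn("Deserialization class check is disabled by " + CommonConstants.CLASS_DESERIALIZE_OPEN_CHECK);`. The Javadoc above the method should also state the precedence, e.g. `Does nothing when dubbo.security.serialize.openCheckClass is false, even if blockAllClassExceptAllow is set.` As a style point, `if(!OPEN_CHECK_CLASS){` lacks the spacing used by the `if (CACHE == ...) {` line below it. The method body continues outside this hunk.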