This is an automated email from the ASF dual-hosted git repository.
albumenj pushed a commit to branch 3.2
in repository https://gitbox.apache.org/repos/asf/dubbo.git
The following commit(s) were added to refs/heads/3.2 by this push:
new 4dbd31ebb1 Update log level for serialization check (#12903)
4dbd31ebb1 is described below
commit 4dbd31ebb1b0d589b0d55eeadb1062889de9e311
Author: Albumen Kevin <[email protected]>
AuthorDate: Wed Aug 16 10:53:43 2023 +0800
Update log level for serialization check (#12903)
---
.../org/apache/dubbo/common/utils/DefaultSerializeClassChecker.java | 6 +++---
.../dubbo/common/serialize/fastjson2/Fastjson2SecurityManager.java | 4 ++--
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git
a/dubbo-common/src/main/java/org/apache/dubbo/common/utils/DefaultSerializeClassChecker.java
b/dubbo-common/src/main/java/org/apache/dubbo/common/utils/DefaultSerializeClassChecker.java
index 093cad8a96..9c863d717e 100644
---
a/dubbo-common/src/main/java/org/apache/dubbo/common/utils/DefaultSerializeClassChecker.java
+++
b/dubbo-common/src/main/java/org/apache/dubbo/common/utils/DefaultSerializeClassChecker.java
@@ -159,7 +159,7 @@ public class DefaultSerializeClassChecker implements
AllowClassNotifyListener {
"Current mode is `WARN`, will disallow to deserialize it
by default. " +
"Please add it into security/serialize.allowlist or follow
FAQ to configure it.";
if
(serializeSecurityManager.getWarnedClasses().add(className)) {
- logger.error(PROTOCOL_UNTRUSTED_SERIALIZE_CLASS, "", "",
msg);
+ logger.warn(PROTOCOL_UNTRUSTED_SERIALIZE_CLASS, "", "",
msg);
}
throw new IllegalArgumentException(msg);
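Review bot: The `logger.warn(PROTOCOL_UNTRUSTED_SERIALIZE_CLASS, "", "", msg)` call on this branch is followed by `throw new IllegalArgumentException(msg)`, so it records a refused class, and it now goes out at WARN and only once per class name because of the `getWarnedClasses().add(className)` guard. Monitoring that keys on ERROR for this code will no longer see refusals unless the caller logs the exception, which is not visible in the hunk. I would either keep `logger.error` on the throwing branches (this hunk, the one at -180, and Fastjson2SecurityManager at -152) and lower only the permissive ones, or add a comment such as `// WARN on purpose, once per class; the refusal itself is reported through the exception below`. The message also says the mode is `WARN` while the branch refuses the class, which looks inconsistent and is worth confirming against the mode check above the hunk. The enclosing method starts and ends outside the hunk.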
@@ -180,7 +180,7 @@ public class DefaultSerializeClassChecker implements
AllowClassNotifyListener {
"Current mode is `WARN`, will disallow to deserialize it
by default. " +
"Please add it into security/serialize.allowlist or follow
FAQ to configure it.";
if
(serializeSecurityManager.getWarnedClasses().add(className)) {
- logger.error(PROTOCOL_UNTRUSTED_SERIALIZE_CLASS, "", "",
msg);
+ logger.warn(PROTOCOL_UNTRUSTED_SERIALIZE_CLASS, "", "",
msg);
}
throw new IllegalArgumentException(msg);
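Review bot: `className` is concatenated into `msg` and stored through `getWarnedClasses().add(className)` on a branch that has just refused it, with no normalisation visible in this hunk. If the name comes from the serialized payload (likely, though the caller is outside the hunk), it can carry line breaks into the log entry, and every distinct name adds an entry to the warned set. Consider stripping control characters and capping the length before building `msg`, and bounding the size of the set; the hunk at -159 has the same shape.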
@@ -189,7 +189,7 @@ public class DefaultSerializeClassChecker implements
AllowClassNotifyListener {
Class<?> clazz = ClassUtils.forName(className, classLoader);
if (serializeSecurityManager.getWarnedClasses().add(className)) {
- logger.error(PROTOCOL_UNTRUSTED_SERIALIZE_CLASS, "", "",
+ logger.warn(PROTOCOL_UNTRUSTED_SERIALIZE_CLASS, "", "",
"[Serialization Security] Serialized class " + className + "
is not in allow list. " +
"Current mode is `WARN`, will allow to deserialize it by
default. " +
"Dubbo will set to `STRICT` mode by default in the future.
" +
diff --git
a/dubbo-serialization/dubbo-serialization-fastjson2/src/main/java/org/apache/dubbo/common/serialize/fastjson2/Fastjson2SecurityManager.java
b/dubbo-serialization/dubbo-serialization-fastjson2/src/main/java/org/apache/dubbo/common/serialize/fastjson2/Fastjson2SecurityManager.java
index 158966309e..1c1258af55 100644
---
a/dubbo-serialization/dubbo-serialization-fastjson2/src/main/java/org/apache/dubbo/common/serialize/fastjson2/Fastjson2SecurityManager.java
+++
b/dubbo-serialization/dubbo-serialization-fastjson2/src/main/java/org/apache/dubbo/common/serialize/fastjson2/Fastjson2SecurityManager.java
@@ -122,7 +122,7 @@ public class Fastjson2SecurityManager implements
AllowClassNotifyListener {
Class<?> localClass = loadClassDirectly(typeName);
if (localClass != null) {
if (status == SerializeCheckStatus.WARN &&
serializeSecurityManager.getWarnedClasses().add(typeName)) {
- logger.error(PROTOCOL_UNTRUSTED_SERIALIZE_CLASS, "", "",
+ logger.warn(PROTOCOL_UNTRUSTED_SERIALIZE_CLASS, "", "",
"[Serialization Security] Serialized class " +
localClass.getName() + " is not in allow list. " +
"Current mode is `WARN`, will allow to deserialize
it by default. " +
"Dubbo will set to `STRICT` mode by default in the
future. " +
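Review bot: On this branch the type is not in the allow list but is accepted (`status == SerializeCheckStatus.WARN`, and the message says it "will allow to deserialize it"), so the single `logger.warn` is the only trace that it was deserialized, and the `getWarnedClasses().add(typeName)` guard makes later occurrences of the same type silent. A comment above the call would make that contract explicit, e.g. `// Permissive path: type is NOT allow-listed but accepted; logged once per type name`. The guard keys on `typeName` while the message prints `localClass.getName()`; if the two can differ (not shown here), it is worth stating which one operators should put in the allowlist. The DefaultSerializeClassChecker hunk at -189 is the same case, and the remaining arguments of this call are outside the hunk.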
@@ -152,7 +152,7 @@ public class Fastjson2SecurityManager implements
AllowClassNotifyListener {
"Current mode is `WARN`, will disallow to deserialize it
by default. " +
"Please add it into security/serialize.allowlist or follow
FAQ to configure it.";
if (serializeSecurityManager.getWarnedClasses().add(typeName))
{
- logger.error(PROTOCOL_UNTRUSTED_SERIALIZE_CLASS, "", "",
msg);
+ logger.warn(PROTOCOL_UNTRUSTED_SERIALIZE_CLASS, "", "",
msg);
}
}