Option 2, which only allows classes on interface signatures, is likely the better choice, as it greatly reduces the risk of security vulnerabilities associated with deserialization. Ease of use also matters, though; maybe there are security measures like, I don't know, class validation that could be implemented that would reduce the potential problems, but of course it would affect performance.

On Wednesday, 12 April 2023 at 05:53:55 GMT+3, earthchen <earthchen2...@gmail.com> wrote:

I think it is better to use the interface signature, but the problem now is that the experience for old Dubbo users is destructive.
Thanks,
EarthChen

Albumen Kevin <album...@apache.org> wrote on Wednesday, 12 April 2023 at 10:30:

> Hi Dubbo community,
>
> The current serialization method used by Dubbo allows for deserialization of any class by default (except for those in the blacklist). However, we must consider whether to continue allowing deserialization of any class or restrict it to only classes on interface signatures.
>
> Option 1: Allow deserialization of any class
> Benefits: This approach provides high ease of use for Dubbo, and users do not need to consider how to define parameters.
> Disadvantages: Due to the class mechanism under the Java system, this approach presents certain difficulties that can lead to remote command execution (RCE) and security risks.
>
> Option 2: Only allow classes on interface signatures
> Benefits: This approach can limit most security risks.
> Disadvantages: Java's generics and parent-child class transfers are severely restricted, and users must define specific interfaces like IDL.
>
> None of the following scenarios can be used:
> ```java
> package com.example.dubbo;
>
> public interface BaseResult {
> }
>
> public class User implements BaseResult {
>     public String name;
> }
>
> public interface DemoService {
>     BaseResult getUser();
>     Object getObject();
> }
>
> public class DemoServiceImpl implements DemoService {
>     @Override
>     public BaseResult getUser() {
>         // cast from User to BaseResult
>         return new User();
>     }
>
>     @Override
>     public Object getObject() {
>         // cast from User to Object
>         return new User();
>     }
> }
> ```
>
> ```java
> package com.example.dubbo;
>
> public class User {
>     public String name;
> }
>
> public class TestException extends RuntimeException {
> }
>
> public interface DemoService {
>     User getUser();
> }
>
> public class DemoServiceImpl implements DemoService {
>     @Override
>     public User getUser() {
>         // TestException does not appear anywhere on the DemoService signature
>         throw new TestException();
>     }
> }
> ```
>
> Please reply below this email to let us know how to proceed.
>
> Thanks,
> Albumen Kevin
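To make the Option 2 trade-off concrete, here is an added example that is not part of the thread and not Dubbo's own code: a hypothetical `SignatureAllowList` class that walks a service interface with reflection, collects every class named on its method signatures (return types, parameter types, declared exceptions), and answers whether a given class may be deserialized by exact match. The nested `BaseResult`, `User`, `TestException`, `DemoService` and `UserService` types mirror the two scenarios in the email; `DeclaredUserService` and `listUsers()` are my additions to show what does and does not reach the signature. Dubbo's real implementation is not claimed to work this way.

```java
package com.example.dubbo;

import java.lang.reflect.Method;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/**
 * Hypothetical allow-list builder (example code, not Dubbo's): collects the
 * classes that appear on a service interface's method signatures and
 * answers the Option 2 question "may this class be deserialized?".
 */
public final class SignatureAllowList {
    private final Set<Class<?>> allowed = new HashSet<>();

    public SignatureAllowList(Class<?> serviceInterface) {
        for (Method m : serviceInterface.getMethods()) {
            // getReturnType()/getParameterTypes() are erased: List<User> contributes List, not User.
            add(m.getReturnType());
            for (Class<?> p : m.getParameterTypes()) {
                add(p);
            }
            // Only exceptions listed in a throws clause reach the signature;
            // an undeclared RuntimeException subclass never does.
            for (Class<?> e : m.getExceptionTypes()) {
                add(e);
            }
        }
    }

    private void add(Class<?> c) {
        // Arrays are reduced to their element type; primitives need no class lookup.
        while (c.isArray()) {
            c = c.getComponentType();
        }
        if (!c.isPrimitive()) {
            allowed.add(c);
        }
    }

    /** Exact match only: a subclass of a signature type is not allowed. */
    public boolean isAllowed(Class<?> candidate) {
        return allowed.contains(candidate);
    }

    public Set<Class<?>> allowed() {
        return Collections.unmodifiableSet(allowed);
    }

    // The thread's types, nested here so this single file compiles on its own.
    public interface BaseResult {}
    public static class User implements BaseResult { public String name; }
    public static class TestException extends RuntimeException {}

    // Scenario 1: the signature names BaseResult, Object and List, never User.
    public interface DemoService {
        BaseResult getUser();
        Object getObject();
        List<User> listUsers();
    }

    // Scenario 2: User is on the signature; TestException is thrown but not declared.
    public interface UserService {
        User getUser();
    }

    // Variant (my addition): naming the exception in a throws clause puts it on the signature.
    public interface DeclaredUserService {
        User getUser() throws TestException;
    }

    public static void main(String[] args) {
        SignatureAllowList s1 = new SignatureAllowList(DemoService.class);
        System.out.println("scenario 1 allow-list: " + s1.allowed());
        System.out.println("scenario 1, User allowed: " + s1.isAllowed(User.class));
        System.out.println("scenario 1, BaseResult allowed: " + s1.isAllowed(BaseResult.class));

        SignatureAllowList s2 = new SignatureAllowList(UserService.class);
        System.out.println("scenario 2, User allowed: " + s2.isAllowed(User.class));
        System.out.println("scenario 2, TestException allowed: " + s2.isAllowed(TestException.class));

        SignatureAllowList s3 = new SignatureAllowList(DeclaredUserService.class);
        System.out.println("declared variant, TestException allowed: " + s3.isAllowed(TestException.class));
    }
}
```

Running `main` shows the two failure modes from the email: in scenario 1 the allow-list holds `BaseResult`, `Object` and `List` but not `User`, so the `User` instance returned through `BaseResult`, `Object` or `List<User>` is rejected (parent-child transfer and generics); in scenario 2 `User` passes but `TestException` is rejected because it is never declared. The `DeclaredUserService` variant shows the IDL-style discipline Option 2 forces on users: every concrete class that crosses the wire, exceptions included, has to be spelled out on the interface.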