Anshul-creator opened a new pull request, #15776:
URL: https://github.com/apache/dubbo/pull/15776
## What is the purpose of the change?
This PR stabilizes `XmlSafetyTest` by removing environment-dependent
flakiness in its process-inspection logic, while fully preserving the original
test intention of detecting unsafe external command execution during XML
deserialization.
## Root Cause
`XmlSafetyTest` verifies that calling `XmlCodec.decode(...)` does not spawn
external commands such as `sleep 60`.
However, the original validation logic had two issues:
1. It checked for `"sleep"` in the entire `ps -e` output *after* execution,
without using the `processesBefore` baseline captured in `prepare()`.
2. It monitored **all system processes**, meaning the test failed if any
unrelated `sleep` process was created by the OS, CI infrastructure, or other
tests running concurrently.
As a result, both `testSafe1` and `testSafe2` intermittently failed under
randomized execution orders (NonDex) and on shared machines, even when
`XmlCodec` did not spawn a process.
## Changes Made
Only the `ProcessChecker` implementation was modified:
- The current JVM PID is captured in `prepare()`.
- `getProcesses()` was updated to only record processes where:
  - The **parent PID matches the JVM**, ensuring they are child processes,
    and
  - The command contains `"sleep"` **and** `"60"`, matching the attack
    payload.
- The baseline comparison remains (`processesBefore` vs `processesAfter`),
ensuring the test still fails if XML deserialization launches a new `sleep 60`
process.
## Verification
You can try running the following snippet of code from the dubbo repo root,
on both pre-fix and post-fix code.
```bash
./mvnw -pl dubbo-remoting/dubbo-remoting-http12 \
edu.illinois:nondex-maven-plugin:2.2.1:nondex \
-DnondexRuns=50 \
-Dtest=org.apache.dubbo.remoting.http12.message.codec.XmlSafetyTest
```
The test should fail intermittently on the pre-fix version, but pass
consistently across all seeds on the post-fix version.
NonDex run logs will be available under the
`dubbo-remoting/dubbo-remoting-http12/.nondex` directory.
## Checklist
- [x] Make sure there is a
[GitHub_issue](https://github.com/apache/dubbo/issues) field for the change.
- [x] Write a pull request description that is detailed enough to understand
what the pull request does, how, and why.
- [x] Write necessary unit-test to verify your logic correction. If the new
feature or significant change is committed, please remember to add sample in
[dubbo samples](https://github.com/apache/dubbo-samples) project.
- [x] Make sure GitHub Actions can pass. [Why the workflow is failing and
how to fix it?](../CONTRIBUTING.md)
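The following is an added, stand-alone sketch of the narrowed checker logic the PR describes; it is not Dubbo's `ProcessChecker` and is not code from this pull request. It assumes a POSIX `ps` that accepts `-eo pid,ppid,args`, names the class `ChildProcessChecker` and the helpers `filterChildren`, `readPs` and `newChildren` (all hypothetical), and embeds a constructed three-line `ps` sample so the filter can be exercised without spawning anything.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

/** Hypothetical illustration of a baseline diff restricted to this JVM's children. */
public class ChildProcessChecker {

    /** Tokens that identify the probe payload: the command must contain "sleep" and "60". */
    static final String[] PAYLOAD_TOKENS = {"sleep", "60"};

    private final long jvmPid;                       // captured once, as in prepare()
    private List<String> processesBefore = new ArrayList<>();

    ChildProcessChecker() {
        this.jvmPid = ProcessHandle.current().pid();
    }

    /** Keeps only ps lines whose PPID equals the JVM PID and whose args carry every payload token. */
    static List<String> filterChildren(List<String> psLines, long jvmPid) {
        List<String> matches = new ArrayList<>();
        for (String raw : psLines) {
            String line = raw.trim();
            String[] cols = line.split("\\s+", 3);   // pid, ppid, args
            if (cols.length < 3) continue;
            long ppid;
            try {
                ppid = Long.parseLong(cols[1]);
            } catch (NumberFormatException e) {
                continue;                            // header or malformed line
            }
            if (ppid != jvmPid) continue;            // unrelated process (OS, CI, other tests)
            String cmd = cols[2];
            boolean allTokens = true;
            for (String token : PAYLOAD_TOKENS) {
                if (!cmd.contains(token)) { allTokens = false; break; }
            }
            if (allTokens) matches.add(line);
        }
        return matches;
    }

    /** Runs ps and returns its body lines (header dropped). Assumes a POSIX ps. */
    static List<String> readPs() throws IOException, InterruptedException {
        Process ps = new ProcessBuilder("ps", "-eo", "pid,ppid,args").start();
        List<String> lines = new ArrayList<>();
        try (BufferedReader r = new BufferedReader(
                new InputStreamReader(ps.getInputStream(), StandardCharsets.UTF_8))) {
            String line = r.readLine();              // skip the column header
            while ((line = r.readLine()) != null) lines.add(line);
        }
        ps.waitFor();
        return lines;
    }

    /** Baseline snapshot, taken before the code under test runs. */
    void prepare() throws IOException, InterruptedException {
        processesBefore = filterChildren(readPs(), jvmPid);
    }

    /** Matching children that exist now but were absent from the baseline. */
    List<String> newChildren() throws IOException, InterruptedException {
        List<String> after = filterChildren(readPs(), jvmPid);
        after.removeAll(processesBefore);
        return after;
    }

    public static void main(String[] args) throws Exception {
        ChildProcessChecker checker = new ChildProcessChecker();
        checker.prepare();

        // Constructed ps sample: only the second line is a child of this JVM running the payload.
        List<String> sample = List.of(
                "  101     1 sleep 60",                       // owned by init: ignored
                "  202 " + checker.jvmPid + " sleep 60",      // child of this JVM: reported
                "  303 " + checker.jvmPid + " sleep 5");      // child, but not the payload: ignored
        System.out.println("filtered sample: " + filterChildren(sample, checker.jvmPid));

        // Live check: nothing was spawned between prepare() and here, so this should be empty.
        System.out.println("new children: " + checker.newChildren());
    }
}
```

Two points worth keeping in mind when adapting this: a payload launched through a shell wrapper (`sh -c "sleep 60"`) still matches, because the wrapper is the JVM's direct child and its args contain both tokens; and the baseline diff compares whole `ps` lines, so a payload process that exits before the post-run snapshot is not caught, which is why the test relies on a long-lived `sleep 60` rather than a short command.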
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.