cvictory opened a new pull request, #16273:
URL: https://github.com/apache/dubbo/pull/16273
## Bug
- **Issue**: #16270
- **Symptom**: A generic invocation `Map` without a `class` key bypasses the
`Serializable` check in `PojoUtils.realize1`. A non-Serializable POJO is
silently instantiated via reflection even when
`dubbo.application.checkSerializable=true`.
- **Root cause**: `DefaultSerializeClassChecker.loadClass` — the only check
site — is gated behind `if (className instanceof String)`. When the `Map` has
no `class` key, `className` is `null`, the guard short-circuits, and
`newInstance(type)` runs without any Serializable validation. The target type
(already resolved from the method signature) is never checked.
| Call style | Serializable enforced? (before fix) |
|---|---|
| Strong-typed RPC | Yes |
| Generic call, Map **with** `class` key | Yes |
| Generic call, Map **without** `class` key | **No** ← fixed |
## Fix
**`DefaultSerializeClassChecker`** — add `checkClass(Class<?>)`:
Extracts the Serializable validation logic from `loadClass` into a dedicated
method that accepts an already-resolved `Class` object, avoiding a redundant
class-name lookup.
**`PojoUtils.realize1`** — add `else` branch after the `class`-key block:
```java
} else if (type != Object.class && !type.isInterface() &&
        !Map.class.isAssignableFrom(type)) {
    // type resolved from method signature — still must pass Serializable check
    DefaultSerializeClassChecker.getInstance().checkClass(type);
}
```
The guard excludes `Object`, interfaces, and `Map` subclasses — types that
are not POJO-instantiated on this code path and would cause false positives.
## Verification
- `PojoUtilsSerializableCheckTest` (new, 6 tests): covers happy/error/edge
paths including the exact regression case from the issue.
- `PojoUtilsTest` (existing, 44 tests): all pass — no regression.
```
Tests run: 6, Failures: 0, Errors: 0, Skipped: 0 ← PojoUtilsSerializableCheckTest
Tests run: 44, Failures: 0, Errors: 0, Skipped: 0 ← PojoUtilsTest (regression)
BUILD SUCCESS
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]