This is an automated email from the ASF dual-hosted git repository.

xingfudeshi pushed a commit to branch 2.x
in repository https://gitbox.apache.org/repos/asf/incubator-seata.git


The following commit(s) were added to refs/heads/2.x by this push:
     new d577cfc147 optimize: add Server deserialization validation (#6267)
d577cfc147 is described below

commit d577cfc147f7d6615e458016671d7953816ed193
Author: jimin <[email protected]>
AuthorDate: Thu Jan 18 17:01:29 2024 +0800

    optimize: add Server deserialization validation (#6267)
---
 changes/en-us/2.x.md                               |  1 +
 changes/zh-cn/2.x.md                               |  1 +
 .../seata/core/rpc/netty/v1/ProtocolV1Decoder.java | 24 ++++++++++++++++------
 3 files changed, 20 insertions(+), 6 deletions(-)

diff --git a/changes/en-us/2.x.md b/changes/en-us/2.x.md
index 62c5dead0f..2ba239935f 100644
--- a/changes/en-us/2.x.md
+++ b/changes/en-us/2.x.md
@@ -62,6 +62,7 @@ Add changes here for all PR submitted to the 2.x branch.
 - [[#6259](https://github.com/apache/incubator-seata/pull/6259)] modify error 
message which is global session size more than config
 - [[#6264](https://github.com/apache/incubator-seata/pull/6264)] fix 
jib-maven-plugin build failed
 - [[#6246](https://github.com/apache/incubator-seata/pull/6246)] build the 
frontend at the same time as the maven build
+- [[#6267](https://github.com/apache/incubator-seata/pull/6267)] add Server 
deserialization validation
 
 ### security:
 - [[#6069](https://github.com/apache/incubator-seata/pull/6069)] Upgrade Guava 
dependencies to fix security vulnerabilities
diff --git a/changes/zh-cn/2.x.md b/changes/zh-cn/2.x.md
index 3384abfc92..594fda7b57 100644
--- a/changes/zh-cn/2.x.md
+++ b/changes/zh-cn/2.x.md
@@ -60,6 +60,7 @@
 - [[#6259](https://github.com/apache/incubator-seata/pull/6259)] 
修改全局会话大小超过配置的错误消息
 - [[#6264](https://github.com/apache/incubator-seata/pull/6264)] 修复 
jib-maven-plugin 编译失败问题
 - [[#6246](https://github.com/apache/incubator-seata/pull/6246)] 
在maven打包的同时打包前端资源
+- [[#6267](https://github.com/apache/incubator-seata/pull/6267)] 增加 Server 
反序列化校验
 
 ### security:
 - [[#6069](https://github.com/apache/incubator-seata/pull/6069)] 
升级Guava依赖版本,修复安全漏洞
diff --git 
a/core/src/main/java/io/seata/core/rpc/netty/v1/ProtocolV1Decoder.java 
b/core/src/main/java/io/seata/core/rpc/netty/v1/ProtocolV1Decoder.java
index 867e27d945..6f99a8d2ba 100644
--- a/core/src/main/java/io/seata/core/rpc/netty/v1/ProtocolV1Decoder.java
+++ b/core/src/main/java/io/seata/core/rpc/netty/v1/ProtocolV1Decoder.java
@@ -16,23 +16,26 @@
  */
 package io.seata.core.rpc.netty.v1;
 
+import java.util.Map;
+
 import io.netty.buffer.ByteBuf;
 import io.netty.channel.ChannelHandlerContext;
 import io.netty.handler.codec.LengthFieldBasedFrameDecoder;
-import io.seata.core.exception.DecodeException;
-import io.seata.core.serializer.Serializer;
+import io.seata.config.Configuration;
+import io.seata.config.ConfigurationFactory;
 import io.seata.core.compressor.Compressor;
 import io.seata.core.compressor.CompressorFactory;
+import io.seata.core.constants.ConfigurationKeys;
+import io.seata.core.exception.DecodeException;
 import io.seata.core.protocol.HeartbeatMessage;
 import io.seata.core.protocol.ProtocolConstants;
 import io.seata.core.protocol.RpcMessage;
+import io.seata.core.serializer.Serializer;
 import io.seata.core.serializer.SerializerServiceLoader;
 import io.seata.core.serializer.SerializerType;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import java.util.Map;
-
 /**
  * <pre>
  * 0     1     2     3     4     5     6     7     8     9    10     11    12  
  13    14    15    16
@@ -62,10 +65,14 @@ import java.util.Map;
 public class ProtocolV1Decoder extends LengthFieldBasedFrameDecoder {
 
     private static final Logger LOGGER = 
LoggerFactory.getLogger(ProtocolV1Decoder.class);
+    private static final Configuration CONFIG = 
ConfigurationFactory.getInstance();
+    private SerializerType serializerType;
 
     public ProtocolV1Decoder() {
         // default is 8M
         this(ProtocolConstants.MAX_FRAME_LENGTH);
+        String serializerName = 
CONFIG.getConfig(ConfigurationKeys.SERIALIZE_FOR_RPC, 
SerializerType.SEATA.name());
+        this.serializerType = SerializerType.getByName(serializerName);
     }
 
     public ProtocolV1Decoder(int maxFrameLength) {
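Review bot: `serializerType` is assigned only in the no-arg constructor, after `this(ProtocolConstants.MAX_FRAME_LENGTH)` returns, so an instance built directly through `ProtocolV1Decoder(int maxFrameLength)` (its body continues past the hunk) keeps the field null and the later `this.serializerType.equals(protocolType)` check in decodeFrame fails with a NullPointerException instead of the intended mismatch error. Declare it `private final SerializerType serializerType;` and move the two initialisation lines (`String serializerName = CONFIG.getConfig(ConfigurationKeys.SERIALIZE_FOR_RPC, SerializerType.SEATA.name());` and `this.serializerType = SerializerType.getByName(serializerName);`) into `ProtocolV1Decoder(int maxFrameLength)`, so every constructor path sets it and the no-arg constructor only delegates. A one-line Javadoc on the field, saying it is the serializer configured through `ConfigurationKeys.SERIALIZE_FOR_RPC` and that frames announcing any other codec are rejected before deserialization, would make the intent visible at the declaration rather than only in decodeFrame.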
@@ -142,8 +149,13 @@ public class ProtocolV1Decoder extends 
LengthFieldBasedFrameDecoder {
                 frame.readBytes(bs);
                 Compressor compressor = 
CompressorFactory.getCompressor(compressorType);
                 bs = compressor.decompress(bs);
-                Serializer serializer = 
SerializerServiceLoader.load(SerializerType.getByCode(rpcMessage.getCodec()));
-                rpcMessage.setBody(serializer.deserialize(bs));
+                SerializerType protocolType = 
SerializerType.getByCode(rpcMessage.getCodec());
+                if (this.serializerType.equals(protocolType)) {
+                    Serializer serializer = 
SerializerServiceLoader.load(protocolType);
+                    rpcMessage.setBody(serializer.deserialize(bs));
+                } else {
+                    throw new IllegalArgumentException("SerializerType not 
match");
+                }
             }
         }
 
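Review bot: The codec check on the new else branch runs only after the body has already been read and decompressed (`frame.readBytes(bs)` and `bs = compressor.decompress(bs)` in the context lines above), so a frame carrying an unexpected codec still costs a full decompression of peer-supplied bytes before it is discarded; moving the `SerializerType protocolType = SerializerType.getByCode(rpcMessage.getCodec());` lookup and the comparison ahead of the decompress call rejects such frames earlier. The message `"SerializerType not match"` also omits the two facts an operator needs when it fires; `throw new IllegalArgumentException("SerializerType not match, expected " + this.serializerType + " but got codec " + rpcMessage.getCodec());` keeps the resulting log line useful when tracing which peer sends a wrong codec. Because both operands are enum constants, `this.serializerType == protocolType` is the conventional comparison and cannot throw if the field is unset. decodeFrame starts and ends outside this hunk, so whether the caller wraps this IllegalArgumentException in the imported DecodeException cannot be confirmed from here.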

