Deny in deserialize

apache · Aug 27, 2022 · 99d689c · 99d689c
1 parent dc16557
commit 99d689c
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 6 deletions.
diff --git a/src/main/java/com/alibaba/com/caucho/hessian/io/SerializerFactory.java b/src/main/java/com/alibaba/com/caucho/hessian/io/SerializerFactory.java
@@ -343,6 +343,11 @@ public Serializer getSerializer(Class cl)
             serializer = factory.getSerializer(cl);
         }
 
+        if (!Serializable.class.isAssignableFrom(cl)
+                && !_isAllowNonSerializable) {
+            throw new IllegalStateException("Serialized class " + cl.getName() + " must implement java.io.Serializable");
+        }
+
         if (serializer != null) {
 
         } else if (isZoneId(cl)) //must before "else if (JavaSerializer.getWriteReplace(cl) != null)"
@@ -414,11 +419,6 @@ protected Serializer getDefaultSerializer(Class cl) {
         if (_defaultSerializer != null)
             return _defaultSerializer;
 
-        if (!Serializable.class.isAssignableFrom(cl)
-                && !_isAllowNonSerializable) {
-            throw new IllegalStateException("Serialized class " + cl.getName() + " must implement java.io.Serializable");
-        }
-
         return new JavaSerializer(cl, _loader);
     }
 
@@ -453,6 +453,11 @@ public Deserializer getDeserializer(Class cl)
             deserializer = factory.getDeserializer(cl);
         }
 
+        if (!Serializable.class.isAssignableFrom(cl)
+                && !_isAllowNonSerializable) {
+            throw new IllegalStateException("Serialized class " + cl.getName() + " must implement java.io.Serializable");
+        }
+
         if (deserializer != null) {
         } else if (Collection.class.isAssignableFrom(cl))
             deserializer = new CollectionDeserializer(cl);

diff --git a/src/test/java/com/alibaba/com/caucho/hessian/io/DenyListTest.java b/src/test/java/com/alibaba/com/caucho/hessian/io/DenyListTest.java
@@ -18,7 +18,6 @@
 
 import org.junit.Assert;
 import org.junit.Test;
-import sun.rmi.transport.StreamRemoteCall;
 
 import java.lang.reflect.Array;
 import java.util.HashMap;

diff --git a/src/test/java/com/alibaba/com/caucho/hessian/io/SerializerFactoryTest.java b/src/test/java/com/alibaba/com/caucho/hessian/io/SerializerFactoryTest.java
@@ -73,6 +73,29 @@ public void getDeserializer() throws Exception {
         Assert.assertTrue("several Deserializer!", d1 == d2);
     }
 
+    @Test
+    public void testCheckSerializable() throws HessianProtocolException {
+        final SerializerFactory serializerFactory = new SerializerFactory();
+        try {
+            serializerFactory.getSerializer(TestImpl.class);
+            Assert.fail();
+        } catch (RuntimeException e) {
+            Assert.assertEquals(IllegalStateException.class, e.getClass());
+            Assert.assertTrue(e.getMessage().equals("Serialized class com.alibaba.com.caucho.hessian.io.TestImpl must implement java.io.Serializable"));
+        }
+
+        try {
+            serializerFactory.getDeserializer(TestImpl.class);
+            Assert.fail();
+        } catch (RuntimeException e) {
+            Assert.assertEquals(IllegalStateException.class, e.getClass());
+            Assert.assertTrue(e.getMessage().startsWith("Serialized class com.alibaba.com.caucho.hessian.io.TestImpl must implement java.io.Serializable"));
+        }
+
+        Assert.assertNotNull(serializerFactory.getSerializer(TestClass.class));
+        Assert.assertNotNull(serializerFactory.getDeserializer(TestClass.class));
+    }
+
     @Test
     public void getDeserializerDuplicateThread() throws Exception {
         final SerializerFactory serializerFactory = new SerializerFactory();