optimize: add Server deserialization validation (#6267)

changes/en-us/2.x.md

@@ -62,6 +62,7 @@ Add changes here for all PR submitted to the 2.x branch.
 - [[#6259](https://github.com/apache/incubator-seata/pull/6259)] modify error message which is global session size more than config
 - [[#6264](https://github.com/apache/incubator-seata/pull/6264)] fix jib-maven-plugin build failed
 - [[#6246](https://github.com/apache/incubator-seata/pull/6246)] build the frontend at the same time as the maven build
+- [[#6267](https://github.com/apache/incubator-seata/pull/6267)] add Server deserialization validation
 
 ### security:
 - [[#6069](https://github.com/apache/incubator-seata/pull/6069)] Upgrade Guava dependencies to fix security vulnerabilities

changes/zh-cn/2.x.md

@@ -60,6 +60,7 @@
 - [[#6259](https://github.com/apache/incubator-seata/pull/6259)] 修改全局会话大小超过配置的错误消息
 - [[#6264](https://github.com/apache/incubator-seata/pull/6264)] 修复 jib-maven-plugin 编译失败问题
 - [[#6246](https://github.com/apache/incubator-seata/pull/6246)] 在maven打包的同时打包前端资源
+- [[#6267](https://github.com/apache/incubator-seata/pull/6267)] 增加 Server 反序列化校验
 
 ### security:
 - [[#6069](https://github.com/apache/incubator-seata/pull/6069)] 升级Guava依赖版本，修复安全漏洞

core/src/main/java/io/seata/core/rpc/netty/v1/ProtocolV1Decoder.java

@@ -16,23 +16,26 @@
  */
 package io.seata.core.rpc.netty.v1;
 
+import java.util.Map;
+
 import io.netty.buffer.ByteBuf;
 import io.netty.channel.ChannelHandlerContext;
 import io.netty.handler.codec.LengthFieldBasedFrameDecoder;
-import io.seata.core.exception.DecodeException;
-import io.seata.core.serializer.Serializer;
+import io.seata.config.Configuration;
+import io.seata.config.ConfigurationFactory;
 import io.seata.core.compressor.Compressor;
 import io.seata.core.compressor.CompressorFactory;
+import io.seata.core.constants.ConfigurationKeys;
+import io.seata.core.exception.DecodeException;
 import io.seata.core.protocol.HeartbeatMessage;
 import io.seata.core.protocol.ProtocolConstants;
 import io.seata.core.protocol.RpcMessage;
+import io.seata.core.serializer.Serializer;
 import io.seata.core.serializer.SerializerServiceLoader;
 import io.seata.core.serializer.SerializerType;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import java.util.Map;
-
 /**
  * <pre>
  * 0     1     2     3     4     5     6     7     8     9    10     11    12    13    14    15    16
@@ -62,10 +65,14 @@
 public class ProtocolV1Decoder extends LengthFieldBasedFrameDecoder {
 
     private static final Logger LOGGER = LoggerFactory.getLogger(ProtocolV1Decoder.class);
+    private static final Configuration CONFIG = ConfigurationFactory.getInstance();
+    private SerializerType serializerType;
 
     public ProtocolV1Decoder() {
         // default is 8M
         this(ProtocolConstants.MAX_FRAME_LENGTH);
+        String serializerName = CONFIG.getConfig(ConfigurationKeys.SERIALIZE_FOR_RPC, SerializerType.SEATA.name());
+        this.serializerType = SerializerType.getByName(serializerName);
     }
 
     public ProtocolV1Decoder(int maxFrameLength) {
@@ -142,8 +149,13 @@ public Object decodeFrame(ByteBuf frame) {
                 frame.readBytes(bs);
                 Compressor compressor = CompressorFactory.getCompressor(compressorType);
                 bs = compressor.decompress(bs);
-                Serializer serializer = SerializerServiceLoader.load(SerializerType.getByCode(rpcMessage.getCodec()));
-                rpcMessage.setBody(serializer.deserialize(bs));
+                SerializerType protocolType = SerializerType.getByCode(rpcMessage.getCodec());
+                if (this.serializerType.equals(protocolType)) {
+                    Serializer serializer = SerializerServiceLoader.load(protocolType);
+                    rpcMessage.setBody(serializer.deserialize(bs));
+                } else {
+                    throw new IllegalArgumentException("SerializerType not match");
+                }
             }
         }