From 11e728c084b591d0c11267e0729805eeeb59bd73 Mon Sep 17 00:00:00 2001
From: "ken.lj"
Date: Fri, 3 Jul 2020 16:53:51 +0800
Subject: [PATCH 1/4] Hessian2 whitelist (#6378)

fixes #6364
---
 dubbo-dependencies-bom/pom.xml | 2 +-
 .../hessian2/Hessian2SerializerFactory.java | 29 ++++++++++++++++++-
 2 files changed, 29 insertions(+), 2 deletions(-)

diff --git a/dubbo-dependencies-bom/pom.xml b/dubbo-dependencies-bom/pom.xml
index eae1bc812c8..c2426e27e70 100644
--- a/dubbo-dependencies-bom/pom.xml
+++ b/dubbo-dependencies-bom/pom.xml
@@ -152,7 +152,7 @@ 1.2.0 1.11.2 0.3.0 - 3.2.7 + 3.2.8 1.5.19 4.3.16.RELEASE
diff --git a/dubbo-serialization/dubbo-serialization-hessian2/src/main/java/org/apache/dubbo/common/serialize/hessian2/Hessian2SerializerFactory.java b/dubbo-serialization/dubbo-serialization-hessian2/src/main/java/org/apache/dubbo/common/serialize/hessian2/Hessian2SerializerFactory.java
index a5c5a9020ea..d0ff3a74e01 100644
--- a/dubbo-serialization/dubbo-serialization-hessian2/src/main/java/org/apache/dubbo/common/serialize/hessian2/Hessian2SerializerFactory.java
+++ b/dubbo-serialization/dubbo-serialization-hessian2/src/main/java/org/apache/dubbo/common/serialize/hessian2/Hessian2SerializerFactory.java
@@ -16,11 +16,38 @@
 */
 package org.apache.dubbo.common.serialize.hessian2;
+import org.apache.dubbo.common.config.ConfigurationUtils;
+import org.apache.dubbo.common.utils.StringUtils;
+
 import com.alibaba.com.caucho.hessian.io.SerializerFactory;
 public class Hessian2SerializerFactory extends SerializerFactory {
+ private static final String WHITELIST = "dubbo.application.hessian2.whitelist";
+ private static final String ALLOW = "dubbo.application.hessian2.allow";
+ private static final String DENY = "dubbo.application.hessian2.deny";
+
+ public static final SerializerFactory SERIALIZER_FACTORY;
- public static final SerializerFactory SERIALIZER_FACTORY = new Hessian2SerializerFactory();
+ /**
+ * see https://github.com/ebourg/hessian/commit/cf851f5131707891e723f7f6a9718c2461aed826
+ */
+ static {
+ SERIALIZER_FACTORY = new Hessian2SerializerFactory();
+ String whiteList = ConfigurationUtils.getProperty(WHITELIST);
+ if ("true".equals(whiteList)) {
+ SERIALIZER_FACTORY.getClassFactory().setWhitelist(true);
+ String allowPattern = ConfigurationUtils.getProperty(ALLOW);
+ if (StringUtils.isNotEmpty(allowPattern)) {
+ SERIALIZER_FACTORY.getClassFactory().allow(allowPattern);
+ }
+ } else {
+ SERIALIZER_FACTORY.getClassFactory().setWhitelist(false);
+ String denyPattern = ConfigurationUtils.getProperty(DENY);
+ if (StringUtils.isNotEmpty(denyPattern)) {
+ SERIALIZER_FACTORY.getClassFactory().deny(denyPattern);
+ }
+ }
+ }
 private Hessian2SerializerFactory() {
 }
From 9d5e8b39bf570bae4e4cf588f2ba3c9a5b7841c9 Mon Sep 17 00:00:00 2001
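Review bot: The mode switch `if ("true".equals(whiteList))` in the new static block is case-sensitive and treats every other value — `TRUE`, `yes`, a typo — as a request for deny-list mode, so a misconfigured `dubbo.application.hessian2.whitelist` silently lands on the less restrictive policy instead of failing. `if (Boolean.parseBoolean(whiteList)) {` accepts the case variants; rejecting any value that is neither `true` nor `false` with an IllegalStateException would be stricter still. The identical comparison is carried over unchanged into WhitelistHessian2FactoryInitializer.createSerializerFactory in the second patch of this series, so the fix belongs in both places. A further consequence of doing this in a static initializer is that any exception from `ConfigurationUtils.getProperty` surfaces as an ExceptionInInitializerError and leaves Hessian2SerializerFactory unusable for the rest of the JVM's life; the later move into an SPI-created initializer avoids that failure mode.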
From: "ken.lj"
Date: Tue, 7 Jul 2020 13:34:54 +0800
Subject: [PATCH 2/4] Hessian whitelist2 (#6423)

---
 .../hessian2/Hessian2ObjectInput.java | 3 +-
 .../hessian2/Hessian2ObjectOutput.java | 3 +-
 .../hessian2/Hessian2SerializerFactory.java | 31 +-----------
 .../AbstractHessian2FactoryInitializer.java | 36 +++++++++++++
 .../DefaultHessian2FactoryInitializer.java | 28 +++++++++++
 .../dubbo/Hessian2FactoryInitializer.java | 43 ++++++++++++++++
 .../WhitelistHessian2FactoryInitializer.java | 50 +++++++++++++++++++
 ....hessian2.dubbo.Hessian2FactoryInitializer | 2 +
 8 files changed, 164 insertions(+), 32 deletions(-)
 create mode 100644 dubbo-serialization/dubbo-serialization-hessian2/src/main/java/org/apache/dubbo/common/serialize/hessian2/dubbo/AbstractHessian2FactoryInitializer.java
 create mode 100644 dubbo-serialization/dubbo-serialization-hessian2/src/main/java/org/apache/dubbo/common/serialize/hessian2/dubbo/DefaultHessian2FactoryInitializer.java
 create mode 100644 dubbo-serialization/dubbo-serialization-hessian2/src/main/java/org/apache/dubbo/common/serialize/hessian2/dubbo/Hessian2FactoryInitializer.java
 create mode 100644 dubbo-serialization/dubbo-serialization-hessian2/src/main/java/org/apache/dubbo/common/serialize/hessian2/dubbo/WhitelistHessian2FactoryInitializer.java
 create mode 100644 dubbo-serialization/dubbo-serialization-hessian2/src/main/resources/META-INF/dubbo/internal/org.apache.dubbo.common.serialize.hessian2.dubbo.Hessian2FactoryInitializer

diff --git a/dubbo-serialization/dubbo-serialization-hessian2/src/main/java/org/apache/dubbo/common/serialize/hessian2/Hessian2ObjectInput.java b/dubbo-serialization/dubbo-serialization-hessian2/src/main/java/org/apache/dubbo/common/serialize/hessian2/Hessian2ObjectInput.java
index d38b5c0cec2..23a77835e9c 100644
--- a/dubbo-serialization/dubbo-serialization-hessian2/src/main/java/org/apache/dubbo/common/serialize/hessian2/Hessian2ObjectInput.java
+++ b/dubbo-serialization/dubbo-serialization-hessian2/src/main/java/org/apache/dubbo/common/serialize/hessian2/Hessian2ObjectInput.java
@@ -17,6 +17,7 @@
 package org.apache.dubbo.common.serialize.hessian2;
 import org.apache.dubbo.common.serialize.ObjectInput;
+import org.apache.dubbo.common.serialize.hessian2.dubbo.Hessian2FactoryInitializer;
 import com.alibaba.com.caucho.hessian.io.Hessian2Input;
@@ -31,7 +32,7 @@ public class Hessian2ObjectInput implements ObjectInput {
 private static ThreadLocal INPUT_TL = ThreadLocal.withInitial(() -> {
 Hessian2Input h2i = new Hessian2Input(null);
- h2i.setSerializerFactory(Hessian2SerializerFactory.SERIALIZER_FACTORY);
+ h2i.setSerializerFactory(Hessian2FactoryInitializer.getInstance().getSerializerFactory());
 h2i.setCloseStreamOnClose(true);
 return h2i;
 });
diff --git a/dubbo-serialization/dubbo-serialization-hessian2/src/main/java/org/apache/dubbo/common/serialize/hessian2/Hessian2ObjectOutput.java b/dubbo-serialization/dubbo-serialization-hessian2/src/main/java/org/apache/dubbo/common/serialize/hessian2/Hessian2ObjectOutput.java
index a878593ea1e..9844415bbdf 100644
--- a/dubbo-serialization/dubbo-serialization-hessian2/src/main/java/org/apache/dubbo/common/serialize/hessian2/Hessian2ObjectOutput.java
+++ b/dubbo-serialization/dubbo-serialization-hessian2/src/main/java/org/apache/dubbo/common/serialize/hessian2/Hessian2ObjectOutput.java
@@ -17,6 +17,7 @@
 package org.apache.dubbo.common.serialize.hessian2;
 import org.apache.dubbo.common.serialize.ObjectOutput;
+import org.apache.dubbo.common.serialize.hessian2.dubbo.Hessian2FactoryInitializer;
 import com.alibaba.com.caucho.hessian.io.Hessian2Output;
@@ -30,7 +31,7 @@ public class Hessian2ObjectOutput implements ObjectOutput {
 private static ThreadLocal OUTPUT_TL = ThreadLocal.withInitial(() -> {
 Hessian2Output h2o = new Hessian2Output(null);
- h2o.setSerializerFactory(Hessian2SerializerFactory.SERIALIZER_FACTORY);
+ h2o.setSerializerFactory(Hessian2FactoryInitializer.getInstance().getSerializerFactory());
 h2o.setCloseStreamOnClose(true);
 return h2o;
 });
diff --git a/dubbo-serialization/dubbo-serialization-hessian2/src/main/java/org/apache/dubbo/common/serialize/hessian2/Hessian2SerializerFactory.java b/dubbo-serialization/dubbo-serialization-hessian2/src/main/java/org/apache/dubbo/common/serialize/hessian2/Hessian2SerializerFactory.java
index d0ff3a74e01..6a8db878977 100644
--- a/dubbo-serialization/dubbo-serialization-hessian2/src/main/java/org/apache/dubbo/common/serialize/hessian2/Hessian2SerializerFactory.java
+++ b/dubbo-serialization/dubbo-serialization-hessian2/src/main/java/org/apache/dubbo/common/serialize/hessian2/Hessian2SerializerFactory.java
@@ -16,40 +16,11 @@
 */
 package org.apache.dubbo.common.serialize.hessian2;
-import org.apache.dubbo.common.config.ConfigurationUtils;
-import org.apache.dubbo.common.utils.StringUtils;
-
 import com.alibaba.com.caucho.hessian.io.SerializerFactory;
 public class Hessian2SerializerFactory extends SerializerFactory {
- private static final String WHITELIST = "dubbo.application.hessian2.whitelist";
- private static final String ALLOW = "dubbo.application.hessian2.allow";
- private static final String DENY = "dubbo.application.hessian2.deny";
-
- public static final SerializerFactory SERIALIZER_FACTORY;
-
- /**
- * see https://github.com/ebourg/hessian/commit/cf851f5131707891e723f7f6a9718c2461aed826
- */
- static {
- SERIALIZER_FACTORY = new Hessian2SerializerFactory();
- String whiteList = ConfigurationUtils.getProperty(WHITELIST);
- if ("true".equals(whiteList)) {
- SERIALIZER_FACTORY.getClassFactory().setWhitelist(true);
- String allowPattern = ConfigurationUtils.getProperty(ALLOW);
- if (StringUtils.isNotEmpty(allowPattern)) {
- SERIALIZER_FACTORY.getClassFactory().allow(allowPattern);
- }
- } else {
- SERIALIZER_FACTORY.getClassFactory().setWhitelist(false);
- String denyPattern = ConfigurationUtils.getProperty(DENY);
- if (StringUtils.isNotEmpty(denyPattern)) {
- SERIALIZER_FACTORY.getClassFactory().deny(denyPattern);
- }
- }
- }
-
- private Hessian2SerializerFactory() {
+ public Hessian2SerializerFactory() {
 }
 @Override
diff --git a/dubbo-serialization/dubbo-serialization-hessian2/src/main/java/org/apache/dubbo/common/serialize/hessian2/dubbo/AbstractHessian2FactoryInitializer.java b/dubbo-serialization/dubbo-serialization-hessian2/src/main/java/org/apache/dubbo/common/serialize/hessian2/dubbo/AbstractHessian2FactoryInitializer.java
new file mode 100644
index 00000000000..41c94955950
--- /dev/null
+++ b/dubbo-serialization/dubbo-serialization-hessian2/src/main/java/org/apache/dubbo/common/serialize/hessian2/dubbo/AbstractHessian2FactoryInitializer.java
@@ -0,0 +1,36 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.dubbo.common.serialize.hessian2.dubbo;
+
+import com.alibaba.com.caucho.hessian.io.SerializerFactory;
+
+public abstract class AbstractHessian2FactoryInitializer implements Hessian2FactoryInitializer {
+ private static SerializerFactory SERIALIZER_FACTORY;
+
+ @Override
+ public SerializerFactory getSerializerFactory() {
+ if (SERIALIZER_FACTORY != null) {
+ return SERIALIZER_FACTORY;
+ }
+ synchronized (this) {
+ SERIALIZER_FACTORY = createSerializerFactory();
+ }
+ return SERIALIZER_FACTORY;
+ }
+
+ protected abstract SerializerFactory createSerializerFactory();
+}
diff --git a/dubbo-serialization/dubbo-serialization-hessian2/src/main/java/org/apache/dubbo/common/serialize/hessian2/dubbo/DefaultHessian2FactoryInitializer.java b/dubbo-serialization/dubbo-serialization-hessian2/src/main/java/org/apache/dubbo/common/serialize/hessian2/dubbo/DefaultHessian2FactoryInitializer.java
new file mode 100644
index 00000000000..042889ef453
--- /dev/null
+++ b/dubbo-serialization/dubbo-serialization-hessian2/src/main/java/org/apache/dubbo/common/serialize/hessian2/dubbo/DefaultHessian2FactoryInitializer.java
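Review bot: `synchronized (this)` in getSerializerFactory guards a static field with an instance lock and there is no second null check inside the block, so two threads that both pass the unsynchronized `SERIALIZER_FACTORY != null` test each call createSerializerFactory() in turn and the second overwrites the first; the field is not volatile either, so the fast-path read has no happens-before edge with the write. Because the field is static and shared by DefaultHessian2FactoryInitializer and WhitelistHessian2FactoryInitializer alike, whichever subclass is asked first fixes the class-resolution policy for every later caller — as far as this series shows getInstance() always resolves the same extension, so that is latent rather than reachable today, but it deserves a comment on the field ("one factory per JVM, created by the first initializer that is asked"). Locking on the class, re-checking under the lock and making the field volatile gives the same double-checked pattern the DubboBootstrap change in the third patch uses; a local copy avoids the second volatile read.
```java
private static volatile SerializerFactory SERIALIZER_FACTORY;

@Override
public SerializerFactory getSerializerFactory() {
    SerializerFactory factory = SERIALIZER_FACTORY;
    if (factory == null) {
        synchronized (AbstractHessian2FactoryInitializer.class) {
            factory = SERIALIZER_FACTORY;
            if (factory == null) {
                factory = createSerializerFactory();
                SERIALIZER_FACTORY = factory;
            }
        }
    }
    return factory;
}
// … unchanged: abstract createSerializerFactory() declaration …
```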
@@ -0,0 +1,28 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.dubbo.common.serialize.hessian2.dubbo;
+
+import org.apache.dubbo.common.serialize.hessian2.Hessian2SerializerFactory;
+
+import com.alibaba.com.caucho.hessian.io.SerializerFactory;
+
+public class DefaultHessian2FactoryInitializer extends AbstractHessian2FactoryInitializer {
+ @Override
+ protected SerializerFactory createSerializerFactory() {
+ return new Hessian2SerializerFactory();
+ }
+}
diff --git a/dubbo-serialization/dubbo-serialization-hessian2/src/main/java/org/apache/dubbo/common/serialize/hessian2/dubbo/Hessian2FactoryInitializer.java b/dubbo-serialization/dubbo-serialization-hessian2/src/main/java/org/apache/dubbo/common/serialize/hessian2/dubbo/Hessian2FactoryInitializer.java
new file mode 100644
index 00000000000..16576ec7106
--- /dev/null
+++ b/dubbo-serialization/dubbo-serialization-hessian2/src/main/java/org/apache/dubbo/common/serialize/hessian2/dubbo/Hessian2FactoryInitializer.java
@@ -0,0 +1,43 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.dubbo.common.serialize.hessian2.dubbo;
+
+import org.apache.dubbo.common.config.ConfigurationUtils;
+import org.apache.dubbo.common.extension.ExtensionLoader;
+import org.apache.dubbo.common.extension.SPI;
+import org.apache.dubbo.common.utils.StringUtils;
+
+import com.alibaba.com.caucho.hessian.io.SerializerFactory;
+
+@SPI("default")
+public interface Hessian2FactoryInitializer {
+ String WHITELIST = "dubbo.application.hessian2.whitelist";
+ String ALLOW = "dubbo.application.hessian2.allow";
+ String DENY = "dubbo.application.hessian2.deny";
+ ExtensionLoader loader = ExtensionLoader.getExtensionLoader(Hessian2FactoryInitializer.class);
+
+ SerializerFactory getSerializerFactory();
+
+ static Hessian2FactoryInitializer getInstance() {
+ String whitelist = ConfigurationUtils.getProperty(WHITELIST);
+ if (StringUtils.isNotEmpty(whitelist)) {
+ return loader.getExtension("whitelist");
+ }
+ return loader.getDefaultExtension();
+ }
+
+}
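Review bot: getInstance() routes to the "whitelist" extension only when `dubbo.application.hessian2.whitelist` is non-empty, and DefaultHessian2FactoryInitializer (previous hunk) builds a bare Hessian2SerializerFactory without ever reading `dubbo.application.hessian2.deny`, so a deployment that sets only the deny pattern gets no deny entries at all — the property is silently ignored unless the whitelist key is also present. Routing on either key, `if (StringUtils.isNotEmpty(whitelist) || StringUtils.isNotEmpty(ConfigurationUtils.getProperty(DENY))) {`, sends that case to WhitelistHessian2FactoryInitializer, whose else-branch already applies the deny pattern. Separately, `loader` is an interface constant and would conventionally be named `LOADER`, and a short Javadoc on the interface listing the three property keys and which initializer each combination selects would help, since this method is the only place the selection rule lives.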
diff --git a/dubbo-serialization/dubbo-serialization-hessian2/src/main/java/org/apache/dubbo/common/serialize/hessian2/dubbo/WhitelistHessian2FactoryInitializer.java b/dubbo-serialization/dubbo-serialization-hessian2/src/main/java/org/apache/dubbo/common/serialize/hessian2/dubbo/WhitelistHessian2FactoryInitializer.java
new file mode 100644
index 00000000000..c2fe65e119c
--- /dev/null
+++ b/dubbo-serialization/dubbo-serialization-hessian2/src/main/java/org/apache/dubbo/common/serialize/hessian2/dubbo/WhitelistHessian2FactoryInitializer.java
@@ -0,0 +1,50 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.dubbo.common.serialize.hessian2.dubbo;
+
+import org.apache.dubbo.common.config.ConfigurationUtils;
+import org.apache.dubbo.common.serialize.hessian2.Hessian2SerializerFactory;
+import org.apache.dubbo.common.utils.StringUtils;
+
+import com.alibaba.com.caucho.hessian.io.SerializerFactory;
+
+/**
+ * see https://github.com/ebourg/hessian/commit/cf851f5131707891e723f7f6a9718c2461aed826
+ */
+public class WhitelistHessian2FactoryInitializer extends AbstractHessian2FactoryInitializer {
+
+ @Override
+ public SerializerFactory createSerializerFactory() {
+ SerializerFactory serializerFactory = new Hessian2SerializerFactory();
+ String whiteList = ConfigurationUtils.getProperty(WHITELIST);
+ if ("true".equals(whiteList)) {
+ serializerFactory.getClassFactory().setWhitelist(true);
+ String allowPattern = ConfigurationUtils.getProperty(ALLOW);
+ if (StringUtils.isNotEmpty(allowPattern)) {
+ serializerFactory.getClassFactory().allow(allowPattern);
+ }
+ } else {
+ serializerFactory.getClassFactory().setWhitelist(false);
+ String denyPattern = ConfigurationUtils.getProperty(DENY);
+ if (StringUtils.isNotEmpty(denyPattern)) {
+ serializerFactory.getClassFactory().deny(denyPattern);
+ }
+ }
+ return serializerFactory;
+ }
+
+}
diff --git a/dubbo-serialization/dubbo-serialization-hessian2/src/main/resources/META-INF/dubbo/internal/org.apache.dubbo.common.serialize.hessian2.dubbo.Hessian2FactoryInitializer b/dubbo-serialization/dubbo-serialization-hessian2/src/main/resources/META-INF/dubbo/internal/org.apache.dubbo.common.serialize.hessian2.dubbo.Hessian2FactoryInitializer
new file mode 100644
index 00000000000..460972e240d
--- /dev/null
+++ b/dubbo-serialization/dubbo-serialization-hessian2/src/main/resources/META-INF/dubbo/internal/org.apache.dubbo.common.serialize.hessian2.dubbo.Hessian2FactoryInitializer
@@ -0,0 +1,2 @@
+default=org.apache.dubbo.common.serialize.hessian2.dubbo.DefaultHessian2FactoryInitializer
+whitelist=org.apache.dubbo.common.serialize.hessian2.dubbo.WhitelistHessian2FactoryInitializer
\ No newline at end of file
From feb679b176e7f7f1889bb91d0fc266f1d2dab89a Mon Sep 17 00:00:00 2001
From: diguage
Date: Tue, 7 Jul 2020 22:54:12 +0800
Subject: [PATCH 3/4] double check lock (#6422)

---
 .../apache/dubbo/config/bootstrap/DubboBootstrap.java | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/dubbo-config/dubbo-config-api/src/main/java/org/apache/dubbo/config/bootstrap/DubboBootstrap.java b/dubbo-config/dubbo-config-api/src/main/java/org/apache/dubbo/config/bootstrap/DubboBootstrap.java
index 10dd4f209f7..4af2dbcee6d 100644
--- a/dubbo-config/dubbo-config-api/src/main/java/org/apache/dubbo/config/bootstrap/DubboBootstrap.java
+++ b/dubbo-config/dubbo-config-api/src/main/java/org/apache/dubbo/config/bootstrap/DubboBootstrap.java
@@ -127,7 +127,7 @@ public class DubboBootstrap extends GenericEventListener {
 private final Logger logger = LoggerFactory.getLogger(getClass());
- private static DubboBootstrap instance;
+ private static volatile DubboBootstrap instance;
 private final AtomicBoolean awaited = new AtomicBoolean(false);
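Review bot: createSerializerFactory in WhitelistHessian2FactoryInitializer (the hunk starts on the previous line) is the only place the three `dubbo.application.hessian2.*` properties are interpreted, yet the class Javadoc is just a link to the upstream hessian commit, so an operator has to read the code to learn what the knobs do. A class comment should state that `whitelist="true"` puts the class factory in allow-list mode where only the `allow` patterns are admitted, that any other value puts it in deny-list mode where the `deny` patterns are added, and that the values are read once when the factory is first created (the static cache in AbstractHessian2FactoryInitializer), so later configuration changes are not picked up. What an empty `allow` pattern means in allow-list mode, and whether hessian's built-in deny entries survive in deny-list mode, are decided inside hessian's ClassFactory and are not visible here; both are worth stating in that comment once confirmed against the hessian version pinned in the first patch.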
@@ -176,9 +176,13 @@ public class DubboBootstrap extends GenericEventListener {
 /**
 * See {@link ApplicationModel} and {@link ExtensionLoader} for why DubboBootstrap is designed to be singleton.
 */
- public static synchronized DubboBootstrap getInstance() {
+ public static DubboBootstrap getInstance() {
 if (instance == null) {
- instance = new DubboBootstrap();
+ synchronized (DubboBootstrap.class) {
+ if (instance == null) {
+ instance = new DubboBootstrap();
+ }
+ }
 }
 return instance;
 }
From 51c0ea87eedcbba7d30ff6fc91a3dc0df31d9d17 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E6=9C=88=E6=B3=89?=
Date: Tue, 7 Jul 2020 22:57:56 +0800
Subject: [PATCH 4/4] Correction: comments about multipleConfig (#6414)

---
 .../dubbo/config/spring/context/annotation/EnableDubbo.java | 2 +-
 .../config/spring/context/annotation/EnableDubboConfig.java | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/dubbo-config/dubbo-config-spring/src/main/java/org/apache/dubbo/config/spring/context/annotation/EnableDubbo.java b/dubbo-config/dubbo-config-spring/src/main/java/org/apache/dubbo/config/spring/context/annotation/EnableDubbo.java
index 706e288597e..5e3ef54cac4 100644
--- a/dubbo-config/dubbo-config-spring/src/main/java/org/apache/dubbo/config/spring/context/annotation/EnableDubbo.java
+++ b/dubbo-config/dubbo-config-spring/src/main/java/org/apache/dubbo/config/spring/context/annotation/EnableDubbo.java
@@ -72,7 +72,7 @@
 /**
 * It indicates whether {@link AbstractConfig} binding to multiple Spring Beans.
 *
- * @return the default value is false
+ * @return the default value is true
 * @see EnableDubboConfig#multiple()
 */
 @AliasFor(annotation = EnableDubboConfig.class, attribute = "multiple")
diff --git a/dubbo-config/dubbo-config-spring/src/main/java/org/apache/dubbo/config/spring/context/annotation/EnableDubboConfig.java b/dubbo-config/dubbo-config-spring/src/main/java/org/apache/dubbo/config/spring/context/annotation/EnableDubboConfig.java
index 314f2e93d6b..1ec03e78bc3 100644
--- a/dubbo-config/dubbo-config-spring/src/main/java/org/apache/dubbo/config/spring/context/annotation/EnableDubboConfig.java
+++ b/dubbo-config/dubbo-config-spring/src/main/java/org/apache/dubbo/config/spring/context/annotation/EnableDubboConfig.java
@@ -72,7 +72,7 @@
 /**
 * It indicates whether binding to multiple Spring Beans.
 *
- * @return the default value is false
+ * @return the default value is true
 * @revised 2.5.9
 */
 boolean multiple() default true;