optimize: optimize deserialization efficiency (apache#7049)

psxjoy · Dec 5, 2024 · 7eda23e · 7eda23e
1 parent c95bd08
commit 7eda23e
Show file tree

Hide file tree

Showing 4 changed files with 63 additions and 12 deletions.
diff --git a/server/src/main/java/org/apache/seata/server/cluster/raft/serializer/CustomDeserializer.java b/server/src/main/java/org/apache/seata/server/cluster/raft/serializer/CustomDeserializer.java
@@ -20,25 +20,33 @@
 import com.fasterxml.jackson.core.JsonParser;
 import com.fasterxml.jackson.databind.DeserializationContext;
 import com.fasterxml.jackson.databind.JsonDeserializer;
+import org.apache.seata.common.exception.ErrorCode;
+import org.apache.seata.common.exception.SeataRuntimeException;
 
 public class CustomDeserializer extends JsonDeserializer<Class<?>> {
 
     String oldPackage = "io.seata.server";
 
     String currentPackage = "org.apache.seata.server";
 
+    String permitPackage = "org.apache.seata";
+
     @Override
     public Class<?> deserialize(JsonParser jsonParser, DeserializationContext deserializationContext)
         throws IOException {
         String className = jsonParser.getValueAsString();
         if (className.startsWith(oldPackage)) {
             className = className.replaceFirst(oldPackage, currentPackage);
         }
-        try {
-            return Class.forName(className);
-        } catch (ClassNotFoundException e) {
-            throw new RuntimeException(e.getMessage(), e);
+        if (className.startsWith(permitPackage)) {
+            try {
+                return Class.forName(className);
+            } catch (ClassNotFoundException e) {
+                throw new RuntimeException(e.getMessage(), e);
+            }
         }
+        throw new SeataRuntimeException(ErrorCode.ERR_DESERIALIZATION_SECURITY,
+            "Failed to deserialize object: " + className + " is not permitted");
     }
 
 }
diff --git a/...r/src/main/java/org/apache/seata/server/cluster/raft/snapshot/RaftSnapshotSerializer.java b/...r/src/main/java/org/apache/seata/server/cluster/raft/snapshot/RaftSnapshotSerializer.java
@@ -26,6 +26,7 @@
 import java.util.List;
 import java.util.Optional;
 
+import com.fasterxml.jackson.databind.JsonMappingException;
 import org.apache.seata.common.exception.ErrorCode;
 import org.apache.seata.common.exception.SeataRuntimeException;
 import org.slf4j.Logger;
@@ -108,11 +109,18 @@ protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, Clas
                             .getCompressor(raftSnapshot.getCompressor()).decompress((byte[])raftSnapshot.getBody()))));
             return raftSnapshot;
         } catch (Exception e) {
-            LOGGER.info("Failed to read raft snapshot: {}", e.getMessage(), e);
-            if (e instanceof SeataRuntimeException) {
-                throw (SeataRuntimeException)e;
+            LOGGER.error("Failed to read raft snapshot: {}", e.getMessage(), e);
+            if (e instanceof RuntimeException) {
+                Throwable cause = e.getCause();
+                if (cause instanceof JsonMappingException) {
+                    Throwable jsonCause = cause.getCause();
+                    if (jsonCause instanceof SeataRuntimeException) {
+                        throw (SeataRuntimeException)jsonCause;
+                    }
+                }
+                throw (RuntimeException)e;
             }
-            throw new IOException(e);
+            throw new RuntimeException(e);
         }
     }
 

diff --git a/...er/src/main/java/org/apache/seata/server/cluster/raft/sync/RaftSyncMessageSerializer.java b/...er/src/main/java/org/apache/seata/server/cluster/raft/sync/RaftSyncMessageSerializer.java
@@ -25,6 +25,7 @@
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Optional;
+import com.fasterxml.jackson.databind.JsonMappingException;
 import org.apache.seata.common.exception.ErrorCode;
 import org.apache.seata.common.exception.SeataRuntimeException;
 import org.apache.seata.common.loader.EnhancedServiceLoader;
@@ -82,7 +83,6 @@ protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, Clas
                         throw new SeataRuntimeException(ErrorCode.ERR_DESERIALIZATION_SECURITY,
                             "Failed to deserialize object: " + desc.getName() + " is not permitted");
                     }
-
                     return super.resolveClass(desc);
                 }
             }) {
@@ -106,9 +106,16 @@ protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, Clas
                     .getCompressor(raftSyncMessage.getCompressor()).decompress((byte[])raftSyncMessage.getBody()))));
             return raftSyncMessage;
         } catch (Exception e) {
-            LOGGER.info("Failed to read raft synchronization log: {}", e.getMessage(), e);
-            if (e instanceof SeataRuntimeException) {
-                throw (SeataRuntimeException)e;
+            LOGGER.error("Failed to read raft synchronization log: {}", e.getMessage(), e);
+            if (e instanceof RuntimeException) {
+                Throwable cause = e.getCause();
+                if (cause instanceof JsonMappingException) {
+                    Throwable jsonCause = cause.getCause();
+                    if (jsonCause instanceof SeataRuntimeException) {
+                        throw (SeataRuntimeException)jsonCause;
+                    }
+                }
+                throw (RuntimeException)e;
             }
             throw new RuntimeException(e);
         }

diff --git a/server/src/test/java/org/apache/seata/server/raft/RaftSyncMessageTest.java b/server/src/test/java/org/apache/seata/server/raft/RaftSyncMessageTest.java
@@ -20,6 +20,7 @@
 import java.io.IOException;
 import java.io.ObjectOutputStream;
 import java.util.ArrayList;
+import java.util.Base64;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -78,6 +79,33 @@ public void testSecurityMsgSerialize() throws IOException {
         Assertions.assertThrows(SeataRuntimeException.class,()->RaftSyncMessageSerializer.decode(bytes));
     }
 
+    @Test
+    public void testSecurityMsgAndSnapshotSerialize() throws IOException {
+        String jndiUrl = "oracle://127.0.0.1:1234/test";
+        String basePayload = "{\"dataSourceName\":\"" + jndiUrl + "\",\"command\":\"123\"}";
+        String payload = "{\"obj\":\"" + Base64.getEncoder().encodeToString(basePayload.getBytes())
+            + "\",\"clz\":\"dm.jdbc.driver.DmdbJdbcRowSet\"}";
+        byte[] payloadBytes = payload.getBytes();
+        byte[] bytes;
+        RaftSyncMessage raftSyncMessage = new RaftSyncMessage();
+        raftSyncMessage.setBody(payloadBytes);
+        try (ByteArrayOutputStream bos = new ByteArrayOutputStream();
+            ObjectOutputStream oos = new ObjectOutputStream(bos)) {
+            oos.writeObject(raftSyncMessage);
+            bytes = bos.toByteArray();
+        }
+        Assertions.assertThrows(SeataRuntimeException.class,()->RaftSyncMessageSerializer.decode(bytes));
+        RaftSnapshot raftSnapshot = new RaftSnapshot();
+        raftSnapshot.setBody(payloadBytes);
+        byte[] snapshotBytes;
+        try (ByteArrayOutputStream bos = new ByteArrayOutputStream();
+            ObjectOutputStream oos = new ObjectOutputStream(bos)) {
+            oos.writeObject(raftSnapshot);
+            snapshotBytes = bos.toByteArray();
+        }
+        Assertions.assertThrows(SeataRuntimeException.class,()->RaftSnapshotSerializer.decode(snapshotBytes));
+    }
+
     @Test
     public void testMsgSerialize() throws IOException {
         RaftSyncMessage raftSyncMessage = new RaftSyncMessage();