From 04ca8d66ae1aff3cd0f97196c732081020ee40fc Mon Sep 17 00:00:00 2001
From: Libing Chen
Date: Sun, 17 Mar 2024 17:29:48 +0800
Subject: [PATCH] app(security): Hessian's serializer factory with black class list
---
 ...HessianSerializerFactoryWithBlackList.java | 31 +++++++++++++++++++
 1 file changed, 31 insertions(+)
 create mode 100644 alibaba-rsocket-core/src/main/java/com/alibaba/rsocket/encoding/impl/HessianSerializerFactoryWithBlackList.java
diff --git a/alibaba-rsocket-core/src/main/java/com/alibaba/rsocket/encoding/impl/HessianSerializerFactoryWithBlackList.java b/alibaba-rsocket-core/src/main/java/com/alibaba/rsocket/encoding/impl/HessianSerializerFactoryWithBlackList.java
new file mode 100644
index 00000000..1fe8119d
--- /dev/null
+++ b/alibaba-rsocket-core/src/main/java/com/alibaba/rsocket/encoding/impl/HessianSerializerFactoryWithBlackList.java
@@ -0,0 +1,31 @@
+package com.alibaba.rsocket.encoding.impl;
+
+import com.alibaba.rsocket.observability.RsocketErrorCode;
+import com.caucho.hessian.io.Deserializer;
+import com.caucho.hessian.io.HessianProtocolException;
+import com.caucho.hessian.io.SerializerFactory;
+
+import java.util.HashSet;
+import java.util.Set;
+
+/**
+ * Hessian's serializer factory with black class list
+ *
+ * @author linux_china
+ */
+public class HessianSerializerFactoryWithBlackList extends SerializerFactory {
+ public static final Set BLACK_CLASSES = new HashSet<>();
+
+ static {
+ BLACK_CLASSES.add("org.springframework.context.support.ClassPathXmlApplicationContext");
+ BLACK_CLASSES.add("javax.swing.UIDefaults$ProxyLazyValue");
+ }
+
+ @Override
+ public Deserializer getObjectDeserializer(String type, Class cl) throws HessianProtocolException {
+ if (BLACK_CLASSES.contains(type)) {
+ throw new HessianProtocolException(RsocketErrorCode.message("RST-700401", type));
+ }
+ return super.getObjectDeserializer(type, cl);
+ }
+}
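Review bot: `BLACK_CLASSES` is a raw, publicly mutable `HashSet` (`public static final Set BLACK_CLASSES = new HashSet<>();`), so any code on the classpath can remove entries or `clear()` it and silently disable the check in `getObjectDeserializer`, and the raw type gives no compile-time guarantee that the set holds the `String` names compared by `contains(type)`. Declare it `private static final Set<String> BLACK_CLASSES = new HashSet<>();` (or wrap it with `Collections.unmodifiableSet` after the static initializer) and expose a read-only accessor if other code needs the list. A two-entry deny-list blocks only those exact names; if the project's Hessian version exposes `SerializerFactory.getClassFactory()` with allow-list mode, consider enabling that alongside this check, and state in the class Javadoc that the list is a last-line deny-list rather than a complete inventory of unsafe classes.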