Fix serializable check & Add test cases (#12054)

* Add test cases

* Fix uts

* Add fj2 test

* save

* Fix check

* Disable some test cases

* Fix test

Author: AlbumenJ

dubbo-common/src/main/java/org/apache/dubbo/common/utils/ClassUtils.java

@@ -74,20 +74,20 @@ public class ClassUtils {
      * @since 2.7.6
      */
     public static final Set<Class<?>> SIMPLE_TYPES = ofSet(
-            Void.class,
-            Boolean.class,
-            Character.class,
-            Byte.class,
-            Short.class,
-            Integer.class,
-            Long.class,
-            Float.class,
-            Double.class,
-            String.class,
-            BigDecimal.class,
-            BigInteger.class,
-            Date.class,
-            Object.class
+        Void.class,
+        Boolean.class,
+        Character.class,
+        Byte.class,
+        Short.class,
+        Integer.class,
+        Long.class,
+        Float.class,
+        Double.class,
+        String.class,
+        BigDecimal.class,
+        BigInteger.class,
+        Date.class,
+        Object.class
     );
     /**
      * Prefix for internal array class names: "[L"
@@ -118,8 +118,8 @@ public class ClassUtils {
         Set<Class<?>> primitiveTypeNames = new HashSet<>(32);
         primitiveTypeNames.addAll(PRIMITIVE_WRAPPER_TYPE_MAP.values());
         primitiveTypeNames.addAll(Arrays
-                .asList(boolean[].class, byte[].class, char[].class, double[].class,
-                        float[].class, int[].class, long[].class, short[].class));
+            .asList(boolean[].class, byte[].class, char[].class, double[].class,
+                float[].class, int[].class, long[].class, short[].class));
         for (Class<?> primitiveTypeName : primitiveTypeNames) {
             PRIMITIVE_TYPE_NAME_MAP.put(primitiveTypeName.getName(), primitiveTypeName);
         }
@@ -137,12 +137,12 @@ public class ClassUtils {
     private static final char PACKAGE_SEPARATOR_CHAR = '.';
 
     public static Class<?> forNameWithThreadContextClassLoader(String name)
-            throws ClassNotFoundException {
+        throws ClassNotFoundException {
         return forName(name, Thread.currentThread().getContextClassLoader());
     }
 
     public static Class<?> forNameWithCallerClassLoader(String name, Class<?> caller)
-            throws ClassNotFoundException {
+        throws ClassNotFoundException {
         return forName(name, caller.getClassLoader());
     }
 
@@ -224,7 +224,7 @@ public static Class<?> forName(String name) throws ClassNotFoundException {
      * @see Class#forName(String, boolean, ClassLoader)
      */
     public static Class<?> forName(String name, ClassLoader classLoader)
-            throws ClassNotFoundException, LinkageError {
+        throws ClassNotFoundException, LinkageError {
 
         Class<?> clazz = resolvePrimitiveClassName(name);
         if (clazz != null) {
@@ -244,7 +244,7 @@ public static Class<?> forName(String name, ClassLoader classLoader)
             String elementClassName = null;
             if (internalArrayMarker == 0) {
                 elementClassName = name
-                        .substring(INTERNAL_ARRAY_PREFIX.length(), name.length() - 1);
+                    .substring(INTERNAL_ARRAY_PREFIX.length(), name.length() - 1);
             } else if (name.startsWith("[")) {
                 elementClassName = name.substring(1);
             }
@@ -354,7 +354,7 @@ public static Object convertPrimitive(FrameworkModel frameworkModel, Class<?> ty
      */
     public static boolean isTypeMatch(Class<?> type, String value) {
         if ((type == boolean.class || type == Boolean.class)
-                && !("true".equals(value) || "false".equals(value))) {
+            && !("true".equals(value) || "false".equals(value))) {
             return false;
         }
         return true;
@@ -408,18 +408,18 @@ public static Set<Class<?>> getAllInterfaces(Class<?> type, Predicate<Class<?>>.
             if (isNotEmpty(interfaces)) {
                 // add current interfaces
                 Arrays.stream(interfaces)
-                        .filter(resolved::add)
-                        .forEach(cls -> {
-                            allInterfaces.add(cls);
-                            waitResolve.add(cls);
-                        });
+                    .filter(resolved::add)
+                    .forEach(cls -> {
+                        allInterfaces.add(cls);
+                        waitResolve.add(cls);
+                    });
             }
 
             // add all super classes to waitResolve
             getAllSuperClasses(clazz)
-                    .stream()
-                    .filter(resolved::add)
-                    .forEach(waitResolve::add);
+                .stream()
+                .filter(resolved::add)
+                .forEach(waitResolve::add);
 
             clazz = waitResolve.poll();
         }
@@ -535,7 +535,7 @@ public static String[] getMethodNames(Class<?> tClass) {
         }
         Method[] methods = Arrays.stream(tClass.getMethods())
             .collect(Collectors.toList())
-            .toArray(new Method[] {});
+            .toArray(new Method[]{});
         List<String> mns = new ArrayList<>(); // method names.
         boolean hasMethod = hasMethods(methods);
         if (hasMethod) {
@@ -551,6 +551,44 @@ public static String[] getMethodNames(Class<?> tClass) {
         return mns.toArray(new String[0]);
     }
 
+    public static boolean isMatch(Class<?> from, Class<?> to) {
+        if (from == to) {
+            return true;
+        }
+        boolean isMatch;
+        if (from.isPrimitive()) {
+            isMatch = matchPrimitive(from, to);
+        } else if (to.isPrimitive()) {
+            isMatch = matchPrimitive(to, from);
+        } else {
+            isMatch = to.isAssignableFrom(from);
+        }
+        return isMatch;
+    }
+
+    private static boolean matchPrimitive(Class<?> from, Class<?> to) {
+        if (from == boolean.class) {
+            return to == Boolean.class;
+        } else if (from == byte.class) {
+            return  to == Byte.class;
+        } else if (from == char.class) {
+            return  to == Character.class;
+        } else if (from == short.class) {
+            return  to == Short.class;
+        } else if (from == int.class) {
+            return  to == Integer.class;
+        } else if (from == long.class) {
+            return  to == Long.class;
+        } else if (from == float.class) {
+            return  to == Float.class;
+        } else if (from == double.class) {
+            return  to == Double.class;
+        } else if (from == void.class) {
+            return  to == Void.class;
+        }
+        return false;
+    }
+
     /**
      * get method name array.
      *
@@ -562,7 +600,7 @@ public static String[] getDeclaredMethodNames(Class<?> tClass) {
         }
         Method[] methods = Arrays.stream(tClass.getMethods())
             .collect(Collectors.toList())
-            .toArray(new Method[] {});
+            .toArray(new Method[]{});
         List<String> dmns = new ArrayList<>(); // method names.
         boolean hasMethod = hasMethods(methods);
         if (hasMethod) {

dubbo-dependencies-bom/pom.xml

@@ -100,7 +100,7 @@
         <httpclient_version>4.5.13</httpclient_version>
         <httpcore_version>4.4.6</httpcore_version>
         <fastjson_version>1.2.83</fastjson_version>
-        <fastjson2_version>2.0.23</fastjson2_version>
+        <fastjson2_version>2.0.27</fastjson2_version>
         <zookeeper_version>3.4.14</zookeeper_version>
         <curator_version>4.2.0</curator_version>
         <curator_test_version>2.12.0</curator_test_version>

dubbo-remoting/dubbo-remoting-api/src/main/java/org/apache/dubbo/remoting/exchange/codec/ExchangeCodec.java

@@ -414,7 +414,7 @@ protected void encodeData(ObjectOutput out, Object data) throws IOException {
     }
 
     private void encodeEventData(ObjectOutput out, Object data) throws IOException {
-        out.writeEvent(data);
+        out.writeEvent((String) data);
     }
 
     @Deprecated

dubbo-remoting/dubbo-remoting-api/src/test/java/org/apache/dubbo/remoting/codec/ExchangeCodecTest.java

@@ -37,6 +37,7 @@
 
 import org.junit.jupiter.api.Assertions;
 import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Disabled;
 import org.junit.jupiter.api.Test;
 import org.mockito.Mockito;
 
@@ -261,6 +262,7 @@ public void test_Decode_Return_Response_Error() throws IOException {
     }
 
     @Test
+    @Disabled("Event should not be object.")
     void test_Decode_Return_Request_Event_Object() throws IOException {
         //|10011111|20-stats=ok|id=0|length=0
         byte[] header = new byte[]{MAGIC_HIGH, MAGIC_LOW, (byte) (SERIALIZATION_BYTE | (byte) 0xe0), 20, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
@@ -306,6 +308,7 @@ void test_Decode_Return_Request_Heartbeat_Object() throws IOException {
     }
 
     @Test
+    @Disabled("Event should not be object.")
     void test_Decode_Return_Request_Object() throws IOException {
         //|10011111|20-stats=ok|id=0|length=0
         byte[] header = new byte[]{MAGIC_HIGH, MAGIC_LOW, (byte) (SERIALIZATION_BYTE | (byte) 0xe0), 20, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
@@ -393,6 +396,7 @@ void test_Encode_Request() throws IOException {
     }
 
     @Test
+    @Disabled("Event should not be object.")
     void test_Encode_Response() throws IOException {
         DefaultFuture future = DefaultFuture.newFuture(Mockito.mock(Channel.class), new Request(1001), 100000, null);
 

dubbo-serialization/dubbo-serialization-api/src/main/java/org/apache/dubbo/common/serialize/ObjectInput.java

@@ -78,8 +78,8 @@ default Throwable readThrowable() throws IOException, ClassNotFoundException {
         return (Throwable) obj;
     }
 
-    default Object readEvent() throws IOException, ClassNotFoundException {
-        return readObject();
+    default String readEvent() throws IOException, ClassNotFoundException {
+        return readUTF();
     }
 
     default Map<String, Object> readAttachments() throws IOException, ClassNotFoundException {

dubbo-serialization/dubbo-serialization-api/src/main/java/org/apache/dubbo/common/serialize/ObjectOutput.java

@@ -45,11 +45,11 @@ public interface ObjectOutput extends DataOutput {
      * restricting the content of headers / attachments to Ascii strings and uses ISO_8859_1 to encode them.
      * https://tools.ietf.org/html/rfc7540#section-8.1.2
      */
-    default void writeThrowable(Object obj) throws IOException {
+    default void writeThrowable(Throwable obj) throws IOException {
         writeObject(obj);
     }
 
-    default void writeEvent(Object data) throws IOException {
+    default void writeEvent(String data) throws IOException {
         writeObject(data);
     }
 

dubbo-serialization/dubbo-serialization-fastjson2/pom.xml

@@ -45,5 +45,4 @@ limitations under the License.
             <artifactId>fastjson2</artifactId>
         </dependency>
     </dependencies>
-
 </project>

dubbo-serialization/dubbo-serialization-fastjson2/src/main/java/org/apache/dubbo/common/serialize/fastjson2/FastJson2ObjectInput.java

@@ -16,15 +16,16 @@
  */
 package org.apache.dubbo.common.serialize.fastjson2;
 
-import java.io.IOException;
-import java.io.InputStream;
-import java.lang.reflect.Type;
-
 import org.apache.dubbo.common.serialize.ObjectInput;
+import org.apache.dubbo.common.utils.ClassUtils;
 
 import com.alibaba.fastjson2.JSONB;
 import com.alibaba.fastjson2.JSONReader;
 
+import java.io.IOException;
+import java.io.InputStream;
+import java.lang.reflect.Type;
+
 /**
  * FastJson object input implementation
  */
@@ -112,22 +113,28 @@ public <T> T readObject(Class<T> cls) throws IOException {
             throw new IllegalArgumentException("deserialize failed. expected read length: " + length + " but actual read: " + read);
         }
         Fastjson2SecurityManager.Handler securityFilter = fastjson2SecurityManager.getSecurityFilter();
+        T result;
         if (securityFilter.isCheckSerializable()) {
-            return (T) JSONB.parseObject(bytes, Object.class, securityFilter,
+            result = JSONB.parseObject(bytes, cls, securityFilter,
                 JSONReader.Feature.UseDefaultConstructorAsPossible,
                 JSONReader.Feature.ErrorOnNoneSerializable,
+                JSONReader.Feature.IgnoreAutoTypeNotMatch,
                 JSONReader.Feature.UseNativeObject,
                 JSONReader.Feature.FieldBased);
         } else {
-            return (T) JSONB.parseObject(bytes, Object.class, securityFilter,
+            result = JSONB.parseObject(bytes, cls, securityFilter,
                 JSONReader.Feature.UseDefaultConstructorAsPossible,
                 JSONReader.Feature.UseNativeObject,
+                JSONReader.Feature.IgnoreAutoTypeNotMatch,
                 JSONReader.Feature.FieldBased);
         }
+        if (result != null && cls != null && !ClassUtils.isMatch(result.getClass(), cls)) {
+            throw new IllegalArgumentException("deserialize failed. expected class: " + cls + " but actual class: " + result.getClass());
+        }
+        return result;
     }
 
     @Override
-    @SuppressWarnings("unchecked")
     public <T> T readObject(Class<T> cls, Type type) throws IOException, ClassNotFoundException {
         updateClassLoaderIfNeed();
         int length = readLength();
@@ -137,18 +144,25 @@ public <T> T readObject(Class<T> cls, Type type) throws IOException, ClassNotFou
             throw new IllegalArgumentException("deserialize failed. expected read length: " + length + " but actual read: " + read);
         }
         Fastjson2SecurityManager.Handler securityFilter = fastjson2SecurityManager.getSecurityFilter();
+        T result;
         if (securityFilter.isCheckSerializable()) {
-            return (T) JSONB.parseObject(bytes, Object.class, securityFilter,
+            result = JSONB.parseObject(bytes, cls, securityFilter,
                 JSONReader.Feature.UseDefaultConstructorAsPossible,
                 JSONReader.Feature.ErrorOnNoneSerializable,
+                JSONReader.Feature.IgnoreAutoTypeNotMatch,
                 JSONReader.Feature.UseNativeObject,
                 JSONReader.Feature.FieldBased);
         } else {
-            return (T) JSONB.parseObject(bytes, Object.class, securityFilter,
+            result = JSONB.parseObject(bytes, cls, securityFilter,
                 JSONReader.Feature.UseDefaultConstructorAsPossible,
                 JSONReader.Feature.UseNativeObject,
+                JSONReader.Feature.IgnoreAutoTypeNotMatch,
                 JSONReader.Feature.FieldBased);
         }
+        if (result != null && cls != null && !ClassUtils.isMatch(result.getClass(), cls)) {
+            throw new IllegalArgumentException("deserialize failed. expected class: " + cls + " but actual class: " + result.getClass());
+        }
+        return result;
     }
 
     private void updateClassLoaderIfNeed() {

dubbo-serialization/dubbo-serialization-fastjson2/src/test/java/com/example/test/TestPojo.java

@@ -0,0 +1,46 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.example.test;
+
+import java.io.Serializable;
+import java.util.Objects;
+
+public class TestPojo implements Serializable {
+    private final String data;
+
+    public TestPojo(String data) {
+        this.data = data;
+    }
+
+    @Override
+    public String toString() {
+        throw new IllegalAccessError();
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) return true;
+        if (o == null || getClass() != o.getClass()) return false;
+        TestPojo testPojo = (TestPojo) o;
+        return Objects.equals(data, testPojo.data);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(data);
+    }
+}