optimize: optimize fury deserialization (#7498)

GoodBoyCoder · web-flow · commit d2a18aef82c0 · 2025-07-05T23:18:31.000+08:00
diff --git a/changes/en-us/2.x.md b/changes/en-us/2.x.md
@@ -31,6 +31,7 @@ Add changes here for all PR submitted to the 2.x branch.
 - [[#7356](https://github.com/apache/incubator-seata/pull/7356)] fix codecov bug
 - [[#7370](https://github.com/apache/incubator-seata/pull/7370)] fix ISSUE_TEMPLATE not work
 - [[#7397](https://github.com/apache/incubator-seata/pull/7397)] Resolve NullPointer and port binding errors
+- [[#7498](https://github.com/apache/incubator-seata/pull/7498)] fix the class name whitelist check issue in fury deserialization
 
 
 ### optimize:
@@ -138,6 +139,7 @@ Thanks to these contributors for their code commits. Please report an unintended
 - [jsbxyyx](https://github.com/jsbxyyx)
 - [simzyoo](https://github.com/simzyoo)
 - [Dltmd202](https://github.com/Dltmd202)
+- [GoodBoyCoder](https://github.com/GoodBoyCoder)
 
 
 
diff --git a/changes/zh-cn/2.x.md b/changes/zh-cn/2.x.md
@@ -30,6 +30,7 @@
 - [[#7356](https://github.com/apache/incubator-seata/pull/7356)] 修复 codecov 错误
 - [[#7370](https://github.com/apache/incubator-seata/pull/7370)] 修复 ISSUE_TEMPLATE 不可用
 - [[#7397](https://github.com/apache/incubator-seata/pull/7397)] 解决空指针和端口绑定错误
+- [[#7498](https://github.com/apache/incubator-seata/pull/7498)] 修复fury反序列化的类名白名单检查问题
 
 
 ### optimize:
@@ -138,6 +139,7 @@
 - [YvCeung](https://github.com/YvCeung)
 - [jsbxyyx](https://github.com/jsbxyyx)
 - [simzyoo](https://github.com/simzyoo)
+- [GoodBoyCoder](https://github.com/GoodBoyCoder)
 
 
 同时，我们收到了社区反馈的很多有价值的issue和建议，非常感谢大家。
diff --git a/serializer/seata-serializer-fury/src/main/java/org/apache/seata/serializer/fury/FurySerializerFactory.java b/serializer/seata-serializer-fury/src/main/java/org/apache/seata/serializer/fury/FurySerializerFactory.java
@@ -21,6 +21,7 @@
 import org.apache.fury.ThreadSafeFury;
 import org.apache.fury.config.CompatibleMode;
 import org.apache.fury.config.Language;
+import org.apache.fury.resolver.AllowListChecker;
 import org.apache.seata.core.serializer.SerializerSecurityRegistry;
 
 public class FurySerializerFactory {
@@ -41,9 +42,9 @@ public class FurySerializerFactory {
                 .build();
 
         // register allow class
-        f.getClassResolver()
-                .setClassChecker((classResolver, className) ->
-                        SerializerSecurityRegistry.getAllowClassPattern().contains(className));
+        AllowListChecker checker = new AllowListChecker(AllowListChecker.CheckLevel.STRICT);
+        f.getClassResolver().setClassChecker(checker);
+        checker.allowClasses(SerializerSecurityRegistry.getAllowClassPattern());
         return f;
     });
 
