apache · funky-eyes · Aug 13, 2024 · Aug 13, 2024 · Aug 13, 2024
diff --git a/changes/en-us/2.x.md b/changes/en-us/2.x.md
@@ -51,6 +51,7 @@ Add changes here for all PR submitted to the 2.x branch.
 - [[#6743](https://github.com/apache/incubator-seata/pull/6743)] upgrade npmjs version in saga
 - [[#6746](https://github.com/apache/incubator-seata/pull/6746)] optimize compatible dependencies
 - [[#6745](https://github.com/apache/incubator-seata/pull/6745)] fix node-gyp build error on arm64 and macos
+- [[#6747](https://github.com/apache/incubator-seata/pull/6747)] optimize fastjson deserialization
 
 
 ### refactor:

diff --git a/changes/zh-cn/2.x.md b/changes/zh-cn/2.x.md
@@ -52,6 +52,7 @@
 - [[#6743](https://github.com/apache/incubator-seata/pull/6743)] 升级saga模块npmjs版本
 - [[#6746](https://github.com/apache/incubator-seata/pull/6746)] 优化 compatible 模块依赖
 - [[#6745](https://github.com/apache/incubator-seata/pull/6745)] 修复 node-gyp 在 arm64 和 macos 构建失败问题
+- [[#6747](https://github.com/apache/incubator-seata/pull/6747)] y优化 fastjson 反序列化
 
 
 

diff --git a/integration/http/src/main/java/org/apache/seata/integration/http/AbstractHttpExecutor.java b/integration/http/src/main/java/org/apache/seata/integration/http/AbstractHttpExecutor.java
@@ -16,12 +16,16 @@
  */
 package org.apache.seata.integration.http;
 
+import java.io.IOException;
+import java.util.HashMap;
+import java.util.Map;
+
 import com.alibaba.fastjson.JSON;
 import com.alibaba.fastjson.JSONException;
 import com.alibaba.fastjson.JSONObject;
+import com.alibaba.fastjson.parser.ParserConfig;
 import com.alibaba.fastjson.serializer.SerializerFeature;
-import org.apache.seata.common.util.CollectionUtils;
-import org.apache.seata.core.context.RootContext;
+
 import org.apache.http.HttpResponse;
 import org.apache.http.HttpStatus;
 import org.apache.http.client.methods.CloseableHttpResponse;
@@ -34,20 +38,23 @@
 import org.apache.http.impl.client.CloseableHttpClient;
 import org.apache.http.impl.client.HttpClients;
 import org.apache.http.util.Args;
+import org.apache.seata.common.util.CollectionUtils;
+import org.apache.seata.core.context.RootContext;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import java.io.IOException;
-import java.util.HashMap;
-import java.util.Map;
-
 /**
  * Abstract http executor.
  *
  */
 public abstract class AbstractHttpExecutor implements HttpExecutor {
 
     private static final Logger LOGGER = LoggerFactory.getLogger(AbstractHttpExecutor.class);
+    private static final ParserConfig LOCAL_CONFIG = new ParserConfig();
+
+    static {
+        LOCAL_CONFIG.setSafeMode(true);
+    }
 
     @Override
     public <T, K> K executePost(String host, String path, T paramObject, Class<K> returnType) throws IOException {
@@ -84,10 +91,15 @@ private <T> StringEntity execute(String host, String path, T paramObject) {
         if (paramObject != null) {
             String content;
             if (paramObject instanceof String) {
-                String sParam = (String) paramObject;
+                String sParam = (String)paramObject;
                 JSONObject jsonObject = null;
                 try {
-                    jsonObject = JSON.parseObject(sParam);
+                    Object obj = JSON.parse(sParam, LOCAL_CONFIG);
+                    if (obj instanceof JSONObject) {
+                        jsonObject = (JSONObject)obj;
+                    } else {
+                        jsonObject = (JSONObject)JSON.toJSON(obj);
+                    }
                     content = jsonObject.toJSONString();
                 } catch (JSONException e) {
                     //Interface provider process parse exception
@@ -99,8 +111,7 @@ private <T> StringEntity execute(String host, String path, T paramObject) {
 
             } else {
                 content = JSON.toJSONString(paramObject);
-            }
-            entity = new StringEntity(content, ContentType.APPLICATION_JSON);
+            } entity = new StringEntity(content, ContentType.APPLICATION_JSON);
         }
 
         return buildEntity(entity, paramObject);
@@ -165,11 +176,12 @@ private <K> K wrapHttpExecute(Class<K> returnType, CloseableHttpClient httpClien
 
 
     public static Map<String, String> convertParamOfBean(Object sourceParam) {
-        return CollectionUtils.toStringMap(JSON.parseObject(JSON.toJSONString(sourceParam, SerializerFeature.WriteNullStringAsEmpty, SerializerFeature.WriteMapNullValue), Map.class));
+        return CollectionUtils.toStringMap(JSON.parseObject(
+            JSON.toJSONString(sourceParam, SerializerFeature.WriteNullStringAsEmpty,
+                SerializerFeature.WriteMapNullValue), Map.class, LOCAL_CONFIG));
     }
 
-    @SuppressWarnings("lgtm[java/unsafe-deserialization]")
     public static <T> Map<String, String> convertParamOfJsonString(String jsonStr, Class<T> returnType) {
-        return convertParamOfBean(JSON.parseObject(jsonStr, returnType));
+        return convertParamOfBean(JSON.parseObject(jsonStr, returnType, LOCAL_CONFIG));
     }
 }