[Bug] [Serialization Security] Serialized class java.lang.ArithmeticException is not in allow list. #14193

Closed
3 of 4 tasks
songxiaosheng opened this issue May 15, 2024 · 6 comments
Labels
component/need-triage Need maintainers to triage type/need-triage Need maintainers to triage

Comments

@songxiaosheng
Member

Pre-check

  • I am sure that all the content I provide is in English.

Search before asking

  • I had searched in the issues and found no similar issues.

Apache Dubbo Component

Java SDK (apache/dubbo)

Dubbo Version

dubbo-3.3.0-beta.3-SNAPSHOT.jar

Steps to reproduce this issue

When I upgrade to dubbo-3.3.0-beta.3-SNAPSHOT.jar it shows this error; I think it is violent and incompatible.

Wrapped by: java.util.concurrent.ExecutionException: org.apache.dubbo.remoting.RemotingException: java.io.IOException: org.apache.dubbo.common.serialize.SerializationException: java.lang.IllegalArgumentException: [Serialization Security] Serialized class java.lang.ArithmeticException is not in allow list. Current mode is `STRICT`, will disallow to deserialize it by default. Please add it into security/serialize.allowlist or follow FAQ to configure it.
java.io.IOException: org.apache.dubbo.common.serialize.SerializationException: java.lang.IllegalArgumentException: [Serialization Security] Serialized class java.lang.ArithmeticException is not in allow list. Current mode is `STRICT`, will disallow to deserialize it by default. Please add it into security/serialize.allowlist or follow FAQ to configure it.
	at org.apache.dubbo.common.serialize.DefaultSerializationExceptionWrapper.handleToIOException(DefaultSerializationExceptionWrapper.java:353)
	at org.apache.dubbo.common.serialize.DefaultSerializationExceptionWrapper.access$000(DefaultSerializationExceptionWrapper.java:27)
	at org.apache.dubbo.common.serialize.DefaultSerializationExceptionWrapper$ProxyObjectInput.readThrowable(DefaultSerializationExceptionWrapper.java:181)
	at org.apache.dubbo.rpc.protocol.dubbo.DecodeableRpcResult.handleException(DecodeableRpcResult.java:186)
	at org.apache.dubbo.rpc.protocol.dubbo.DecodeableRpcResult.decode(DecodeableRpcResult.java:114)
	at org.apache.dubbo.rpc.protocol.dubbo.DecodeableRpcResult.decode(DecodeableRpcResult.java:153)
	at org.apache.dubbo.remoting.transport.DecodeHandler.decode(DecodeHandler.java:61)
	at org.apache.dubbo.remoting.transport.DecodeHandler.received(DecodeHandler.java:49)
	at org.apache.dubbo.remoting.transport.dispatcher.ChannelEventRunnable.run(ChannelEventRunnable.java:64)
	at org.apache.dubbo.common.threadpool.ThreadlessExecutor$RunnableWrapper.run(ThreadlessExecutor.java:151)
	at org.apache.dubbo.common.threadpool.ThreadlessExecutor.waitAndDrain(ThreadlessExecutor.java:77)

What you expected to happen

The upgrade package version should not directly cause incompatible errors. Can this check be turned off by default?

Anything else

No response

Are you willing to submit a pull request to fix on your own?

  • Yes I am willing to submit a pull request on my own!

@songxiaosheng songxiaosheng added type/need-triage Need maintainers to triage component/need-triage Need maintainers to triage labels May 15, 2024
@songxiaosheng songxiaosheng changed the title [Bug] [Bug] [Serialization Security] Serialized class java.lang.ArithmeticException is not in allow list. May 15, 2024
@AlbumenJ
Member

Please add it into the default allow list

@songxiaosheng
Member Author

Please add it into the default allow list

Can we consider a blacklist mechanism? Originally, the code did not need to be added, but after upgrading, it needs to be added one by one, which can easily lead to difficulties in upgrading.

@AlbumenJ
Member

Please add it into the default allow list

Can we consider a blacklist mechanism? Originally, the code did not need to be added, but after upgrading, it needs to be added one by one, which can easily lead to difficulties in upgrading.

No, a blacklist cannot resolve the serialization risk. Security is more important than usability.

@xixingya
Contributor

Maybe setting the SerializeCheckStatus mode to warn can work?

@xixingya
Contributor

Perhaps you can add the following content to the public namespace of Dubbo in the configuration center.

dubbo:
  application:
    serialize-check-status: WARN
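To make the behaviour behind the thread concrete, here is a small Python model of the allow-list gate and the STRICT/WARN/DISABLE modes discussed above. It is an added illustration, not Dubbo's own code: the allow-list file format (one fully-qualified class name per line) follows the `security/serialize.allowlist` file named in the error, the class names are constructed, and the check is simplified to exact matches.

```python
"""Model of Dubbo's serialization allow-list check (added illustration,
not Dubbo's code). Allow-list contents and class names are constructed."""
import logging
from enum import Enum

log = logging.getLogger("serialize-check")


class SerializeCheckStatus(Enum):
    STRICT = "STRICT"    # reject any class not on the allow list (default in the thread)
    WARN = "WARN"        # log the miss but allow it (the setting proposed above)
    DISABLE = "DISABLE"  # no checking at all


def parse_allowlist(text):
    """Parse the one-class-per-line allow-list format; '#' starts a comment."""
    names = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            names.add(line)
    return names


def check_class(class_name, allowlist, mode):
    """Return True if deserialization of class_name may proceed.

    In STRICT mode a class missing from the allow list raises, which is the
    failure the issue reports for java.lang.ArithmeticException. Simplified:
    exact-name match only; Dubbo's real check differs in details.
    """
    if mode is SerializeCheckStatus.DISABLE or class_name in allowlist:
        return True
    msg = (f"[Serialization Security] Serialized class {class_name} is not in "
           f"allow list. Current mode is `{mode.value}`")
    if mode is SerializeCheckStatus.STRICT:
        raise ValueError(msg + ", will disallow to deserialize it by default.")
    log.warning("%s, allowing anyway.", msg)
    return True


# Constructed sample allow list in the file's one-class-per-line format.
ALLOWLIST_TEXT = """
# security/serialize.allowlist (constructed sample)
com.example.api.OrderResult
java.lang.RuntimeException
"""
```

Adding `java.lang.ArithmeticException` to the allow list makes the STRICT check pass without relaxing the mode, which is the fix the maintainer asked for.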

@xixingya
Contributor

If there are no further issues, please close this issue. @songxiaosheng
