IOException will be thrown if the data type is java.time.LocalTime

[xiaowang-edu]

Your question

When the data type is 'java.time.LocalTime', 'com.caucho.hessian.io.java8.LocalTimeHandle' will be blacklisted and then throw an IOException. Do I need to customize the parsing for Java 8 time types?

Your scenes

Because there are many entity types in my project that use java.time.LocalTime, but looking at the source code for com.alipay.sofa:hession, there is also serialization and parsing of Java 8. I don't understand why it has to be added to the blacklist again.
I really hope I can get your help, thank you.

Your advice

I hope to be able to use the serialization parser of Java 8 type that comes with com.alipay.sofa:hession.

Environment

• SOFARPC version:5.12.0
• JVM version:1.8
• OS version:Windows10
• Maven version:3.8.8
• IDE version:2020.1.4
• protocols：bolt + hessian2

[Jiiiiiin]

com.alipay.sofa.rpc.core.exception.SofaRpcException: com.alipay.remoting.exception.SerializationException: java.io.IOException: Class com.caucho.hessian.io.java8.LocalDateHandle is in blacklist. 
	at com.alipay.sofa.rpc.transport.bolt.BoltClientTransport.convertToRpcException(BoltClientTransport.java:344)
	at com.alipay.sofa.rpc.transport.bolt.BoltClientTransport.syncSend(BoltClientTransport.java:259)
	at com.alipay.sofa.rpc.client.AbstractCluster.doSendMsg(AbstractCluster.java:613)
	at com.alipay.sofa.rpc.client.AbstractCluster.sendMsg(AbstractCluster.java:584)
	at com.alipay.sofa.rpc.filter.ConsumerInvoker.invoke(ConsumerInvoker.java:63)
	at com.alipay.sofa.rpc.filter.ConsumerCustomHeaderFilter.invoke(ConsumerCustomHeaderFilter.java:47)
	at com.alipay.sofa.rpc.filter.FilterInvoker.invoke(FilterInvoker.java:100)
	at com.alipay.sofa.rpc.filter.PressureMarkTransformFilter.invoke(PressureMarkTransformFilter.java:63)
	at com.alipay.sofa.rpc.filter.FilterInvoker.invoke(FilterInvoker.java:100)
	at io.opentelemetry.javaagent.instrumentation.sofarpc.SofaRpcServerFilter.invoke(SofaRpcServerFilter.java:44)
	at io.opentelemetry.javaagent.instrumentation.sofarpc.OpenTelemetryFilter.invoke(OpenTelemetryFilter.java:28)
	at com.alipay.sofa.rpc.filter.FilterInvoker.invoke(FilterInvoker.java:100)
...

Caused by: java.io.IOException: Class com.caucho.hessian.io.java8.LocalDateHandle is in blacklist. 
	at com.alipay.hessian.NameBlackListFilter.resolve(NameBlackListFilter.java:158)
	at com.alipay.hessian.ClassNameResolver.resolve(ClassNameResolver.java:99)
	at com.caucho.hessian.io.SerializerFactory.getSerializer(SerializerFactory.java:190)
	... 130 common frames omitted

相同问题：

SOFARPC version:5.13.1
JVM version:1.8

能否指导一下如何“本地配置自定义blacklist” 给予上游同步一些准备时间；

[nobodyiam]

It appears that there is overridden logic you may use.

sofa-rpc/codec/codec-api/src/main/java/com/alipay/sofa/rpc/codec/common/BlackAndWhiteListFileLoader.java

Lines 50 to 73 in 7150804

	public static List<String> loadBlackListFile(String path) {
	List<String> blackPrefixList = new ArrayList<>();
	InputStream input = null;
	try {
	input = BlackAndWhiteListFileLoader.class.getResourceAsStream(path);
	if (input != null) {
	readToList(input, "UTF-8", blackPrefixList);
	}
	String overStr = SofaConfigs.getOrCustomDefault(SERIALIZE_BLACKLIST_OVERRIDE, "");
	if (StringUtils.isNotBlank(overStr)) {
	if (LOGGER.isInfoEnabled()) {
	LOGGER.info("Serialize blacklist will override with configuration: {}", overStr);
	}
	overrideBlackList(blackPrefixList, overStr);
	}
	} catch (Exception e) {
	if (LOGGER.isErrorEnabled()) {
	LOGGER.error(e.getMessage(), e);
	}
	} finally {
	closeQuietly(input);
	}
	return blackPrefixList;
	}

[Jiiiiiin]

@nobodyiam 谢谢老师
原来作者已经给出方法：

    @Test
    public void overrideBlackList() {
        List<String> origin = buildOriginList();
        BlackAndWhiteListFileLoader.overrideBlackList(origin, "-*");
        Assert.assertTrue(origin.size() == 0);
        origin = buildOriginList();
        BlackAndWhiteListFileLoader.overrideBlackList(origin, "!*");
        Assert.assertTrue(origin.size() == 0);
        origin = buildOriginList();
        BlackAndWhiteListFileLoader.overrideBlackList(origin, "-default");
        Assert.assertTrue(origin.size() == 0);
        origin = buildOriginList();
        BlackAndWhiteListFileLoader.overrideBlackList(origin, "!default");
        Assert.assertTrue(origin.size() == 0);

        origin = buildOriginList();
        BlackAndWhiteListFileLoader.overrideBlackList(origin, "-*,-com.xxx");
        Assert.assertTrue(origin.size() == 0);

        origin = buildOriginList();
        BlackAndWhiteListFileLoader.overrideBlackList(origin, "aaa,-*,-com.xxx");
        Assert.assertTrue(origin.size() == 1);
        origin = buildOriginList();
        BlackAndWhiteListFileLoader.overrideBlackList(origin, "-*,aaa");
        Assert.assertTrue(origin.size() == 1);

        origin = buildOriginList();
        BlackAndWhiteListFileLoader.overrideBlackList(origin, "-com.xxx");
        Assert.assertTrue(origin.size() == 2);

        origin = buildOriginList();
        BlackAndWhiteListFileLoader.overrideBlackList(origin, "-com.xxx,-com.yyy");
        Assert.assertTrue(origin.size() == 1);

        origin = buildOriginList();
        BlackAndWhiteListFileLoader.overrideBlackList(origin, "com.xxx,-com.yyy");
        Assert.assertTrue(origin.size() == 2);
        origin = buildOriginList();
        BlackAndWhiteListFileLoader.overrideBlackList(origin, "com.aaa,-com.yyy");
        // ...
}

[Jiiiiiin]

@nobodyiam 老师看到关联项目一直有在做安全相关处理，支持只定义也在其中，Fix hessian sec issue for 4 #33 ，但又一下几个问题请教：

• 关联项目 sofa-hessian 本来就是对 hessian的一种扩展，为何黑名单直接包含了其 gourp-id？我看上面这个 fix 最开始仅仅把 com.caucho.hessian.test.TestCons 列入其内，背后的逻辑描述是：增加序列化黑名单（来自蚂蚁金服安全团队）
  不知道哪里能查询到具体的安全风险点？然后下游应用才好针对性的进行自评，否则一个漏洞风险，或者一个隐势（非编译器报错）的生产环境报错，可能整个应用技术栈就被质疑。

也就是风险相关虽然可以检索收集，但是如果官方（不单单是 rpc 而是整个 sofa-boot）有一个明细就更好了

不好意思看到了：https://github.com/sofastack/sofa-rpc/security

另外补充几个：

1. CVE-2023-3635
2. CVE-2024-9622