Merge pull request #1087 from weibocom/fix_security_issue

rayzhang0603 · web-flow · commit 4c18b71e4491 · 2025-11-24T18:37:42.000+08:00
add serialize blacklist
diff --git a/motan-core/src/main/java/com/weibo/api/motan/serialize/Hessian2Serialization.java b/motan-core/src/main/java/com/weibo/api/motan/serialize/Hessian2Serialization.java
@@ -175,6 +175,10 @@ private static SerializerFactory initDefaultSerializerFactory() {
                 classFactory.deny("sun.print.*");
                 classFactory.deny("sun.rmi.*");
                 classFactory.deny("sun.swing.*");
+                classFactory.deny("com.alibaba.citrus.springext.*");
+                classFactory.deny("com.alipay.custrelation.*");
+                classFactory.deny("com.alibaba.druid.*");
+                classFactory.deny("org.apache.catalina.tribes.*");
             } catch (Exception e) {
                 LoggerUtil.warn("Hessian2Serialization init deny list failed, please upgrade hessian to version 4.0.66 or later", e);
             }
