AllowListChecker not working as expected from documentation #3530
Open
Labels
bug (Something isn't working)
Description
Search before asking
- I had searched in the issues and found no similar issues.
Version
```java
Fory f = Fory.builder()
    .withLanguage(Language.JAVA)
    .requireClassRegistration(true)
    .withRefTracking(true)
    .withRefCopy(true)
    .withNumberCompressed(false)
    .serializeEnumByName(true)
    .withClassLoader(classLoader)
    .build();
```
This is my Fory serializer setup, like the documentation, with `checker.allowClass("my.packages.*");`
But running it like this gives me the following exception:
```
[org.apache.fory.Fory:156] INFO - Created new fory org.apache.fory.Fory@4b078f28 201
org.apache.fory.exception.InsecureException: class MyUnRegisteredClassThatsInAllowList is not registered, please check whether it's the type you want to serialize or a **vulnerability**. If safe, you should invoke `Fory#register` to register class, which will have better performance by skipping classname serialization. If your env is 100% secure, you can also avoid this exception by disabling class registration check using `ForyBuilder#requireClassRegistration(false)`
```
Component(s)
JavaScript, Java
Minimal reproduce step
Serializing a class that's not registered but covered in AllowListChecker fails.
What did you expect to see?
Fory not throwing any exception.
What did you see instead?
Exception from Fory even though the class package is in AllowListChecker
Anything Else?
No response
Are you willing to submit a PR?
- I'm willing to submit a PR!