[Java][Doc] enable requireClassRegistration in example by default (#1250)

<!--
Thank you for your contribution!

Please review https://github.com/alipay/fury/blob/main/CONTRIBUTING.rst
before opening a pull request.
-->

## What do these changes do?
Disabling class registration is dangerous, we should enable class
registration by default even in doc.

<!-- Please give a short brief about these changes. -->

## Related issue number

<!-- Are there any issues opened that will be resolved by merging this
change? -->
Closes #xxxx

## Check code requirements

- [ ] tests added / passed (if needed)
- [ ] Ensure all linting tests pass, see
[here](https://github.com/alipay/fury/blob/main/CONTRIBUTING.rst) for
how to run them
chaokunyang authored Dec 26, 2023
1 parent 7c495bb commit 0ac6ec9
Showing 3 changed files with 10 additions and 7 deletions.
4 changes: 2 additions & 2 deletions README.md
Expand Up @@ -161,7 +161,7 @@ public class Example {
Fury fury = Fury.builder().withLanguage(Language.JAVA)
// Allow to deserialize objects unknown types, more flexible
// but may be insecure if the classes contains malicious code.
.requireClassRegistration(false)
.requireClassRegistration(true)
.build();
// Registering types can reduce class name serialization overhead, but not mandatory.
// If class registration enabled, all custom types must be registered.
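Review bot: The comment directly above the changed builder call still reads "Allow to deserialize objects unknown types, more flexible but may be insecure if the classes contains malicious code", which describes `requireClassRegistration(false)`, not the `true` this line now sets. Reword it to say what the new setting does (only registered custom types are accepted, per the comment two lines further down) and keep the warning for the place where disabling registration is documented.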
Expand All @@ -173,7 +173,7 @@ public class Example {
ThreadSafeFury fury = Fury.builder().withLanguage(Language.JAVA)
// Allow to deserialize objects unknown types, more flexible
// but may be insecure if the classes contains malicious code.
.requireClassRegistration(false)
.requireClassRegistration(true)
.buildThreadSafeFury();
byte[] bytes = fury.serialize(object);
System.out.println(fury.deserialize(bytes));
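Review bot: No `register` call is visible between `.buildThreadSafeFury()` and `fury.serialize(object)` in this `ThreadSafeFury` example. The README's own comment says that with class registration enabled all custom types must be registered, so if `object` is a custom type and the lines outside this hunk do not register it, the snippet no longer runs as written. Add the registration step to the example alongside the flag change.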
6 changes: 3 additions & 3 deletions docs/guide/java_object_graph_guide.md
Expand Up @@ -31,7 +31,7 @@ public class Example {
Fury fury = Fury.builder().withLanguage(Language.JAVA)
// Allow to deserialize objects unknown types, more flexible
// but may be insecure if the classes contains malicious code.
.requireClassRegistration(false)
.requireClassRegistration(true)
.build();
// Registering types can reduce class name serialization overhead, but not mandatory.
// If class registration enabled, all custom types must be registered.
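Review bot: The trailing context comment "Registering types can reduce class name serialization overhead, but not mandatory." now contradicts the line this hunk changes: with `.requireClassRegistration(true)` registration is mandatory, as the next comment line itself states. Drop "but not mandatory" or merge the two comment lines into one statement that matches the new default.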
Expand Down Expand Up @@ -82,7 +82,7 @@ public class Example {
private static final ThreadSafeFury fury = Fury.builder()
// Allow to deserialize objects unknown types, more flexible
// but may be insecure if the classes contains malicious code.
.requireClassRegistration(false)
.requireClassRegistration(true)
.buildThreadSafeFury();

public static void main(String[] args) {
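Review bot: For the shared `private static final ThreadSafeFury fury` field, registration is now required but nothing in this hunk shows where classes are registered before `main` uses the instance. Show that step for the static instance, or confirm the lines below the hunk already do, and replace the comment above the flag, which still describes the `false` behaviour.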
Expand Down Expand Up @@ -253,7 +253,7 @@ fury.getClassResolver().setClassChecker((classResolver, className) -> className.
```java
AllowListChecker checker = new AllowListChecker(AllowListChecker.CheckLevel.STRICT);
ThreadSafeFury fury = new ThreadLocalFury(classLoader -> {
Fury f = Fury.builder().requireClassRegistration(false).withClassLoader(classLoader).build();
Fury f = Fury.builder().requireClassRegistration(true).withClassLoader(classLoader).build();
f.getClassResolver().setClassChecker(checker);
checker.addListener(f.getClassResolver());
return f;
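Review bot: Flipping the flag inside the `AllowListChecker` example changes what the snippet demonstrates. The line in the hunk header sets a class checker that filters by class name, which reads as the safeguard for running with registration disabled; with `requireClassRegistration(true)` it is no longer clear what `AllowListChecker.CheckLevel.STRICT` adds. Either keep `false` in this one snippet with a comment that the checker is the compensating control, or add a sentence explaining how the checker and mandatory registration interact.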
7 changes: 5 additions & 2 deletions docs/guide/scala_guide.md
Expand Up @@ -23,15 +23,18 @@ When using fury for scala serialization, you should create fury at least with fo
```scala
val fury = Fury.builder()
.withScalaOptimizationEnabled(true)
.requireClassRegistration(false)
.requireClassRegistration(true)
.withRefTracking(true)
.build()
```
Otherwise if you serialize some scala types such as `collection/Enumeration`, you will need to register some scala internal types:
Depending on the object types you serialize, you may need to register some scala internal types:
```scala
fury.register(Class.forName("scala.collection.generic.DefaultSerializationProxy"))
fury.register(Class.forName("scala.Enumeration.Val"))
```
If you want to avoid such registration, you can disable class registration by `FuryBuilder#requireClassRegistration(false)`.
Note that this option allow to deserialize objects unknown types, more flexible but may be insecure if the classes contains malicious code.

And circular references are common in scala, `Reference tracking` should be enabled by `FuryBuilder#withRefTracking(true)`. If you don't enable reference tracking, [StackOverflowError](https://github.com/alipay/fury/issues/1032) may happen for some scala versions when serializing scala Enumeration.

Note that fury instance should be shared between multiple serialization, the creation of fury instance is not cheap.
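Review bot: The two added sentences about `FuryBuilder#requireClassRegistration(false)` carry over the ungrammatical wording "this option allow to deserialize objects unknown types" and leave the risk vague ("may be insecure if the classes contains malicious code"). Fix the grammar and state the condition directly, for example that registration should only be disabled when the serialized data comes from a trusted source. "Depending on the object types you serialize" would also be more useful if it named the types, as the replaced sentence did with `collection/Enumeration`.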