From 73cf56f3a2c3e47c97388cf76972dc2ab77d54f9 Mon Sep 17 00:00:00 2001
From: Looly
Date: Tue, 28 Mar 2023 19:09:59 +0800
Subject: [PATCH] =?UTF-8?q?SerializeUtil.deserialize=E5=A2=9E=E5=8A=A0?=
 =?UTF-8?q?=E7=99=BD=E5=90=8D=E5=8D=95=E7=B1=BB=EF=BC=8C=E9=81=BF=E5=85=8D?=
 =?UTF-8?q?RCE=20vulnerability?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 CHANGELOG.md | 3 ++-
 .../main/java/cn/hutool/core/util/ObjectUtil.java | 5 +++--
 .../java/cn/hutool/core/util/SerializeUtil.java | 13 +++++++++++--
 3 files changed, 16 insertions(+), 5 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6fe309d69..f54b17698 100755
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,9 +2,10 @@
 # 🚀Changelog
 -------------------------------------------------------------------------------------------------------------
-# 5.8.17.M1 (2023-03-26)
+# 5.8.17.M1 (2023-03-28)
 ### 🐣新特性
+* 【core 】 SerializeUtil.deserialize增加白名单类,避免RCE vulnerability(issue#3021@Github)
 ### 🐞Bug修复
diff --git a/hutool-core/src/main/java/cn/hutool/core/util/ObjectUtil.java b/hutool-core/src/main/java/cn/hutool/core/util/ObjectUtil.java
index 5b1b73dc6..62d6f005a 100644
--- a/hutool-core/src/main/java/cn/hutool/core/util/ObjectUtil.java
+++ b/hutool-core/src/main/java/cn/hutool/core/util/ObjectUtil.java
@@ -588,10 +588,11 @@ public class ObjectUtil {
 *
 * @param 对象类型
 * @param bytes 反序列化的字节码
+ * @param acceptClasses 白名单的类
 * @return 反序列化后的对象
 */
- public static T deserialize(byte[] bytes) {
- return SerializeUtil.deserialize(bytes);
+ public static T deserialize(byte[] bytes, Class... acceptClasses) {
+ return SerializeUtil.deserialize(bytes, acceptClasses);
 }
 /**
diff --git a/hutool-core/src/main/java/cn/hutool/core/util/SerializeUtil.java b/hutool-core/src/main/java/cn/hutool/core/util/SerializeUtil.java
index f2c10c1ec..ae801c049 100644
--- a/hutool-core/src/main/java/cn/hutool/core/util/SerializeUtil.java
+++ b/hutool-core/src/main/java/cn/hutool/core/util/SerializeUtil.java
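Review bot: The varargs `Class... acceptClasses` keeps the old call `ObjectUtil.deserialize(bytes)` compiling unchanged, so every existing caller now passes an empty whitelist; whether that still deserializes arbitrary classes depends on how ValidateObjectInputStream treats an empty accept list, which is not part of this diff and should be confirmed before the CHANGELOG entry claims the issue is closed. The same applies to SerializeUtil.deserialize in the next file. If an empty list means no filtering, the fix only protects call sites that are updated to pass their expected classes, and the Javadoc should say so, e.g. `@param acceptClasses classes permitted to be deserialized; callers must pass the expected class(es), an empty list gives no protection`; if an empty list rejects everything, the Javadoc should instead warn that the old one-argument call now always throws.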
@@ -2,9 +2,12 @@ package cn.hutool.core.util;
 import cn.hutool.core.exceptions.UtilException;
 import cn.hutool.core.io.FastByteArrayOutputStream;
+import cn.hutool.core.io.IORuntimeException;
 import cn.hutool.core.io.IoUtil;
+import cn.hutool.core.io.ValidateObjectInputStream;
 import java.io.ByteArrayInputStream;
+import java.io.IOException;
 import java.io.Serializable;
 /**
@@ -59,9 +62,15 @@ public class SerializeUtil {
 *
 * @param 对象类型
 * @param bytes 反序列化的字节码
+ * @param acceptClasses 白名单的类
 * @return 反序列化后的对象
 */
- public static T deserialize(byte[] bytes) {
- return IoUtil.readObj(new ByteArrayInputStream(bytes));
+ public static T deserialize(byte[] bytes, Class... acceptClasses) {
+ try {
+ return IoUtil.readObj(new ValidateObjectInputStream(
+ new ByteArrayInputStream(bytes), acceptClasses));
+ } catch (IOException e) {
+ throw new IORuntimeException(e);
+ }
 }
 }
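Review bot: The commit adds no test for the rejection path of SerializeUtil.deserialize, which is the behaviour this change exists for. A test in hutool-core that serializes a small Serializable test class and asserts that `deserialize(bytes, ThatClass.class)` returns an equal object while `deserialize(bytes, String.class)` (a whitelist not containing it) throws would pin the fix. As written, a rejected class presumably reaches the new `catch (IOException e)` as an InvalidClassException and leaves the method as IORuntimeException, but that is inferred from the JDK rather than visible here, so the test should assert whichever exception type is intended and the method's Javadoc should gain a matching `@throws IORuntimeException if the stream is malformed or contains a class outside acceptClasses` line. Callers that need to tell a whitelist rejection apart from a corrupt stream cannot do so from the wrapper type alone, so keeping the cause attached (as the `new IORuntimeException(e)` does) matters and should not be simplified away later.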