Open keith-turner opened 1 year ago
It has been discussed to look into using Java Records (jdk-14?) when we can to avoid the serialization issue.
It would be good to move away from java serialization in Fate. Json+Gson would be nice, or if Java records work that would be nice. While we are using java serialization it would be good to make it more strict.
Changing the overall serialization should be done in a major release. If this ticket is targeting something more narrow for 2.1 only, that might be nice. But it still may be a lot of effort without much return, if we're going to change to a safer serialization strategy anyway after 2.1/3.0, which I'd love to do for 3.1.
Describe the bug
Fate uses java serialization without any validation of the java objects read from persistent storage. Starting with Java 9 there is a new mechanism that could be used to validate objects prior to deserialization.
The following is a diff for a quick experiment I did that did not work. With the following change a sunny day IT would not run and the manager logs were full of errors. So the following is probably too strict; I did not look into why it was failing.
Expected behavior
Fate deserialization only works with a narrow set of types.
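As an added illustration (not Accumulo's code and not the experiment referenced above), this is the JDK 9+ mechanism the issue refers to, java.io.ObjectInputFilter, used as an allow-list so that an ObjectInputStream only accepts a narrow set of types and bounded object graphs. The class names in ALLOWED and the depth/reference limits are placeholders; a real Fate filter would list the types Fate actually persists.

```java
import java.io.*;
import java.util.Set;

public class StrictDeserialization {

    // Placeholder allow-list (assumption): a real filter would name the
    // classes Fate actually writes to persistent storage.
    private static final Set<String> ALLOWED = Set.of(
        "java.lang.String", "java.lang.Long", "java.lang.Integer");

    // Every class encountered while reading the stream must be on the
    // allow-list (or primitive); everything else is rejected before
    // any of its code can run. Resource limits are placeholders too.
    static ObjectInputFilter allowListFilter() {
        return info -> {
            Class<?> clazz = info.serialClass();
            if (clazz == null) {
                // Non-class checks: the JDK also reports depth/reference
                // counts here, so bound the graph size as well.
                return (info.depth() > 8 || info.references() > 100)
                    ? ObjectInputFilter.Status.REJECTED
                    : ObjectInputFilter.Status.UNDECIDED;
            }
            while (clazz.isArray()) clazz = clazz.getComponentType();
            return (clazz.isPrimitive() || ALLOWED.contains(clazz.getName()))
                ? ObjectInputFilter.Status.ALLOWED
                : ObjectInputFilter.Status.REJECTED;
        };
    }

    static Object readStrict(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(allowListFilter());
            return ois.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        System.out.println(readStrict(serialize("ok")));
        try {
            readStrict(serialize(new java.util.ArrayList<>())); // not allow-listed
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

A rejected class surfaces as InvalidClassException from readObject, which is where a stricter Fate would log and fail the operation instead of instantiating an unexpected type.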