sofastack · EvenLjj · Jul 19, 2023
diff --git a/.github/workflows/cloud_code_scan.yml b/.github/workflows/cloud_code_scan.yml
@@ -0,0 +1,22 @@
+name: Alipay Cloud Devops Codescan
+on:
+  pull_request_target:
+jobs:
+  stc:   #安全扫描
+    runs-on: ubuntu-latest
+    steps:
+      - name: codeScan
+        uses: layotto/alipay-cloud-devops-codescan@main
+        with:
+          parent_uid: ${{ secrets.ALI_PID }}
+          private_key: ${{ secrets.ALI_PK }}
+          scan_type: stc
+  sca:   # 开源合规
+    runs-on: ubuntu-latest
+    steps:
+      - name: codeScan
+        uses: layotto/alipay-cloud-devops-codescan@main
+        with:
+          parent_uid: ${{ secrets.ALI_PID }}
+          private_key: ${{ secrets.ALI_PK }}
+          scan_type: sca
diff --git a/.gitignore b/.gitignore
@@ -21,4 +21,6 @@ logs/
 
 #protobuf
 example/build/*
-test/test-integration/build/*
+test/test-integration/build/*
+
+registry/registry-polaris/polaris/
diff --git a/README.md b/README.md
@@ -5,6 +5,7 @@
 ![License](https://img.shields.io/badge/license-Apache--2.0-green.svg)
 [![Maven](https://img.shields.io/github/release/sofastack/sofa-rpc.svg)](https://github.com/sofastack/sofa-rpc/releases)
 [![Percentage of issues still open](https://isitmaintained.com/badge/open/sofastack/sofa-rpc.svg)](https://isitmaintained.com/project/sofastack/sofa-rpc "Percentage of issues still open")
+[![Open in CodeBlitz](https://img.shields.io/badge/Ant_Codespaces-Open_in_CodeBlitz-1677ff)](https://codeblitz.cloud.alipay.com/github/sofastack/sofa-rpc)
 
 ## Overview
 

diff --git a/README_zh_CN.md b/README_zh_CN.md
@@ -4,6 +4,7 @@
 [![Coverage Status](https://codecov.io/gh/sofastack/sofa-rpc/branch/master/graph/badge.svg)](https://codecov.io/gh/sofastack/sofa-rpc)
 ![License](https://img.shields.io/badge/license-Apache--2.0-green.svg)
 [![Maven](https://img.shields.io/github/release/sofastack/sofa-rpc.svg)](https://github.com/sofastack/sofa-rpc/releases)
+[![Open in CodeBlitz](https://img.shields.io/badge/Ant_Codespaces-Open_in_CodeBlitz-1677ff)](https://codeblitz.cloud.alipay.com/github/sofastack/sofa-rpc)
 
 SOFARPC 是一个高可扩展性、高性能、生产级的 Java RPC 框架。在蚂蚁金服 SOFARPC 已经经历了十多年及五代版本的发展。SOFARPC 致力于简化应用之间的 RPC 调用，为应用提供方便透明、稳定高效的点对点远程服务调用方案。为了用户和开发者方便的进行功能扩展，SOFARPC 提供了丰富的模型抽象和可扩展接口，包括过滤器、路由、负载均衡等等。同时围绕 SOFARPC 框架及其周边组件提供丰富的微服务治理方案。
 

diff --git a/SECURITY.md b/SECURITY.md
@@ -7,3 +7,13 @@ If you have apprehensions regarding SOFAStack's security or you discover vulnera
 In the mail, specify the description of the issue or potential threat. You are also urged to recommend the way to reproduce and replicate the issue. The SOFAStack community will get back to you after assessing and analysing the findings.
 
 PLEASE PAY ATTENTION to report the security issue on the security email before disclosing it on public domain.
+
+## Solution
+
+SOFARPC uses Hessian serialization by default. Hessian is a binary serialization protocol. For more information, please refer to Hessian's [documentation](https://github.com/sofastack/sofa-hessian).
+
+Because of the implement of Hessian, by constructing a specific serialization stream, it may cause arbitrary code execution when doing deserialization. It is recommended that users configure blacklist to solve the problem.
+
+SOFARPC also provides a way to configure blacklists in `BlackListFileLoader`, you can override the blacklist configuration based on the code.
+
+The blacklist built into the project comes from internal practices and external contributions, and is for reference only and is not actively updated, we do not assume any legal responsibility for this.
diff --git a/all/pom.xml b/all/pom.xml
@@ -6,7 +6,7 @@
 
     <groupId>com.alipay.sofa</groupId>
     <artifactId>sofa-rpc-all</artifactId>
-    <version>5.10.1</version>
+    <version>5.11.1</version>
 
 
     <name>${project.groupId}:${project.artifactId}</name>
@@ -57,21 +57,21 @@
         <project.build.sourceEncoding>utf-8</project.build.sourceEncoding>
         <slf4j.version>1.7.21</slf4j.version>
         <sofa.common.tools.version>1.3.2</sofa.common.tools.version>
-        <javassist.version>3.28.0-GA</javassist.version>
+        <javassist.version>3.29.2-GA</javassist.version>
         <netty.version>4.1.44.Final</netty.version>
-        <hessian.version>3.4.0</hessian.version>
+        <hessian.version>3.5.0</hessian.version>
         <resteasy.version>3.6.3.Final</resteasy.version>
-        <bolt.version>1.5.10</bolt.version>
+        <bolt.version>1.6.6</bolt.version>
         <tracer.version>3.0.8</tracer.version>
         <lookout.version>1.4.1</lookout.version>
         <bytebuddy.version>1.9.8</bytebuddy.version>
-        <sofa.registry.version>5.2.0</sofa.registry.version>
+        <sofa.registry.version>6.3.0</sofa.registry.version>
         <bolt.swagger.version>1.6.9</bolt.swagger.version>
         <asm.version>7.0</asm.version>
         <httpclient.version>4.5.13</httpclient.version>
         <httpcore.version>4.4.13</httpcore.version>
-        <grpc.version>1.33.1</grpc.version>
-        <guava.version>27.0-jre</guava.version>
+        <grpc.version>1.53.0</grpc.version>
+        <guava.version>32.0.0-jre</guava.version>
         <transmittable.version>2.12.1</transmittable.version>
     </properties>
 
@@ -183,6 +183,11 @@
             <artifactId>sofa-rpc-codec-jackson</artifactId>
             <version>${project.version}</version>
         </dependency>
+        <dependency>
+            <groupId>com.alipay.sofa</groupId>
+            <artifactId>sofa-rpc-codec-sofa-fury</artifactId>
+            <version>${project.version}</version>
+        </dependency>
         <dependency>
             <groupId>com.alipay.sofa</groupId>
             <artifactId>sofa-rpc-fault-tolerance</artifactId>
@@ -519,6 +524,7 @@
                                     <include>com.alipay.sofa:sofa-rpc-codec-jackson</include>
                                     <include>com.alipay.sofa:sofa-rpc-codec-msgpack</include>
                                     <include>com.alipay.sofa:sofa-rpc-codec-sofa-hessian</include>
+                                    <include>com.alipay.sofa:sofa-rpc-codec-sofa-fury</include>
                                     <include>com.alipay.sofa:sofa-rpc-fault-tolerance</include>
                                     <include>com.alipay.sofa:sofa-rpc-fault-hystrix</include>
                                     <include>com.alipay.sofa:sofa-rpc-log-common-tools</include>

diff --git a/bom/pom.xml b/bom/pom.xml
@@ -10,8 +10,8 @@
     <packaging>pom</packaging>
 
     <properties>
-        <revision>5.10.1</revision>
-        <javassist.version>3.28.0-GA</javassist.version>
+        <revision>5.11.1</revision>
+        <javassist.version>3.29.2-GA</javassist.version>
         <bytebuddy.version>1.9.8</bytebuddy.version>
         <netty.version>4.1.77.Final</netty.version>
         <!-- 3rd extends libs -->
@@ -20,25 +20,27 @@
         <jaxrs.api.version>1.0.2.Final</jaxrs.api.version>
         <cxf.version>3.4.10</cxf.version>
         <jetty.version>7.5.4.v20111024</jetty.version>
-        <curator.version>4.0.1</curator.version>
+        <zookeeper.version>3.5.7</zookeeper.version>
+        <curator.version>4.3.0</curator.version>
         <opentracing.version>0.22.0</opentracing.version>
-        <dubbo.version>2.6.9</dubbo.version>
+        <dubbo.version>3.1.8</dubbo.version>
         <nacos.version>2.0.3</nacos.version>
-        <sofa.registry.version>5.2.0</sofa.registry.version>
+        <sofa.registry.version>6.3.0</sofa.registry.version>
         <polaris.version>1.2.2</polaris.version>
         <swagger.version>1.6.9</swagger.version>
         <asm.version>7.0</asm.version>
-        <guava.version>27.0-jre</guava.version>
+        <guava.version>32.0.0-jre</guava.version>
         <prometheus.client.version>0.16.0</prometheus.client.version>
         <!-- serialization -->
-        <hessian.version>3.4.0</hessian.version>
+        <hessian.version>3.5.0</hessian.version>
         <thrift.version>0.9.2</thrift.version>
-        <protobuf.version>3.16.3</protobuf.version>
+        <protobuf.version>3.22.0</protobuf.version>
         <jackson.version>2.12.7</jackson.version>
         <jackson.databind.version>2.12.7.1</jackson.databind.version>
         <msgpack.version>0.6.12</msgpack.version>
         <protostuff.version>1.5.9</protostuff.version>
-        <grpc.version>1.33.1</grpc.version>
+        <fury.version>0.4.1</fury.version>
+        <grpc.version>1.53.0</grpc.version>
 
         <!--common-->
         <httpcore.version>4.4.13</httpcore.version>
@@ -51,7 +53,7 @@
         <!-- Test libs -->
         <junit.version>4.13.1</junit.version>
         <!-- alipay libs -->
-        <bolt.version>1.5.10</bolt.version>
+        <bolt.version>1.6.6</bolt.version>
         <sofa.common.tools.version>1.3.2</sofa.common.tools.version>
         <tracer.version>3.0.8</tracer.version>
         <lookout.version>1.4.1</lookout.version>
@@ -297,28 +299,49 @@
                 <artifactId>msgpack</artifactId>
                 <version>${msgpack.version}</version>
             </dependency>
+            <dependency>
+                <groupId>org.furyio</groupId>
+                <artifactId>fury-core</artifactId>
+                <version>${fury.version}</version>
+            </dependency>
             <!-- zk client -->
             <dependency>
                 <groupId>org.apache.curator</groupId>
-                <artifactId>curator-recipes</artifactId>
+                <artifactId>curator-framework</artifactId>
                 <version>${curator.version}</version>
+                <exclusions>
+                    <exclusion>
+                        <groupId>org.apache.zookeeper</groupId>
+                        <artifactId>zookeeper</artifactId>
+                    </exclusion>
+                </exclusions>
             </dependency>
             <dependency>
                 <groupId>org.apache.curator</groupId>
-                <artifactId>curator-test</artifactId>
+                <artifactId>curator-x-discovery</artifactId>
                 <version>${curator.version}</version>
-                <scope>test</scope>
                 <exclusions>
                     <exclusion>
-                        <artifactId>zookeeper</artifactId>
                         <groupId>org.apache.zookeeper</groupId>
+                        <artifactId>zookeeper</artifactId>
+                    </exclusion>
+                </exclusions>
+            </dependency>
+            <dependency>
+                <groupId>org.apache.zookeeper</groupId>
+                <artifactId>zookeeper</artifactId>
+                <version>${zookeeper.version}</version>
+                <exclusions>
+                    <exclusion>
+                        <groupId>io.netty</groupId>
+                        <artifactId>netty</artifactId>
                     </exclusion>
                 </exclusions>
             </dependency>
 
             <!--dubbo-->
             <dependency>
-                <groupId>com.alibaba</groupId>
+                <groupId>org.apache.dubbo</groupId>
                 <artifactId>dubbo</artifactId>
                 <version>${dubbo.version}</version>
                 <exclusions>
@@ -492,6 +515,18 @@
             </dependency>
 
             <!-- Test libs -->
+            <dependency>
+                <groupId>org.apache.curator</groupId>
+                <artifactId>curator-test</artifactId>
+                <version>${curator.version}</version>
+                <exclusions>
+                    <exclusion>
+                        <groupId>org.apache.zookeeper</groupId>
+                        <artifactId>zookeeper</artifactId>
+                    </exclusion>
+                </exclusions>
+                <scope>test</scope>
+            </dependency>
             <dependency>
                 <groupId>junit</groupId>
                 <artifactId>junit</artifactId>
@@ -514,7 +549,7 @@
             <dependency>
                 <groupId>io.netty</groupId>
                 <artifactId>netty-tcnative-boringssl-static</artifactId>
-                <version>2.0.25.Final</version>
+                <version>2.0.59.Final</version>
                 <classifier>${os.detected.classifier}</classifier>
             </dependency>
             <dependency>
@@ -557,6 +592,12 @@
                 <version>${prometheus.client.version}</version>
                 <scope>test</scope>
             </dependency>
+            <dependency>
+                <groupId>io.prometheus</groupId>
+                <artifactId>simpleclient_hotspot</artifactId>
+                <version>0.16.0</version>
+                <scope>test</scope>
+            </dependency>
         </dependencies>
     </dependencyManagement>
 

diff --git a/bootstrap/bootstrap-dubbo/pom.xml b/bootstrap/bootstrap-dubbo/pom.xml
@@ -20,7 +20,7 @@
         </dependency>
 
         <dependency>
-            <groupId>com.alibaba</groupId>
+            <groupId>org.apache.dubbo</groupId>
             <artifactId>dubbo</artifactId>
         </dependency>
         <dependency>

diff --git a/...strap-dubbo/src/main/java/com/alipay/sofa/rpc/bootstrap/dubbo/DubboConsumerBootstrap.java b/...strap-dubbo/src/main/java/com/alipay/sofa/rpc/bootstrap/dubbo/DubboConsumerBootstrap.java
@@ -16,7 +16,7 @@
  */
 package com.alipay.sofa.rpc.bootstrap.dubbo;
 
-import com.alibaba.dubbo.config.ReferenceConfig;
+import org.apache.dubbo.config.ReferenceConfig;
 import com.alipay.sofa.rpc.bootstrap.ConsumerBootstrap;
 import com.alipay.sofa.rpc.client.Cluster;
 import com.alipay.sofa.rpc.client.ProviderGroup;
@@ -100,7 +100,7 @@ private void copyCommon(ConsumerConfig<T> consumerConfig, ReferenceConfig<T> ref
 
     private void copyApplication(ConsumerConfig<T> consumerConfig, ReferenceConfig<T> referenceConfig) {
         ApplicationConfig applicationConfig = consumerConfig.getApplication();
-        com.alibaba.dubbo.config.ApplicationConfig dubboConfig = new com.alibaba.dubbo.config.ApplicationConfig();
+        org.apache.dubbo.config.ApplicationConfig dubboConfig = new org.apache.dubbo.config.ApplicationConfig();
         dubboConfig.setName(applicationConfig.getAppName());
         referenceConfig.setApplication(dubboConfig);
     }
@@ -140,11 +140,10 @@ private void copyConsumer(ConsumerConfig<T> consumerConfig, ReferenceConfig<T> r
     private void copyMethods(ConsumerConfig<T> consumerConfig, ReferenceConfig<T> referenceConfig) {
         Map<String, MethodConfig> methodConfigs = consumerConfig.getMethods();
         if (CommonUtils.isNotEmpty(methodConfigs)) {
-            List<com.alibaba.dubbo.config.MethodConfig> dubboMethodConfigs =
-                    new ArrayList<com.alibaba.dubbo.config.MethodConfig>();
+            List<org.apache.dubbo.config.MethodConfig> dubboMethodConfigs = new ArrayList<>();
             for (Map.Entry<String, MethodConfig> entry : methodConfigs.entrySet()) {
                 MethodConfig methodConfig = entry.getValue();
-                com.alibaba.dubbo.config.MethodConfig dubboMethodConfig = new com.alibaba.dubbo.config.MethodConfig();
+                org.apache.dubbo.config.MethodConfig dubboMethodConfig = new org.apache.dubbo.config.MethodConfig();
                 dubboMethodConfig.setName(methodConfig.getName());
                 dubboMethodConfig.setParameters(methodConfig.getParameters());
                 dubboMethodConfig.setTimeout(methodConfig.getTimeout());

diff --git a/...rap/bootstrap-dubbo/src/main/java/com/alipay/sofa/rpc/bootstrap/dubbo/DubboConvertor.java b/...rap/bootstrap-dubbo/src/main/java/com/alipay/sofa/rpc/bootstrap/dubbo/DubboConvertor.java
@@ -29,19 +29,18 @@
 public class DubboConvertor {
 
     public static void copyRegistries(com.alipay.sofa.rpc.config.AbstractInterfaceConfig sofaConfig,
-                                      com.alibaba.dubbo.config.AbstractInterfaceConfig dubboConfig) {
+                                      org.apache.dubbo.config.AbstractInterfaceConfig dubboConfig) {
         List<RegistryConfig> registryConfigs = sofaConfig.getRegistry();
         if (CommonUtils.isNotEmpty(registryConfigs)) {
-            List<com.alibaba.dubbo.config.RegistryConfig> dubboRegistryConfigs =
-                    new ArrayList<com.alibaba.dubbo.config.RegistryConfig>();
+            List<org.apache.dubbo.config.RegistryConfig> dubboRegistryConfigs = new ArrayList<>();
             for (RegistryConfig registryConfig : registryConfigs) {
                 // 生成并丢到缓存里
-                com.alibaba.dubbo.config.RegistryConfig dubboRegistryConfig = DubboSingleton.REGISTRY_MAP
+                org.apache.dubbo.config.RegistryConfig dubboRegistryConfig = DubboSingleton.REGISTRY_MAP
                     .get(registryConfig);
                 if (dubboRegistryConfig == null) {
-                    dubboRegistryConfig = new com.alibaba.dubbo.config.RegistryConfig();
+                    dubboRegistryConfig = new org.apache.dubbo.config.RegistryConfig();
                     copyRegistryFields(registryConfig, dubboRegistryConfig);
-                    com.alibaba.dubbo.config.RegistryConfig old = DubboSingleton.REGISTRY_MAP.putIfAbsent(
+                    org.apache.dubbo.config.RegistryConfig old = DubboSingleton.REGISTRY_MAP.putIfAbsent(
                         registryConfig, dubboRegistryConfig);
                     if (old != null) {
                         dubboRegistryConfig = old;
@@ -58,7 +57,7 @@ public static void copyRegistries(com.alipay.sofa.rpc.config.AbstractInterfaceCo
     }
 
     public static void copyRegistryFields(com.alipay.sofa.rpc.config.RegistryConfig sofaRegistryConfig,
-                                          com.alibaba.dubbo.config.RegistryConfig dubboRegistryConfig) {
+                                          org.apache.dubbo.config.RegistryConfig dubboRegistryConfig) {
         dubboRegistryConfig.setAddress(sofaRegistryConfig.getAddress());
         dubboRegistryConfig.setProtocol(sofaRegistryConfig.getProtocol());
         dubboRegistryConfig.setRegister(sofaRegistryConfig.isRegister());

diff --git a/...strap-dubbo/src/main/java/com/alipay/sofa/rpc/bootstrap/dubbo/DubboProviderBootstrap.java b/...strap-dubbo/src/main/java/com/alipay/sofa/rpc/bootstrap/dubbo/DubboProviderBootstrap.java
@@ -16,8 +16,8 @@
  */
 package com.alipay.sofa.rpc.bootstrap.dubbo;
 
-import com.alibaba.dubbo.config.ProtocolConfig;
-import com.alibaba.dubbo.config.ServiceConfig;
+import org.apache.dubbo.config.ProtocolConfig;
+import org.apache.dubbo.config.ServiceConfig;
 import com.alipay.sofa.rpc.bootstrap.ProviderBootstrap;
 import com.alipay.sofa.rpc.common.RpcConstants;
 import com.alipay.sofa.rpc.common.Version;

diff --git a/...rap/bootstrap-dubbo/src/main/java/com/alipay/sofa/rpc/bootstrap/dubbo/DubboSingleton.java b/...rap/bootstrap-dubbo/src/main/java/com/alipay/sofa/rpc/bootstrap/dubbo/DubboSingleton.java
@@ -16,12 +16,12 @@
  */
 package com.alipay.sofa.rpc.bootstrap.dubbo;
 
-import com.alibaba.dubbo.config.DubboShutdownHook;
-import com.alibaba.dubbo.config.ProtocolConfig;
+import org.apache.dubbo.config.ProtocolConfig;
 import com.alipay.sofa.rpc.base.Destroyable;
 import com.alipay.sofa.rpc.config.RegistryConfig;
 import com.alipay.sofa.rpc.config.ServerConfig;
 import com.alipay.sofa.rpc.context.RpcRuntimeContext;
+import org.apache.dubbo.rpc.model.FrameworkModel;
 
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.concurrent.ConcurrentMap;
@@ -50,17 +50,17 @@ public void postDestroy() {
     /**
      * sofa.SeverConfig --> dubbo.ProtocolConfig
      */
-    final static ConcurrentMap<ServerConfig, ProtocolConfig>                            SERVER_MAP   = new ConcurrentHashMap<ServerConfig, ProtocolConfig>();
+    final static ConcurrentMap<ServerConfig, ProtocolConfig>                           SERVER_MAP   = new ConcurrentHashMap<>();
 
     /**
      * sofa.RegistryConfig --> dubbo.RegistryConfig
      */
-    final static ConcurrentMap<RegistryConfig, com.alibaba.dubbo.config.RegistryConfig> REGISTRY_MAP = new ConcurrentHashMap<RegistryConfig, com.alibaba.dubbo.config.RegistryConfig>();
+    final static ConcurrentMap<RegistryConfig, org.apache.dubbo.config.RegistryConfig> REGISTRY_MAP = new ConcurrentHashMap<>();
 
     /**
      * Destroy all dubbo resources
      */
     public static void destroyAll() {
-        DubboShutdownHook.getDubboShutdownHook().destroyAll();
+        FrameworkModel.defaultModel().destroy();
     }
 }