From 94a045f766abf0fe5888b1305b897d48dfad4b65 Mon Sep 17 00:00:00 2001
From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Date: Fri, 10 Apr 2026 09:22:01 +0000
Subject: [PATCH] fix: address critical security vulnerabilities

- Remove unsafe JDK deserialization serializer (CWE-502, RCE risk)
- Replace arbitrary Class.forName().newInstance() with allowlist validation (CWE-470)
- Remove debug main() methods from production classes (MsgId, MsgIdGenerator, Score)
- Remove debug print() methods from production ScriptHelper classes
- Pin JUnit dependency to 4.13.2 (was RELEASE - non-reproducible builds)
- Add null-safety check for @MessageHandlerBind annotation in ItQueueAutoConfig
- Log swallowed SecurityException/Exception in ProcessID instead of silently ignoring
- Update test files to use System.out.println after removing print() helpers

Co-Authored-By: kenlin
---
 pom.xml | 2 +-
 .../ithamal/queue/boot/ItQueueAutoConfig.java | 3 +++
 .../github/ithamal/queue/sequence/MsgId.java | 12 --------
 .../queue/sequence/MsgIdGenerator.java | 9 -------
 .../ithamal/queue/sequence/ProcessID.java | 9 +++++--
 .../github/ithamal/queue/sequence/Score.java | 26 -------------------
 .../support/redis/RedisSerializerFactory.java | 18 ++++++-------
 .../redis/list/RedisListScriptHelper.java | 14 ----------
 .../redis/zset/RedisZSetScriptHelper.java | 14 ----------
 .../list/RedisListScriptHelperTests.java | 2 +-
 .../zset/RedisZSetScriptHelperTests.java | 4 +--
 11 files changed, 23 insertions(+), 90 deletions(-)

diff --git a/pom.xml b/pom.xml
index 5a76e11..96b56f2 100644
--- a/pom.xml
+++ b/pom.xml
@@ -83,7 +83,7 @@
 junit
 junit
- RELEASE
+ 4.13.2
 test
diff --git a/src/main/java/io/github/ithamal/queue/boot/ItQueueAutoConfig.java b/src/main/java/io/github/ithamal/queue/boot/ItQueueAutoConfig.java
index 74a4b80..fbc3abd 100644
--- a/src/main/java/io/github/ithamal/queue/boot/ItQueueAutoConfig.java
+++ b/src/main/java/io/github/ithamal/queue/boot/ItQueueAutoConfig.java
@@ -103,6 +103,9 @@ public ConsumersContainerLifecycle consumersContainer(ConsumerManager consumerMa
 ConsumersContainer consumersContainer = consumersContainerLifecycle.getConsumerServer();
 for (MessageHandler handler : messageHandlerProvider.getHandlers()) {
 MessageHandlerBind annotation = getHandlerAnnotation(handler);
+ if (annotation == null) {
+ continue;
+ }
 for (String pattern : annotation.value()) {
 List consumerGroups = consumerManager.findConsumers(pattern);
 for (ConsumerGroup consumerGroup : consumerGroups) {
diff --git a/src/main/java/io/github/ithamal/queue/sequence/MsgId.java b/src/main/java/io/github/ithamal/queue/sequence/MsgId.java
index 54dce08..d43360f 100644
--- a/src/main/java/io/github/ithamal/queue/sequence/MsgId.java
+++ b/src/main/java/io/github/ithamal/queue/sequence/MsgId.java
@@ -4,7 +4,6 @@
 import java.io.Serializable;
 import java.nio.ByteBuffer;
-import java.text.SimpleDateFormat;
 import java.util.Calendar;
 import java.util.Date;
@@ -83,16 +82,5 @@ public long getValue() {
 public String toString() {
 return String.valueOf(value);
 }
-
- public static void main(String[] args) {
- System.out.println();
- long value = toLong(23,12, 31, 23, 59, 59, 16383, 0x7ffffff - 16383);
-// long value = toLong(22,10, 18, 10, 11, 12, 16383, 0x7ffffff - 16383);
- value = create(16383, 0x7ffffff - 16383).getValue();
- System.out.println(value);
- System.out.println(new SimpleDateFormat("yyyy-MM-dd HH:mm:ss").format(new MsgId(value).getTime()));
- }
-
-
 }
diff --git a/src/main/java/io/github/ithamal/queue/sequence/MsgIdGenerator.java b/src/main/java/io/github/ithamal/queue/sequence/MsgIdGenerator.java
index 490a524..327e8b4 100644
--- a/src/main/java/io/github/ithamal/queue/sequence/MsgIdGenerator.java
+++ b/src/main/java/io/github/ithamal/queue/sequence/MsgIdGenerator.java
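Review bot: The new `if (annotation == null) { continue; }` makes a handler that lacks `@MessageHandlerBind` disappear without a trace, so a misconfigured handler now presents as a consumer that never receives messages instead of a visible startup problem. Emitting a diagnostic before the `continue` keeps the null-safety while leaving evidence, e.g. `log.warn("Skipping MessageHandler {}: no @MessageHandlerBind annotation", handler.getClass().getName());` (whether ItQueueAutoConfig already has a logger field is not visible in this hunk). If a handler without the annotation is always a wiring bug rather than a supported configuration, failing fast with an `IllegalStateException` would be the stricter choice. The enclosing consumersContainer method starts and ends outside the hunk.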
@@ -24,13 +24,4 @@ public MsgId create() {
 int sequenceVal = sequenceNumber.next();
 return MsgId.fromTimestamp(timeMillis, nodeId, sequenceVal);
 }
-
- public static void main(String[] args) {
- SequenceNumber sequenceNumber = new SimpleSequenceNumber(0);
- MsgIdGenerator generator = new MsgIdGenerator(0, sequenceNumber);
- for (int i = 0; i < 1000; i++) {
- System.out.println(generator.create().getValue());
-// System.out.println(Long.toUnsignedString(generator.create().getValue()));
- }
- }
 }
diff --git a/src/main/java/io/github/ithamal/queue/sequence/ProcessID.java b/src/main/java/io/github/ithamal/queue/sequence/ProcessID.java
index 1d6fb73..7b0f8c0 100644
--- a/src/main/java/io/github/ithamal/queue/sequence/ProcessID.java
+++ b/src/main/java/io/github/ithamal/queue/sequence/ProcessID.java
@@ -1,5 +1,7 @@
 package io.github.ithamal.queue.sequence;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.springframework.util.StringUtils;
 import java.lang.management.ManagementFactory;
@@ -8,6 +10,8 @@ public class ProcessID {
+ private static final Logger logger = LoggerFactory.getLogger(ProcessID.class);
+
 private static int processId;
 static {
@@ -26,6 +30,7 @@ public String run() {
 });
 }
 } catch (SecurityException e) {
+ logger.warn("SecurityManager denied access to system property '{}'", propertiesName, e);
 }
 //没有配置gateid就取程序进程号
 if(!StringUtils.hasText(value)) {
@@ -36,9 +41,9 @@ public String run() {
 }
 try{
- processId = Integer.valueOf(value);
+ processId = Integer.parseInt(value);
 }catch(Exception e){
-
+ logger.warn("Failed to parse process ID from value '{}'", value, e);
 }
 }
diff --git a/src/main/java/io/github/ithamal/queue/sequence/Score.java b/src/main/java/io/github/ithamal/queue/sequence/Score.java
index a3a1e7e..51ef4c9 100644
--- a/src/main/java/io/github/ithamal/queue/sequence/Score.java
+++ b/src/main/java/io/github/ithamal/queue/sequence/Score.java
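Review bot: In the ProcessID parsing hunk, `catch(Exception e)` around `Integer.parseInt(value)` is still broader than the failure it handles, and the new log line does not say what happens next: `processId` keeps its field default of 0, so every JVM whose value fails to parse ends up with the same identifier. Narrow the catch to `NumberFormatException` and name the fallback in the message, e.g. `logger.warn("Failed to parse process ID from value '{}', falling back to 0", value, e);`, so that a later collision on a process-derived id can be traced to this path in the logs. If ProcessID feeds the nodeId consumed by MsgIdGenerator (plausible from the package, but not visible here), a shared 0 would make generated ids collide across processes and deserves a comment on the field. The static initializer that contains both `catch` blocks begins and ends outside the hunks.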
@@ -2,7 +2,6 @@
 import java.io.Serializable;
 import java.nio.ByteBuffer;
-import java.text.SimpleDateFormat;
 import java.util.Calendar;
 import java.util.Date;
@@ -97,30 +96,5 @@ public long getLongValue() {
 public String toString() {
 return String.valueOf(value);
 }
-
- public static void main(String[] args) throws InterruptedException {
- // 127
- double before = 0;
- for (int year = 23; year <= 23; year++) {
- double value = toDouble(year, 12, 31, 23, 59, 59, 16383, 0x7ffffff - 16383);
- System.out.println(value);
- double current = value;
- if (current <= before) {
- System.out.println("异常:" + current + "," + before);
- }
- System.out.println(new SimpleDateFormat("yyyy-MM-dd HH:mm:ss").format(new Score(value).getTime()));
- }
- for (int i = 0; i < 1000000; i++) {
- double current = Score.create(1, i).getDoubleValue();
- if (current <= before) {
- System.out.println("异常:" + current + "," + before);
- }
-// System.out.println(current);
- before = current;
- }
- System.out.println("完成");
- }
-
-
 }
diff --git a/src/main/java/io/github/ithamal/queue/support/redis/RedisSerializerFactory.java b/src/main/java/io/github/ithamal/queue/support/redis/RedisSerializerFactory.java
index a0badd8..2113f41 100644
--- a/src/main/java/io/github/ithamal/queue/support/redis/RedisSerializerFactory.java
+++ b/src/main/java/io/github/ithamal/queue/support/redis/RedisSerializerFactory.java
@@ -1,10 +1,12 @@
 package io.github.ithamal.queue.support.redis;
 import org.springframework.data.redis.serializer.GenericJackson2JsonRedisSerializer;
-import org.springframework.data.redis.serializer.JdkSerializationRedisSerializer;
 import org.springframework.data.redis.serializer.RedisSerializer;
 import org.springframework.data.redis.serializer.StringRedisSerializer;
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.Set;
 import java.util.concurrent.ConcurrentHashMap;
 /**
@@ -15,23 +17,21 @@ public class RedisSerializerFactory {
 private final static ConcurrentHashMap> serializerMap = new ConcurrentHashMap<>();
+ private static final Set ALLOWED_SERIALIZERS = new HashSet<>(Arrays.asList("string", "json"));
+
 public static RedisSerializer getSerializer(String name) {
 return serializerMap.computeIfAbsent(name, key -> {
- if (name.equals("jdk")) {
- return new JdkSerializationRedisSerializer();
- }
 if (name.equals("string")) {
 return new StringRedisSerializer();
 }
 if (name.equals("json")) {
 return new GenericJackson2JsonRedisSerializer();
 }
- try {
- return (RedisSerializer) Class.forName(name).newInstance();
- } catch (Throwable e) {
- // serialize class "x" load failed, didn't supported
- throw new RuntimeException("The serialize class '"+ name +"' failed to load as it's not supported");
+ if (!ALLOWED_SERIALIZERS.contains(name)) {
+ throw new IllegalArgumentException(
+ "Unsupported serializer '" + name + "'. Allowed values: " + ALLOWED_SERIALIZERS);
 }
+ throw new IllegalArgumentException("Unsupported serializer '" + name + "'");
 });
 }
 }
diff --git a/src/main/java/io/github/ithamal/queue/support/redis/list/RedisListScriptHelper.java b/src/main/java/io/github/ithamal/queue/support/redis/list/RedisListScriptHelper.java
index 77c90e4..d6c418c 100644
--- a/src/main/java/io/github/ithamal/queue/support/redis/list/RedisListScriptHelper.java
+++ b/src/main/java/io/github/ithamal/queue/support/redis/list/RedisListScriptHelper.java
@@ -87,18 +87,4 @@ public static long ack(RedisConnectionFactory connectionFactory,
 return connection.eval(script, ReturnType.INTEGER, 7, keysAndArgs.toArray(new byte[0][]));
 }
 }
-
- public static void print(Object result) {
- if (result instanceof List) {
- for (Object o : ((List) result)) {
- if (o instanceof byte[]) {
- System.out.println(new String((byte[]) o));
- } else {
- System.out.println(result);
- }
- }
- } else {
- System.out.println(result);
- }
- }
 }
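Review bot: In the RedisSerializerFactory hunk the `if (!ALLOWED_SERIALIZERS.contains(name))` check is dead code: both allowed names, "string" and "json", have already returned from the `equals` branches above it, so the condition is always true and the trailing `throw new IllegalArgumentException("Unsupported serializer '" + name + "'")` can never execute. Move the allowlist check to the top of the lambda and delete the trailing throw so the set is the single source of truth: `if (!ALLOWED_SERIALIZERS.contains(name)) { throw new IllegalArgumentException("Unsupported serializer '" + name + "'. Allowed values: " + ALLOWED_SERIALIZERS); }` followed by the two existing `equals` branches. Removing `Class.forName(name).newInstance()` does close the arbitrary-class instantiation, but the no-argument `GenericJackson2JsonRedisSerializer()` still enables Jackson default typing, meaning the class to instantiate is read from the stored `@class` property of each payload; if anything other than this application can write to the Redis keys being read, that path deserves the same scrutiny as the removed JDK serializer (the Spring Data Redis version, and hence its type validator, is not visible here). A short comment on the `ALLOWED_SERIALIZERS` field recording that the "jdk" option was removed deliberately would stop someone re-adding it as a convenience.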
diff --git a/src/main/java/io/github/ithamal/queue/support/redis/zset/RedisZSetScriptHelper.java b/src/main/java/io/github/ithamal/queue/support/redis/zset/RedisZSetScriptHelper.java
index db05eaa..1bd2acb 100644
--- a/src/main/java/io/github/ithamal/queue/support/redis/zset/RedisZSetScriptHelper.java
+++ b/src/main/java/io/github/ithamal/queue/support/redis/zset/RedisZSetScriptHelper.java
@@ -104,18 +104,4 @@ public static long ack(RedisConnectionFactory connectionFactory,
 return connection.eval(script, ReturnType.INTEGER, 7, keysAndArgs.toArray(new byte[0][]));
 }
 }
-
- public static void print(Object result) {
- if (result instanceof List) {
- for (Object o : ((List) result)) {
- if (o instanceof byte[]) {
- System.out.println(new String((byte[]) o));
- } else {
- System.out.println(result);
- }
- }
- } else {
- System.out.println(result);
- }
- }
 }
diff --git a/src/test/java/io/github/ithamal/queue/redis/list/RedisListScriptHelperTests.java b/src/test/java/io/github/ithamal/queue/redis/list/RedisListScriptHelperTests.java
index 1b006de..dcd5fb4 100644
--- a/src/test/java/io/github/ithamal/queue/redis/list/RedisListScriptHelperTests.java
+++ b/src/test/java/io/github/ithamal/queue/redis/list/RedisListScriptHelperTests.java
@@ -23,7 +23,7 @@ public void testPut() {
 LettuceConnectionFactory connectionFactory = createConnectionFactory();
 RedisQueueKeysBuilder keysBuilder = new RedisQueueKeysBuilder("mq:", "test");
 for (int i = 0; i < 10; i++) {
- RedisListScriptHelper.print(RedisListScriptHelper.put(connectionFactory, keysBuilder,
+ System.out.println(RedisListScriptHelper.put(connectionFactory, keysBuilder,
 String.valueOf(i).getBytes(), ("a" + i).getBytes()));
 }
 }
diff --git a/src/test/java/io/github/ithamal/queue/redis/zset/RedisZSetScriptHelperTests.java b/src/test/java/io/github/ithamal/queue/redis/zset/RedisZSetScriptHelperTests.java
index cf238e7..1362eee 100644
--- a/src/test/java/io/github/ithamal/queue/redis/zset/RedisZSetScriptHelperTests.java
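Review bot: In the RedisListScriptHelperTests hunk, `System.out.println(RedisListScriptHelper.put(...))` prints the result through `Object.toString()`; the removed `print` helper existed to decode `byte[]` elements, so if `put` still returns a `List` containing `byte[]` (its return type is not visible here) the output degrades to `[B@1a2b3c`-style references and the loop tells the reader nothing. The larger problem is that testPut still asserts nothing, so it passes whenever Redis is reachable regardless of what `put` returned; asserting on the result, for example that it is non-null and that ten puts produce ten distinct entries, would turn the removal of debug printing into an actual test. If decoded output is still wanted, use `new String(bytes, StandardCharsets.UTF_8)` rather than the platform-default charset the old helper relied on. The testPut method signature is outside the hunk.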
+++ b/src/test/java/io/github/ithamal/queue/redis/zset/RedisZSetScriptHelperTests.java
@@ -23,7 +23,7 @@ public void testSequenceId() {
 LettuceConnectionFactory connectionFactory = createConnectionFactory();
 RedisQueueKeysBuilder keysBuilder = new RedisQueueKeysBuilder("mq:", "test");
 for (int i = 0; i < 10; i++) {
- RedisZSetScriptHelper.print(RedisZSetScriptHelper.generateSequenceId(connectionFactory, keysBuilder, "a", 60));
+ System.out.println(RedisZSetScriptHelper.generateSequenceId(connectionFactory, keysBuilder, "a", 60));
 }
 }
@@ -32,7 +32,7 @@ public void testPut() {
 LettuceConnectionFactory connectionFactory = createConnectionFactory();
 RedisQueueKeysBuilder keysBuilder = new RedisQueueKeysBuilder("mq:", "test");
 for (int i = 0; i < 10; i++) {
- RedisZSetScriptHelper.print(RedisZSetScriptHelper.put(connectionFactory, keysBuilder,
+ System.out.println(RedisZSetScriptHelper.put(connectionFactory, keysBuilder,
 String.valueOf(i).getBytes(), ("a" + i).getBytes()));
 }
 }