From bf9dea42549fa104887f8fa777a0e851434c984e Mon Sep 17 00:00:00 2001
From: Phillip Webb
Date: Wed, 27 Mar 2019 13:48:51 -0700
Subject: [PATCH] Defensively copy array returned from TypeDescriptor
Update the internal proxy used in `TypeDescriptor` so that it returns a cloned array for calls to `getDeclaredAnnotations` or `getAnnotations`.
Closes gh-22695
---
 .../org/springframework/core/convert/TypeDescriptor.java | 2 +-
 .../core/convert/TypeDescriptorTests.java | 9 ++++++++-
 2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/spring-core/src/main/java/org/springframework/core/convert/TypeDescriptor.java b/spring-core/src/main/java/org/springframework/core/convert/TypeDescriptor.java
index a5d15557308..7cf5caf9eb0 100644
--- a/spring-core/src/main/java/org/springframework/core/convert/TypeDescriptor.java
+++ b/spring-core/src/main/java/org/springframework/core/convert/TypeDescriptor.java
@@ -765,7 +765,7 @@ public class TypeDescriptor implements Serializable {
 @Override
 public Annotation[] getAnnotations() {
- return (this.annotations != null ? this.annotations : EMPTY_ANNOTATION_ARRAY);
+ return (this.annotations != null ? this.annotations.clone() : EMPTY_ANNOTATION_ARRAY);
 }
 @Override
diff --git a/spring-core/src/test/java/org/springframework/core/convert/TypeDescriptorTests.java b/spring-core/src/test/java/org/springframework/core/convert/TypeDescriptorTests.java
index f657394bfd2..86c74491c28 100644
--- a/spring-core/src/test/java/org/springframework/core/convert/TypeDescriptorTests.java
+++ b/spring-core/src/test/java/org/springframework/core/convert/TypeDescriptorTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2019 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
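Review bot: Only `getAnnotations()` is changed in the `TypeDescriptor.java` hunk, while the commit message also promises a cloned array for `getDeclaredAnnotations`. The hunk ends at the next `@Override`, whose body is not visible, so the promise holds only if that method delegates to `getAnnotations()` instead of returning `this.annotations` directly; that should be confirmed. The enclosing proxy class starts and ends outside the hunk. A why-comment on the changed line would record the intent, for example `// clone so callers cannot mutate the array backing this descriptor; the shared empty array has no elements to overwrite`.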
@@ -168,6 +168,13 @@ public class TypeDescriptorTests { assertEquals(123, t1.getAnnotation(ParameterAnnotation.class).value()); } + @Test + public void getAnnotationsReturnsClonedArray() throws Exception { + TypeDescriptor t = new TypeDescriptor(new MethodParameter(getClass().getMethod("testAnnotatedMethod", String.class), 0)); + t.getAnnotations()[0] = null; + assertNotNull(t.getAnnotations()[0]); + } + @Test public void propertyComplex() throws Exception { Property property = new Property(getClass(), getClass().getMethod("getComplexProperty"),
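Review bot: The new test `getAnnotationsReturnsClonedArray` pins only `getAnnotations()`, although the commit message also names `getDeclaredAnnotations`; if that path is reachable from the public API it deserves its own assertion, since the production hunk does not show it being changed. `assertNotNull(t.getAnnotations()[0])` proves only that the slot is non-null after the write. A stricter check captures the element first with `Annotation first = t.getAnnotations()[0];` and ends with `assertSame(first, t.getAnnotations()[0]);`, assuming `Annotation` and `assertSame` are imported in this test class. The test also relies on parameter 0 of `testAnnotatedMethod` carrying at least one annotation, which the preceding context line suggests but this hunk does not show.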