Polish contribution

See gh-28075
This commit is contained in:
Sam Brannen 2022-03-29 13:39:40 +02:00
parent 7f7fb58dd0
commit c8d0146bcc
3 changed files with 32 additions and 17 deletions


@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2018 the original author or authors. * Copyright 2002-2022 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.


@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2019 the original author or authors. * Copyright 2002-2022 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -26,9 +26,17 @@ import java.io.Serializable;
import org.springframework.lang.Nullable; import org.springframework.lang.Nullable;
/** /**
* Static utilities for serialization and deserialization. * Static utilities for serialization and deserialization using
* <a href="https://docs.oracle.com/en/java/javase/17/docs/specs/serialization/"
* target="_blank">Java Object Serialization</a>.
*
* <p>These utilities should be used with caution. See
* <a href="https://www.oracle.com/java/technologies/javase/seccodeguide.html#8"
* target="_blank">Secure Coding Guidelines for the Java Programming Language</a>
* for details.
* *
* @author Dave Syer * @author Dave Syer
* @author Loïc Ledoyen
* @since 3.0.5 * @since 3.0.5
*/ */
public abstract class SerializationUtils { public abstract class SerializationUtils {
@ -58,13 +66,14 @@ public abstract class SerializationUtils {
* Deserialize the byte array into an object. * Deserialize the byte array into an object.
* @param bytes a serialized object * @param bytes a serialized object
* @return the result of deserializing the bytes * @return the result of deserializing the bytes
* @deprecated This utility uses Java's reflection, which allows arbitrary code to be * @deprecated This utility uses Java Object Serialization, which allows
* run and is known for being the source of many Remote Code Execution vulnerabilities. * arbitrary code to be run and is known for being the source of many Remote
* <p>Prefer the use of an external tool (that serializes to JSON, XML or any other format) * Code Execution (RCE) vulnerabilities.
* which is regularly checked and updated for not allowing RCE. * <p>Prefer the use of an external tool (that serializes to JSON, XML, or
* any other format) which is regularly checked and updated for not allowing RCE.
*/ */
@Nullable
@Deprecated @Deprecated
@Nullable
public static Object deserialize(@Nullable byte[] bytes) { public static Object deserialize(@Nullable byte[] bytes) {
if (bytes == null) { if (bytes == null) {
return null; return null;
@ -81,14 +90,15 @@ public abstract class SerializationUtils {
} }
/** /**
* Clone the given object using Java's serialization. * Clone the given object using Java Object Serialization.
* @param object the object to clone * @param object the object to clone
* @param <T> the type of the object to clone * @param <T> the type of the object to clone
* @return a clone (deep-copy) of the given object * @return a clone (deep-copy) of the given object
* @since 6.0.0 * @since 6.0
*/ */
@SuppressWarnings("unchecked") @SuppressWarnings("unchecked")
public static <T extends Serializable> T clone(T object) { public static <T extends Serializable> T clone(T object) {
return (T) SerializationUtils.deserialize(SerializationUtils.serialize(object)); return (T) SerializationUtils.deserialize(SerializationUtils.serialize(object));
} }
} }
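Review bot: `clone` is the one non-deprecated public entry point in this file that still routes through the deprecated `deserialize` (its body is `deserialize(serialize(object))`), yet its new Javadoc sentence "Clone the given object using Java Object Serialization" carries none of the caution the commit adds to the class header and to `deserialize`. Because the bytes fed back in are produced in-process by `serialize(object)`, this is not deserialization of untrusted input, and saying so explicitly stops callers from either misreading the RCE warning as applying to `clone` or, conversely, assuming a deep copy is free of serialization side effects. I would add to the method Javadoc: `* <p>This round-trips the object graph through the deprecated {@link #deserialize(byte[])}. The bytes never leave the process, so no untrusted input is deserialized, but every object reachable from {@code object} must be {@link Serializable} and its serialization callbacks will run.` Whether `deserialize` installs an `ObjectInputFilter` is not visible here (its body is cut off by the hunk); if it does not, the class-level caution could name `ObjectInputFilter` as the mitigation for callers who cannot move off Java Object Serialization.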


@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2019 the original author or authors. * Copyright 2002-2022 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -38,32 +38,36 @@ class SerializationUtilsTests {
@Test @Test
void serializeCycleSunnyDay() throws Exception { @SuppressWarnings("deprecation")
void serializeCycleSunnyDay() {
assertThat(SerializationUtils.deserialize(SerializationUtils.serialize("foo"))).isEqualTo("foo"); assertThat(SerializationUtils.deserialize(SerializationUtils.serialize("foo"))).isEqualTo("foo");
} }
@Test @Test
void deserializeUndefined() throws Exception { @SuppressWarnings("deprecation")
void deserializeUndefined() {
assertThatIllegalStateException().isThrownBy(() -> SerializationUtils.deserialize(FOO.toByteArray())); assertThatIllegalStateException().isThrownBy(() -> SerializationUtils.deserialize(FOO.toByteArray()));
} }
@Test @Test
void serializeNonSerializable() throws Exception { void serializeNonSerializable() {
assertThatIllegalArgumentException().isThrownBy(() -> SerializationUtils.serialize(new Object())); assertThatIllegalArgumentException().isThrownBy(() -> SerializationUtils.serialize(new Object()));
} }
@Test @Test
void deserializeNonSerializable() throws Exception { @SuppressWarnings("deprecation")
void deserializeNonSerializable() {
assertThatIllegalArgumentException().isThrownBy(() -> SerializationUtils.deserialize("foo".getBytes())); assertThatIllegalArgumentException().isThrownBy(() -> SerializationUtils.deserialize("foo".getBytes()));
} }
@Test @Test
void serializeNull() throws Exception { void serializeNull() {
assertThat(SerializationUtils.serialize(null)).isNull(); assertThat(SerializationUtils.serialize(null)).isNull();
} }
@Test @Test
void deserializeNull() throws Exception { @SuppressWarnings("deprecation")
void deserializeNull() {
assertThat(SerializationUtils.deserialize(null)).isNull(); assertThat(SerializationUtils.deserialize(null)).isNull();
} }
@ -72,4 +76,5 @@ class SerializationUtilsTests {
IllegalArgumentException ex = new IllegalArgumentException("foo"); IllegalArgumentException ex = new IllegalArgumentException("foo");
assertThat(SerializationUtils.clone(ex)).hasMessage("foo").isNotSameAs(ex); assertThat(SerializationUtils.clone(ex)).hasMessage("foo").isNotSameAs(ex);
} }
} }
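Review bot: The four new `@SuppressWarnings("deprecation")` annotations silence the only compiler signal that these tests exercise an API the class now documents as an RCE risk, without recording why the tests are kept. A one-line comment on the first suppressed test would make the intent durable: `// deserialize() is deprecated but still backs clone(); keep these cases until it is removed`. As a minor aside on an unchanged line, `deserializeNonSerializable` still calls `"foo".getBytes()` with the platform default charset; the expected IllegalArgumentException is unlikely to depend on the charset, but `"foo".getBytes(StandardCharsets.UTF_8)` would make that explicit.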