parent
7f7fb58dd0
commit
c8d0146bcc
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 2002-2018 the original author or authors.
|
||||
* Copyright 2002-2022 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 2002-2019 the original author or authors.
|
||||
* Copyright 2002-2022 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
|
|
@ -26,9 +26,17 @@ import java.io.Serializable;
|
|||
import org.springframework.lang.Nullable;
|
||||
|
||||
/**
|
||||
* Static utilities for serialization and deserialization.
|
||||
* Static utilities for serialization and deserialization using
|
||||
* <a href="https://docs.oracle.com/en/java/javase/17/docs/specs/serialization/"
|
||||
* target="_blank">Java Object Serialization</a>.
|
||||
*
|
||||
* <p>These utilities should be used with caution. See
|
||||
* <a href="https://www.oracle.com/java/technologies/javase/seccodeguide.html#8"
|
||||
* target="_blank">Secure Coding Guidelines for the Java Programming Language</a>
|
||||
* for details.
|
||||
*
|
||||
* @author Dave Syer
|
||||
* @author Loïc Ledoyen
|
||||
* @since 3.0.5
|
||||
*/
|
||||
public abstract class SerializationUtils {
|
||||
|
|
@ -58,13 +66,14 @@ public abstract class SerializationUtils {
|
|||
* Deserialize the byte array into an object.
|
||||
* @param bytes a serialized object
|
||||
* @return the result of deserializing the bytes
|
||||
* @deprecated This utility uses Java's reflection, which allows arbitrary code to be
|
||||
* run and is known for being the source of many Remote Code Execution vulnerabilities.
|
||||
* <p>Prefer the use of an external tool (that serializes to JSON, XML or any other format)
|
||||
* which is regularly checked and updated for not allowing RCE.
|
||||
* @deprecated This utility uses Java Object Serialization, which allows
|
||||
* arbitrary code to be run and is known for being the source of many Remote
|
||||
* Code Execution (RCE) vulnerabilities.
|
||||
* <p>Prefer the use of an external tool (that serializes to JSON, XML, or
|
||||
* any other format) which is regularly checked and updated for not allowing RCE.
|
||||
*/
|
||||
@Nullable
|
||||
@Deprecated
|
||||
@Nullable
|
||||
public static Object deserialize(@Nullable byte[] bytes) {
|
||||
if (bytes == null) {
|
||||
return null;
|
||||
|
|
@ -81,14 +90,15 @@ public abstract class SerializationUtils {
|
|||
}
|
||||
|
||||
/**
|
||||
* Clone the given object using Java's serialization.
|
||||
* Clone the given object using Java Object Serialization.
|
||||
* @param object the object to clone
|
||||
* @param <T> the type of the object to clone
|
||||
* @return a clone (deep-copy) of the given object
|
||||
* @since 6.0.0
|
||||
* @since 6.0
|
||||
*/
|
||||
@SuppressWarnings("unchecked")
|
||||
public static <T extends Serializable> T clone(T object) {
|
||||
return (T) SerializationUtils.deserialize(SerializationUtils.serialize(object));
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
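Review bot: In the `clone` hunk, `clone` feeds `serialize(object)` straight into the now-deprecated `deserialize`, yet its refreshed Javadoc says nothing about that dependency, so a reader sees one method flagged as an RCE source and the other silent on why it is still supported. A sentence in `clone`'s Javadoc such as `* <p>Implemented as a {@link #serialize}/{@link #deserialize} round trip; the byte stream is produced in-process from the supplied object and is never read from an external source.` would make that distinction explicit. The null case is also undocumented: the test file asserts `serialize(null)` returns {@code null} and `deserialize` returns {@code null} for a null array, so `clone(null)` yields {@code null} although neither the parameter nor the return carries `@Nullable` (already imported on this file) — annotate both, or add `* @return a clone (deep-copy) of the given object, or {@code null} if it was {@code null}`. On the preceding `deserialize` hunk, the bare `@Deprecated` could state `@Deprecated(since = "6.0")`, matching the `@since 6.0` tag this commit puts on `clone`.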
|||
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 2002-2019 the original author or authors.
|
||||
* Copyright 2002-2022 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
|
|
@ -38,32 +38,36 @@ class SerializationUtilsTests {
|
|||
|
||||
|
||||
@Test
|
||||
void serializeCycleSunnyDay() throws Exception {
|
||||
@SuppressWarnings("deprecation")
|
||||
void serializeCycleSunnyDay() {
|
||||
assertThat(SerializationUtils.deserialize(SerializationUtils.serialize("foo"))).isEqualTo("foo");
|
||||
}
|
||||
|
||||
@Test
|
||||
void deserializeUndefined() throws Exception {
|
||||
@SuppressWarnings("deprecation")
|
||||
void deserializeUndefined() {
|
||||
assertThatIllegalStateException().isThrownBy(() -> SerializationUtils.deserialize(FOO.toByteArray()));
|
||||
}
|
||||
|
||||
@Test
|
||||
void serializeNonSerializable() throws Exception {
|
||||
void serializeNonSerializable() {
|
||||
assertThatIllegalArgumentException().isThrownBy(() -> SerializationUtils.serialize(new Object()));
|
||||
}
|
||||
|
||||
@Test
|
||||
void deserializeNonSerializable() throws Exception {
|
||||
@SuppressWarnings("deprecation")
|
||||
void deserializeNonSerializable() {
|
||||
assertThatIllegalArgumentException().isThrownBy(() -> SerializationUtils.deserialize("foo".getBytes()));
|
||||
}
|
||||
|
||||
@Test
|
||||
void serializeNull() throws Exception {
|
||||
void serializeNull() {
|
||||
assertThat(SerializationUtils.serialize(null)).isNull();
|
||||
}
|
||||
|
||||
@Test
|
||||
void deserializeNull() throws Exception {
|
||||
@SuppressWarnings("deprecation")
|
||||
void deserializeNull() {
|
||||
assertThat(SerializationUtils.deserialize(null)).isNull();
|
||||
}
|
||||
|
||||
|
|
@ -72,4 +76,5 @@ class SerializationUtilsTests {
|
|||
IllegalArgumentException ex = new IllegalArgumentException("foo");
|
||||
assertThat(SerializationUtils.clone(ex)).hasMessage("foo").isNotSameAs(ex);
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
|||