GitHub-Spring
/
spring-framework
mirror of https://github.com/spring-projects/spring-framework.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Polish contribution 

See gh-28075
pull/28254/head
Sam Brannen 4 years ago
parent
7f7fb58dd0
commit
c8d0146bcc
3 changed files with 32 additions and 17 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 2
      spring-context-support/src/main/java/org/springframework/cache/jcache/interceptor/CacheResultInterceptor.java
  2. 28
      spring-core/src/main/java/org/springframework/util/SerializationUtils.java
  3. 19
      spring-core/src/test/java/org/springframework/util/SerializationUtilsTests.java

2
spring-context-support/src/main/java/org/springframework/cache/jcache/interceptor/CacheResultInterceptor.java vendored
Unescape View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2018 the original author or authors. * Copyright 2002-2022 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.

28
spring-core/src/main/java/org/springframework/util/SerializationUtils.java
Unescape View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2019 the original author or authors. * Copyright 2002-2022 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -26,9 +26,17 @@ import java.io.Serializable;
import org.springframework.lang.Nullable; import org.springframework.lang.Nullable;
/** /**
* Static utilities for serialization and deserialization. * Static utilities for serialization and deserialization using
* <a href="https://docs.oracle.com/en/java/javase/17/docs/specs/serialization/"
* target="_blank">Java Object Serialization</a>.
*
* <p>These utilities should be used with caution. See
* <a href="https://www.oracle.com/java/technologies/javase/seccodeguide.html#8"
* target="_blank">Secure Coding Guidelines for the Java Programming Language</a>
* for details.
* *
* @author Dave Syer * @author Dave Syer
* @author Loïc Ledoyen
* @since 3.0.5 * @since 3.0.5
*/ */
public abstract class SerializationUtils { public abstract class SerializationUtils {
@ -58,13 +66,14 @@ public abstract class SerializationUtils {
* Deserialize the byte array into an object. * Deserialize the byte array into an object.
* @param bytes a serialized object * @param bytes a serialized object
* @return the result of deserializing the bytes * @return the result of deserializing the bytes
* @deprecated This utility uses Java's reflection, which allows arbitrary code to be * @deprecated This utility uses Java Object Serialization, which allows
* run and is known for being the source of many Remote Code Execution vulnerabilities. * arbitrary code to be run and is known for being the source of many Remote
* <p>Prefer the use of an external tool (that serializes to JSON, XML or any other format) * Code Execution (RCE) vulnerabilities.
* which is regularly checked and updated for not allowing RCE. * <p>Prefer the use of an external tool (that serializes to JSON, XML, or
* any other format) which is regularly checked and updated for not allowing RCE.
*/ */
@Nullable
@Deprecated @Deprecated
@Nullable
public static Object deserialize(@Nullable byte[] bytes) { public static Object deserialize(@Nullable byte[] bytes) {
if (bytes == null) { if (bytes == null) {
return null; return null;
@ -81,14 +90,15 @@ public abstract class SerializationUtils {
} }
/** /**
* Clone the given object using Java's serialization. * Clone the given object using Java Object Serialization.
* @param object the object to clone * @param object the object to clone
* @param <T> the type of the object to clone * @param <T> the type of the object to clone
* @return a clone (deep-copy) of the given object * @return a clone (deep-copy) of the given object
* @since 6.0.0 * @since 6.0
*/ */
@SuppressWarnings("unchecked") @SuppressWarnings("unchecked")
public static <T extends Serializable> T clone(T object) { public static <T extends Serializable> T clone(T object) {
return (T) SerializationUtils.deserialize(SerializationUtils.serialize(object)); return (T) SerializationUtils.deserialize(SerializationUtils.serialize(object));
} }
} }

19
spring-core/src/test/java/org/springframework/util/SerializationUtilsTests.java
Unescape View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2019 the original author or authors. * Copyright 2002-2022 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -38,32 +38,36 @@ class SerializationUtilsTests {
@Test @Test
void serializeCycleSunnyDay() throws Exception { @SuppressWarnings("deprecation")
void serializeCycleSunnyDay() {
assertThat(SerializationUtils.deserialize(SerializationUtils.serialize("foo"))).isEqualTo("foo"); assertThat(SerializationUtils.deserialize(SerializationUtils.serialize("foo"))).isEqualTo("foo");
} }
@Test @Test
void deserializeUndefined() throws Exception { @SuppressWarnings("deprecation")
void deserializeUndefined() {
assertThatIllegalStateException().isThrownBy(() -> SerializationUtils.deserialize(FOO.toByteArray())); assertThatIllegalStateException().isThrownBy(() -> SerializationUtils.deserialize(FOO.toByteArray()));
} }
@Test @Test
void serializeNonSerializable() throws Exception { void serializeNonSerializable() {
assertThatIllegalArgumentException().isThrownBy(() -> SerializationUtils.serialize(new Object())); assertThatIllegalArgumentException().isThrownBy(() -> SerializationUtils.serialize(new Object()));
} }
@Test @Test
void deserializeNonSerializable() throws Exception { @SuppressWarnings("deprecation")
void deserializeNonSerializable() {
assertThatIllegalArgumentException().isThrownBy(() -> SerializationUtils.deserialize("foo".getBytes())); assertThatIllegalArgumentException().isThrownBy(() -> SerializationUtils.deserialize("foo".getBytes()));
} }
@Test @Test
void serializeNull() throws Exception { void serializeNull() {
assertThat(SerializationUtils.serialize(null)).isNull(); assertThat(SerializationUtils.serialize(null)).isNull();
} }
@Test @Test
void deserializeNull() throws Exception { @SuppressWarnings("deprecation")
void deserializeNull() {
assertThat(SerializationUtils.deserialize(null)).isNull(); assertThat(SerializationUtils.deserialize(null)).isNull();
} }
@ -72,4 +76,5 @@ class SerializationUtilsTests {
IllegalArgumentException ex = new IllegalArgumentException("foo"); IllegalArgumentException ex = new IllegalArgumentException("foo");
assertThat(SerializationUtils.clone(ex)).hasMessage("foo").isNotSameAs(ex); assertThat(SerializationUtils.clone(ex)).hasMessage("foo").isNotSameAs(ex);
} }
} }

Write Preview
Loading…
Cancel
Save