Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Deprecate SerializationUtils#deserialize #28075

Closed
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -150,7 +150,7 @@ private static CacheOperationInvoker.ThrowableWrapper rewriteCallStack(
@Nullable
private static <T extends Throwable> T cloneException(T exception) {
try {
return (T) SerializationUtils.deserialize(SerializationUtils.serialize(exception));
return SerializationUtils.clone(exception);
}
catch (Exception ex) {
return null; // exception parameter cannot be cloned
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

import org.springframework.lang.Nullable;

Expand Down Expand Up @@ -57,8 +58,13 @@ public static byte[] serialize(@Nullable Object object) {
* Deserialize the byte array into an object.
* @param bytes a serialized object
* @return the result of deserializing the bytes
* @deprecated This utility uses Java's reflection, which allows arbitrary code to be
* run and is known for being the source of many Remote Code Execution vulnerabilities.
* <p>Prefer the use of an external tool (that serializes to JSON, XML or any other format)
* which is regularly checked and updated for not allowing RCE.
*/
@Nullable
@Deprecated
public static Object deserialize(@Nullable byte[] bytes) {
if (bytes == null) {
return null;
Expand All @@ -74,4 +80,15 @@ public static Object deserialize(@Nullable byte[] bytes) {
}
}

/**
* Clone the given object using Java's serialization.
* @param object the object to clone
* @param <T> the type of the object to clone
* @return a clone (deep-copy) of the given object
* @since 6.0.0
*/
@SuppressWarnings("unchecked")
public static <T extends Serializable> T clone(T object) {
return (T) SerializationUtils.deserialize(SerializationUtils.serialize(object));
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -67,4 +67,9 @@ void deserializeNull() throws Exception {
assertThat(SerializationUtils.deserialize(null)).isNull();
}

@Test
void cloneException() {
IllegalArgumentException ex = new IllegalArgumentException("foo");
assertThat(SerializationUtils.clone(ex)).hasMessage("foo").isNotSameAs(ex);
}
}