From 2973ada2ee6a8bb30cd2586e1341d916b73be12e Mon Sep 17 00:00:00 2001
From: Ramon Nogueira <ramon@stripe.com>
Date: Mon, 19 Apr 2021 12:59:10 -0700
Subject: [PATCH] Fix #1190 by marking RequestOptions transient

Also try to prevent similar problems in the future by checking that
we only use the reflection-based type adapter for classes in `com.stripe.`.
---
 .../com/stripe/model/StripeCollection.java    |  2 +-
 ...ApiResourceTypeAdapterFactoryProvider.java |  1 +
 .../ReflectionCheckingTypeAdapterFactory.java | 26 +++++++++++++++++++
 3 files changed, 28 insertions(+), 1 deletion(-)
 create mode 100644 src/main/java/com/stripe/net/ReflectionCheckingTypeAdapterFactory.java

diff --git a/src/main/java/com/stripe/model/StripeCollection.java b/src/main/java/com/stripe/model/StripeCollection.java
index 87865083b21..d592d4aa0c9 100644
--- a/src/main/java/com/stripe/model/StripeCollection.java
+++ b/src/main/java/com/stripe/model/StripeCollection.java
@@ -50,7 +50,7 @@ public abstract class StripeCollection<T extends HasId> extends StripeObject
 
   @Getter(onMethod_ = {@Override})
   @Setter(onMethod = @__({@Override}))
-  private RequestOptions requestOptions;
+  private transient RequestOptions requestOptions;
 
   @Getter(onMethod_ = {@Override})
   @Setter(onMethod = @__({@Override}))
diff --git a/src/main/java/com/stripe/net/ApiResourceTypeAdapterFactoryProvider.java b/src/main/java/com/stripe/net/ApiResourceTypeAdapterFactoryProvider.java
index dd8cada57e5..16076c6e931 100644
--- a/src/main/java/com/stripe/net/ApiResourceTypeAdapterFactoryProvider.java
+++ b/src/main/java/com/stripe/net/ApiResourceTypeAdapterFactoryProvider.java
@@ -18,6 +18,7 @@ final class ApiResourceTypeAdapterFactoryProvider {
     factories.add(new BalanceTransactionSourceTypeAdapterFactory());
     factories.add(new ExternalAccountTypeAdapterFactory());
     factories.add(new PaymentSourceTypeAdapterFactory());
+    factories.add(new ReflectionCheckingTypeAdapterFactory());
   }
 
   public static List<TypeAdapterFactory> getAll() {
diff --git a/src/main/java/com/stripe/net/ReflectionCheckingTypeAdapterFactory.java b/src/main/java/com/stripe/net/ReflectionCheckingTypeAdapterFactory.java
new file mode 100644
index 00000000000..c55e3c5c0b5
--- /dev/null
+++ b/src/main/java/com/stripe/net/ReflectionCheckingTypeAdapterFactory.java
@@ -0,0 +1,26 @@
+package com.stripe.net;
+
+import com.google.gson.Gson;
+import com.google.gson.TypeAdapter;
+import com.google.gson.TypeAdapterFactory;
+import com.google.gson.internal.bind.ReflectiveTypeAdapterFactory;
+import com.google.gson.reflect.TypeToken;
+
+/**
+ * {@link TypeAdapterFactory} that checks that we don't use {@link ReflectiveTypeAdapterFactory} accidentally
+ * for classes outside {@code com.stripe} packages. This usually happens when we forget to mark a field
+ * {@code transient}.
+ */
+class ReflectionCheckingTypeAdapterFactory implements TypeAdapterFactory {
+  @Override
+  public <T> TypeAdapter<T> create(Gson gson, TypeToken<T> type) {
+    if (!type.getType().getTypeName().startsWith("com.stripe.")) {
+      TypeAdapter<T> adapter = gson.getDelegateAdapter(this, type);
+      if (adapter instanceof ReflectiveTypeAdapterFactory.Adapter) {
+        throw new IllegalArgumentException(
+            "Refusing to create type reflection-based type adapter for external class: " + type);
+      }
+    }
+    return null;
+  }
+}