Polish contribution

See spring-projectsgh-28075
sbrannen · Mar 29, 2022 · c8d0146 · c8d0146
1 parent 7f7fb58
commit c8d0146
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 17 deletions.
diff --git a/...rt/src/main/java/org/springframework/cache/jcache/interceptor/CacheResultInterceptor.java b/...rt/src/main/java/org/springframework/cache/jcache/interceptor/CacheResultInterceptor.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

diff --git a/spring-core/src/main/java/org/springframework/util/SerializationUtils.java b/spring-core/src/main/java/org/springframework/util/SerializationUtils.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2019 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -26,9 +26,17 @@
 import org.springframework.lang.Nullable;
 
 /**
- * Static utilities for serialization and deserialization.
+ * Static utilities for serialization and deserialization using
+ * <a href="https://docs.oracle.com/en/java/javase/17/docs/specs/serialization/"
+ * target="_blank">Java Object Serialization</a>.
+ *
+ * <p>These utilities should be used with caution. See
+ * <a href="https://www.oracle.com/java/technologies/javase/seccodeguide.html#8"
+ * target="_blank">Secure Coding Guidelines for the Java Programming Language</a>
+ * for details.
  *
  * @author Dave Syer
+ * @author Loïc Ledoyen
  * @since 3.0.5
  */
 public abstract class SerializationUtils {
@@ -58,13 +66,14 @@ public static byte[] serialize(@Nullable Object object) {
 	 * Deserialize the byte array into an object.
 	 * @param bytes a serialized object
 	 * @return the result of deserializing the bytes
-	 * @deprecated This utility uses Java's reflection, which allows arbitrary code to be
-	 * run and is known for being the source of many Remote Code Execution vulnerabilities.
-	 * <p>Prefer the use of an external tool (that serializes to JSON, XML or any other format)
-	 * which is regularly checked and updated for not allowing RCE.
+	 * @deprecated This utility uses Java Object Serialization, which allows
+	 * arbitrary code to be run and is known for being the source of many Remote
+	 * Code Execution (RCE) vulnerabilities.
+	 * <p>Prefer the use of an external tool (that serializes to JSON, XML, or
+	 * any other format) which is regularly checked and updated for not allowing RCE.
 	 */
-	@Nullable
 	@Deprecated
+	@Nullable
 	public static Object deserialize(@Nullable byte[] bytes) {
 		if (bytes == null) {
 			return null;
@@ -81,14 +90,15 @@ public static Object deserialize(@Nullable byte[] bytes) {
 	}
 
 	/**
-	 * Clone the given object using Java's serialization.
+	 * Clone the given object using Java Object Serialization.
 	 * @param object the object to clone
 	 * @param <T> the type of the object to clone
 	 * @return a clone (deep-copy) of the given object
-	 * @since 6.0.0
+	 * @since 6.0
 	 */
 	@SuppressWarnings("unchecked")
 	public static <T extends Serializable> T clone(T object) {
 		return (T) SerializationUtils.deserialize(SerializationUtils.serialize(object));
 	}
+
 }
diff --git a/spring-core/src/test/java/org/springframework/util/SerializationUtilsTests.java b/spring-core/src/test/java/org/springframework/util/SerializationUtilsTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2019 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -38,32 +38,36 @@ class SerializationUtilsTests {
 
 
 	@Test
-	void serializeCycleSunnyDay() throws Exception {
+	@SuppressWarnings("deprecation")
+	void serializeCycleSunnyDay() {
 		assertThat(SerializationUtils.deserialize(SerializationUtils.serialize("foo"))).isEqualTo("foo");
 	}
 
 	@Test
-	void deserializeUndefined() throws Exception {
+	@SuppressWarnings("deprecation")
+	void deserializeUndefined() {
 		assertThatIllegalStateException().isThrownBy(() -> SerializationUtils.deserialize(FOO.toByteArray()));
 	}
 
 	@Test
-	void serializeNonSerializable() throws Exception {
+	void serializeNonSerializable() {
 		assertThatIllegalArgumentException().isThrownBy(() -> SerializationUtils.serialize(new Object()));
 	}
 
 	@Test
-	void deserializeNonSerializable() throws Exception {
+	@SuppressWarnings("deprecation")
+	void deserializeNonSerializable() {
 		assertThatIllegalArgumentException().isThrownBy(() -> SerializationUtils.deserialize("foo".getBytes()));
 	}
 
 	@Test
-	void serializeNull() throws Exception {
+	void serializeNull() {
 		assertThat(SerializationUtils.serialize(null)).isNull();
 	}
 
 	@Test
-	void deserializeNull() throws Exception {
+	@SuppressWarnings("deprecation")
+	void deserializeNull() {
 		assertThat(SerializationUtils.deserialize(null)).isNull();
 	}
 
@@ -72,4 +76,5 @@ void cloneException() {
 		IllegalArgumentException ex = new IllegalArgumentException("foo");
 		assertThat(SerializationUtils.clone(ex)).hasMessage("foo").isNotSameAs(ex);
 	}
+
 }