Regretfully enable serialization for StringMap and LazilyParsedNumber.

One of our favorite users (my employer!) is stuck in a sad situation where they need to serialize objects returned from Gson; this is a workable escape hatch.

gson/src/main/java/com/google/gson/internal/ConstructorConstructor.java

@@ -20,6 +20,7 @@ import com.google.gson.InstanceCreator;
 import com.google.gson.reflect.TypeToken;
 import java.lang.reflect.Constructor;
 import java.lang.reflect.InvocationTargetException;
+import java.lang.reflect.ParameterizedType;
 import java.lang.reflect.Type;
 import java.util.ArrayList;
 import java.util.Collection;
@@ -68,7 +69,7 @@ public final class ConstructorConstructor {
       return defaultConstructor;
     }
 
-    ObjectConstructor<T> defaultImplementation = newDefaultImplementationConstructor(rawType);
+    ObjectConstructor<T> defaultImplementation = newDefaultImplementationConstructor(type, rawType);
     if (defaultImplementation != null) {
       return defaultImplementation;
     }
@@ -112,7 +113,8 @@ public final class ConstructorConstructor {
    * subytpes.
    */
   @SuppressWarnings("unchecked") // use runtime checks to guarantee that 'T' is what it is
-  private <T> ObjectConstructor<T> newDefaultImplementationConstructor(Class<? super T> rawType) {
+  private <T> ObjectConstructor<T> newDefaultImplementationConstructor(
+      Type type, Class<? super T> rawType) {
     if (Collection.class.isAssignableFrom(rawType)) {
       if (SortedSet.class.isAssignableFrom(rawType)) {
         return new ObjectConstructor<T>() {
@@ -142,12 +144,20 @@ public final class ConstructorConstructor {
     }
 
     if (Map.class.isAssignableFrom(rawType)) {
-      return new ObjectConstructor<T>() {
-        public T construct() {
-          // TODO: if the map's key type is a string, should this be StringMap?
-          return (T) new LinkedHashMap<Object, Object>();
-        }
-      };
+      if (type instanceof ParameterizedType
+          && ((ParameterizedType) type).getActualTypeArguments()[0] == String.class) {
+        return new ObjectConstructor<T>() {
+          public T construct() {
+            return (T) new StringMap<Object>();
+          }
+        };
+      } else {
+        return new ObjectConstructor<T>() {
+          public T construct() {
+            return (T) new LinkedHashMap<Object, Object>();
+          }
+        };
+      }
       // TODO: SortedMap ?
     }
 

gson/src/main/java/com/google/gson/internal/LazilyParsedNumber.java

@@ -15,6 +15,8 @@
  */
 package com.google.gson.internal;
 
+import java.io.ObjectStreamException;
+import java.math.BigDecimal;
 import java.math.BigInteger;
 
 /**
@@ -66,4 +68,13 @@ public final class LazilyParsedNumber extends Number {
   public String toString() {
     return value;
   }
+
+  /**
+   * If somebody is unlucky enough to have to serialize one of these, serialize
+   * it as a BigDecimal so that they won't need Gson on the other side to
+   * deserialize it.
+   */
+  private Object writeReplace() throws ObjectStreamException {
+    return new BigDecimal(value);
+  }
 }

gson/src/main/java/com/google/gson/internal/StringMap.java

@@ -17,12 +17,15 @@
 
 package com.google.gson.internal;
 
+import java.io.ObjectStreamException;
+import java.io.Serializable;
 import java.util.AbstractCollection;
 import java.util.AbstractMap;
 import java.util.AbstractSet;
 import java.util.Arrays;
 import java.util.Collection;
 import java.util.Iterator;
+import java.util.LinkedHashMap;
 import java.util.Map;
 import java.util.NoSuchElementException;
 import java.util.Random;
@@ -35,7 +38,7 @@ import java.util.Set;
  * 
  * <p>This implementation was derived from Android 4.0's LinkedHashMap.
  */
-public final class StringMap<V> extends AbstractMap<String, V> {
+public final class StringMap<V> extends AbstractMap<String, V> implements Serializable {
   /**
    * Min capacity (other than zero) for a HashMap. Must be a power of two
    * greater than 1 (and less than 1 << 30).
@@ -405,6 +408,16 @@ public final class StringMap<V> extends AbstractMap<String, V> {
     return false; // No entry for key
   }
 
+  /**
+   * If somebody is unlucky enough to have to serialize one of these, serialize
+   * it as a LinkedHashMap so that they won't need Gson on the other side to
+   * deserialize it. Using serialization defeats our DoS defence, so most apps
+   * shouldn't use it.
+   */
+  private Object writeReplace() throws ObjectStreamException {
+    return new LinkedHashMap<String, V>(this);
+  }
+
   private abstract class LinkedHashIterator<T> implements Iterator<T> {
     LinkedEntry<V> next = header.nxt;
     LinkedEntry<V> lastReturned = null;

gson/src/test/java/com/google/gson/JavaSerializationTest.java

@@ -0,0 +1,75 @@
+/*
+ * Copyright (C) 2012 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.google.gson;
+
+import com.google.gson.reflect.TypeToken;
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.ObjectInputStream;
+import java.io.ObjectOutputStream;
+import java.lang.reflect.Type;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+import java.util.Map;
+import junit.framework.TestCase;
+
+/**
+ * Check that Gson doesn't return non-serializable data types.
+ *
+ * @author Jesse Wilson
+ */
+public final class JavaSerializationTest extends TestCase {
+  private final Gson gson = new Gson();
+
+  public void testMapIsSerializable() throws Exception {
+    Type type = new TypeToken<Map<String, Integer>>() {}.getType();
+    Map<String, Integer> map = gson.fromJson("{\"b\":1,\"c\":2,\"a\":3}", type);
+    Map<String, Integer> serialized = serializedCopy(map);
+    assertEquals(map, serialized);
+    // Also check that the iteration order is retained.
+    assertEquals(Arrays.asList("b", "c", "a"), new ArrayList<String>(serialized.keySet()));
+  }
+
+  public void testListIsSerializable() throws Exception {
+    Type type = new TypeToken<List<String>>() {}.getType();
+    List<String> list = gson.fromJson("[\"a\",\"b\",\"c\"]", type);
+    List<String> serialized = serializedCopy(list);
+    assertEquals(list, serialized);
+  }
+
+  public void testNumberIsSerializable() throws Exception {
+    Type type = new TypeToken<List<Number>>() {}.getType();
+    List<Number> list = gson.fromJson("[1,3.14,6.673e-11]", type);
+    List<Number> serialized = serializedCopy(list);
+    assertEquals(1.0, serialized.get(0).doubleValue());
+    assertEquals(3.14, serialized.get(1).doubleValue());
+    assertEquals(6.673e-11, serialized.get(2).doubleValue());
+  }
+
+  @SuppressWarnings("unchecked") // Serialization promises to return the same type.
+  private <T> T serializedCopy(T object) throws IOException, ClassNotFoundException {
+    ByteArrayOutputStream bytesOut = new ByteArrayOutputStream();
+    ObjectOutputStream out = new ObjectOutputStream(bytesOut);
+    out.writeObject(object);
+    out.close();
+    ByteArrayInputStream bytesIn = new ByteArrayInputStream(bytesOut.toByteArray());
+    ObjectInputStream in = new ObjectInputStream(bytesIn);
+    return (T) in.readObject();
+  }
+}