* Make Object and JsonElement deserialization iterative
Often when Object and JsonElement are deserialized the format of the JSON
data is unknown and it might come from an untrusted source. To avoid a
StackOverflowError from maliciously crafted JSON, deserialize Object and
JsonElement iteratively instead of recursively.
Concept based on 51fd2faab7
But implementation is not based on it.
* Improve imports grouping
* Address review feedback
Follow-up to comments on #2130, which introduced a new override which was not overridden by `JsonTreeWriter`. Also tweaks the doccomments for `float`, `double` and `Number` variants of `JsonWriter.value`.
Supplement to the fix for #1127.
* Add comments regarding multiple bounds of wildcard
* Remove WildcardType check in getCollectionElementType
The returned Type is never a wildcard due to the changes made to getSupertype
by commit b1fb9ca9a1.
* Remove redundant getRawType call from MapTypeAdapterFactory
getRawType(TypeToken.getType()) is the same as calling TypeToken.getRawType().
* Make TypeToken members private
* Remove incorrect statement about TypeToken wildcards
It is possible to use wildcards as part of the type argument, e.g.:
`new TypeToken<List<? extends CharSequence>>() {}`
* Only allow direct subclasses of TypeToken
Previously subclasses of subclasses (...) of TypeToken were allowed which
can behave incorrectly when retrieving the type argument, e.g.:
class SubTypeToken<T> extends TypeToken<Integer> {}
new SubTypeToken<String>() {}.getType()
This returned `String` despite the class extending TypeToken<Integer>.
* Throw exception when TypeToken captures type variable
Due to type erasure the runtime type argument for a type variable is not
available. Therefore there is no point in capturing a type variable and it
might even give a false sense of type-safety.
* Make $Gson$Types members private
* Rename $Gson$Types.getGenericSupertype parameter
Rename the method parameter to match the documentation of the method and
to be similar to getSupertype(...).
* Improve tests and handle raw TypeToken supertype better
* Make some $Gson$Types members package-private again to prevent synthetic accessors
* Remove TypeToken check for type variable
As mentioned in review comments, there are cases during serialization where
usage of the type variable is not so problematic (but still not ideal).
* Add support for reflection access filter
* Improve documentation
* Fix compilation errors
* Relax handling for BLOCK_ALL when invoking default constructor
* Improve handling for inherited fields
* Fix accessible test failing for static fields
* Simplify ReflectiveTypeAdapterFactory field writing
* Fix GsonBuilder changes affecting created Gson instances
* Improve documentation
* Improve handling for IllegalAccessException
For Java < 9, AccessibleObject.canAccess is not available and therefore checks
might pass even if object is not accessible, causing IllegalAccessException
later.
* Fix incorrect GsonBuilder.addReflectionAccessFilter documentation
* Added parsing support for enum that has overridden toString() method.
* Fix a tiny formatting problem
* Fixed formatting issue
Co-authored-by: Éamonn McManus <emcmanus@google.com>
* Add CodeQL GitHub code scanning workflow
* Only compile main sources for code scanning
* Move test .proto files to test sources
`annotations.proto` also seems to be only relevant for tests because the test
explicitly registers them as extensions. By default the Proto adapter does not
consider them.
* Address some code scanning findings
* Fix some more findings
* Fix consecutive Maven builds failing without performing `clean`
By default moditect-maven-plugin refuses to overwrite the JAR file it
generated in a previous run.
* Make GitHub Maven build workflow detect Javadoc issues
* Put module-info.class into Multi-Release JAR folder
Uses ModiTect to place module-info.class under Multi-Release JAR folder
`META-INF/versions/9`.
* Adjust pom.xml to drop support for Java 6
* Change doclint setting
All Javadoc errors have been solved previously; doclint can now be enabled
without causing build failures.
* Improve README Java requirements
Explicitly specifying dependencies only seems to be necessary when using
`<proguardVersion>` config element to override version (and even that might
not be necessary; only adding explicit dependencies might suffice). However,
when omitting it, plugin uses a recent ProGuard version on its own.
* Remove UnsafeReflectionAccessor
Revert #1218
Usage of sun.misc.Unsafe to change internal AccessibleObject.override field
to suppress JPMS warnings goes against the intentions of the JPMS and does not
work anymore in newer versions, see #1540.
Therefore remove it and instead create a descriptive exception when making a
member accessible fails. If necessary users can also still use `java` command
line flags to open external modules.
* Fix failing to serialize Collection or Map with inaccessible constructor
Also remove tests which rely on Java implementation details.
* Don't keep reference to access exception of ConstructorConstructor
This also avoids a confusing stack trace, since the previously caught
exception might have had a complete unrelated stack trace.
* Remove Maven toolchain requirement
* Address review feedback
* Add back test for Security Manager
* Improve TreeTypeAdapter thread-safety
Gson claims to be thread-safe so TreeTypeAdapter.delegate() might be
called by multiple threads. To guarantee that each thread sees a fully
constructed `delegate`, the field has to be `volatile`.
* Improve TreeTypeAdapter thread race comment
* Improve Gson newJsonWriter and newJsonReader documentation
* Consider lenient and HTML-safe setting for Gson.newJsonWriter
* Remove empty line between imports
