Commit Graph

1032 Commits

Author SHA1 Message Date
Marcono1234
cbc0af867b
Improve lenient mode documentation (#2122) 2022-06-28 09:48:05 -07:00
Marcono1234
2d01d6a20f
Make Object and JsonElement deserialization iterative (#1912)
* Make Object and JsonElement deserialization iterative

Often when Object and JsonElement are deserialized the format of the JSON
data is unknown and it might come from an untrusted source. To avoid a
StackOverflowError from maliciously crafted JSON, deserialize Object and
JsonElement iteratively instead of recursively.

Concept based on 51fd2faab7
But implementation is not based on it.

* Improve imports grouping

* Address review feedback
2022-06-22 17:42:19 -07:00
Nathan Herring
d2aee6502b
Add explicit support for floats in JsonTreeWriter. (#2132)
Follow-up to comments on #2130, which introduced a new override which was not overridden by `JsonTreeWriter`. Also tweaks the doccomments for `float`, `double` and `Number` variants of `JsonWriter.value`.

Supplement to the fix for #1127.
2022-06-21 09:50:07 -07:00
Marcono1234
57225c6741
Fail when parsing invalid local date (#2134)
* Fail when parsing invalid local date

* Improve invalid date tests
2022-06-16 13:47:57 -07:00
Nathan Herring
96ab171eb4
Add explicit support for floats in JsonWriter. (#2130)
This avoids floats being treated as doubles and having an unwarranted level of precision.

Fixes #1127.
2022-06-08 15:04:42 -07:00
Marcono1234
b1c399fd62
Improve TypeToken creation validation (#2072)
* Add comments regarding multiple bounds of wildcard

* Remove WildcardType check in getCollectionElementType

The returned Type is never a wildcard due to the changes made to getSupertype
by commit b1fb9ca9a1.

* Remove redundant getRawType call from MapTypeAdapterFactory

getRawType(TypeToken.getType()) is the same as calling TypeToken.getRawType().

* Make TypeToken members private

* Remove incorrect statement about TypeToken wildcards

It is possible to use wildcards as part of the type argument, e.g.:
`new TypeToken<List<? extends CharSequence>>() {}`

* Only allow direct subclasses of TypeToken

Previously subclasses of subclasses (...) of TypeToken were allowed which
can behave incorrectly when retrieving the type argument, e.g.:

  class SubTypeToken<T> extends TypeToken<Integer> {}
  new SubTypeToken<String>() {}.getType()

This returned `String` despite the class extending TypeToken<Integer>.

* Throw exception when TypeToken captures type variable

Due to type erasure the runtime type argument for a type variable is not
available. Therefore there is no point in capturing a type variable and it
might even give a false sense of type-safety.

* Make $Gson$Types members private

* Rename $Gson$Types.getGenericSupertype parameter

Rename the method parameter to match the documentation of the method and
to be similar to getSupertype(...).

* Improve tests and handle raw TypeToken supertype better

* Make some $Gson$Types members package-private again to prevent synthetic accessors

* Remove TypeToken check for type variable

As mentioned in review comments, there are cases during serialization where
usage of the type variable is not so problematic (but still not ideal).
2022-04-19 08:20:58 -07:00
Marcono1234
4dda4ec5ba
Use diamond operator when creating generic instances (#2104) 2022-04-17 15:27:21 -07:00
Marcono1234
e82637c485
Add support for reflection access filter (#1905)
* Add support for reflection access filter

* Improve documentation

* Fix compilation errors

* Relax handling for BLOCK_ALL when invoking default constructor

* Improve handling for inherited fields

* Fix accessible test failing for static fields

* Simplify ReflectiveTypeAdapterFactory field writing

* Fix GsonBuilder changes affecting created Gson instances

* Improve documentation

* Improve handling for IllegalAccessException

For Java < 9, AccessibleObject.canAccess is not available and therefore checks
might pass even if object is not accessible, causing IllegalAccessException
later.

* Fix incorrect GsonBuilder.addReflectionAccessFilter documentation
2022-04-17 09:05:18 -07:00
Marcono1234
b5343ba96c
Add tests for enum constant toString() reading (#2080) 2022-02-21 14:53:59 -08:00
Mahmut H. Kocas
7ee3e2787f
Parsing Map<Enum,Obj> - 501 (#1950)
* Added parsing support for enum that has overridden toString() method.

* Fix a tiny formatting problem

* Fixed formatting issue

Co-authored-by: Éamonn McManus <emcmanus@google.com>
2022-02-21 13:11:43 -08:00
Marcono1234
49ddab9eeb
Add CodeQL GitHub code scanning workflow (#2076)
* Add CodeQL GitHub code scanning workflow

* Only compile main sources for code scanning

* Move test .proto  files to test sources

`annotations.proto` also seems to be only relevant for tests because the test
explicitly registers them as extensions. By default the Proto adapter does not
consider them.

* Address some code scanning findings

* Fix some more findings
2022-02-17 18:40:40 -08:00
Marcono1234
47dea2eefc
Improve error message when abstract class cannot be constructed (#1814) 2022-02-04 14:19:47 -08:00
Marcono1234
565b7a198e
Support EnumMap deserialization (#2071) 2022-02-04 07:20:32 -08:00
Marcono1234
e2e851c9bc
Add LazilyParsedNumber default adapter (#2060)
* Add LazilyParsedNumber default adapter

* Validate JsonWriter.value(Number) argument

* Fix incorrect JSON number pattern, extend tests
2022-01-28 11:26:28 -08:00
Marcono1234
710a76c8b8
Fix JsonReader.hasNext() returning true at end of document (#2061) 2022-01-27 15:59:50 -08:00
Éamonn McManus
26e08fe742
Fix a mistaken use of StringBuilder('#'). (#2052) 2022-01-12 08:58:30 -08:00
Marcono1234
73216b2ad7
Add more Gson default constants to be used by GsonBuilder (#2051) 2022-01-12 07:07:55 -08:00
Marcono1234
d38e397421
Fix ObjectTest not restoring default Locale (#2050) 2022-01-10 07:18:42 -08:00
Marcono1234
6b96a389cc
Put module-info.class into Multi-Release JAR folder (#2013)
* Put module-info.class into Multi-Release JAR folder

Uses ModiTect to place module-info.class under Multi-Release JAR folder
`META-INF/versions/9`.

* Adjust pom.xml to drop support for Java 6

* Change doclint setting

All Javadoc errors have been solved previously; doclint can now be enabled
without causing build failures.

* Improve README Java requirements
2022-01-01 12:44:39 -08:00
Marcono1234
dc28951fa7
Change target Java version to 7 (#2043)
* Change target Java version to 7

* Document Gson requirements

* Add package-info.java for `stream` package
2021-12-31 07:20:29 -08:00
Marcono1234
615c8835d3
Add GsonBuilder.disableJdkUnsafe() (#1904)
* Add GsonBuilder.disableJdkUnsafe()

* Address review feedback
2021-12-30 15:08:18 -08:00
Marcono1234
6ffcdf3029
Fix Javadoc warnings and errors (#2040) 2021-12-26 15:30:21 -08:00
yixingz3
eaf9a0342d
feat: added UPPER_CASE_WITH_UNDERSCORES in FieldNamingPolicy (#2024) 2021-11-28 09:33:22 -08:00
Éamonn McManus
6e06bf0d89 Fix for an ArrayIndexOutOfBoundsException.
The `fillBuffer` method changes `pos`, so it is incorrect to cache
its previous value.
2021-11-11 14:12:44 -05:00
Marcono1234
b0595c595b
Fix failing to serialize Collection or Map with inaccessible constructor (#1902)
* Remove UnsafeReflectionAccessor

Revert #1218

Usage of sun.misc.Unsafe to change internal AccessibleObject.override field
to suppress JPMS warnings goes against the intentions of the JPMS and does not
work anymore in newer versions, see #1540.
Therefore remove it and instead create a descriptive exception when making a
member accessible fails. If necessary users can also still use `java` command
line flags to open external modules.

* Fix failing to serialize Collection or Map with inaccessible constructor

Also remove tests which rely on Java implementation details.

* Don't keep reference to access exception of ConstructorConstructor

This also avoids a confusing stack trace, since the previously caught
exception might have had a complete unrelated stack trace.

* Remove Maven toolchain requirement

* Address review feedback

* Add back test for Security Manager
2021-11-09 07:16:35 -08:00
Marcono1234
ca2ed748ba
Fix warnings (#2014)
* Fix warnings

* Address review feedback
2021-11-07 08:43:49 -08:00
Marcono1234
a92bbf849c
Improve TreeTypeAdapter thread-safety (#1976)
* Improve TreeTypeAdapter thread-safety

Gson claims to be thread-safe so TreeTypeAdapter.delegate() might be
called by multiple threads. To guarantee that each thread sees a fully
constructed `delegate`, the field has to be `volatile`.

* Improve TreeTypeAdapter thread race comment
2021-11-01 15:13:08 -07:00
Marcono1234
deaa3a6cd9
Fix Gson.newJsonWriter ignoring lenient and HTML-safe setting (#1989)
* Improve Gson newJsonWriter and newJsonReader documentation

* Consider lenient and HTML-safe setting for Gson.newJsonWriter

* Remove empty line between imports
2021-11-01 15:11:10 -07:00
Marcono1234
e0de45ff69
Delete unused LinkedHashTreeMap (#1992)
Class seems to be unused since commit f29d5bc37b.
Gson currently only uses LinkedTreeMap.
2021-11-01 15:09:14 -07:00
Marcono1234
b4dab86b10
Make default adapters stricter; improve exception messages (#2000)
* Make default adapters stricter; improve exception messages

* Reduce scope of synchronized blocks

* Improve JsonReader.getPath / getPreviousPath Javadoc
2021-11-01 15:08:04 -07:00
Marcono1234
b3188c1132
Fix FieldNamingPolicy.upperCaseFirstLetter uppercasing non-letter (#2004) 2021-11-01 15:05:04 -07:00
Marcono1234
ba96d53bad
Fix missing bounds checks for JsonTreeReader.getPath() (#2001)
There are situations where the stack of JsonTreeReader contains a JsonArray
or JsonObject without a subsequent Iterator, for example after calling peek()
or nextName().
When JsonTreeReader.getPath() is called afterwards it therefore must not
assume that a JsonArray or JsonObject is always followed by an Iterator.

The only reason why this never caused an ArrayIndexOutOfBoundsException in
the past is because the stack has an even default size (32) so it would just
have read the next `null`.
However, if the stack had for example the default size 31, a user created a
JsonTreeReader for 16 JSON arrays nested inside each other, then called 15
times beginArray(), followed by peek() and getPath() the exception would
occur.
2021-10-25 12:14:41 -07:00
Jaroslav Tulach
ca1df7f7e0
#1981: Optional OSGi bundle's dependency on sun.misc package (#1993)
* #1981: Avoid OSGi bundle's dependency on sun.misc package

* Specify optional dependency on sun.misc.Unsafe

* Adjusting the test to sun.misc import being optional

* Using Collections.list and for loop

* Let the fail message include name of package

Co-authored-by: Marcono1234 <Marcono1234@users.noreply.github.com>

* Closing the input stream

* Dedicated assertSubstring method

Co-authored-by: Marcono1234 <Marcono1234@users.noreply.github.com>
2021-10-25 11:32:10 -07:00
Marcono1234
c54caf308c
Deprecate Gson.excluder() exposing internal Excluder class (#1986) 2021-10-25 11:28:16 -07:00
Marcono1234
e6fae590cf
Prevent Java deserialization of internal classes (#1991)
Adversaries might be able to forge data which can be abused for DoS attacks.
These classes are already writing a replacement JDK object during serialization
for a long time, so this change should not cause any issues.
2021-10-13 10:14:57 -07:00
Marcono1234
bda2e3d16a
Improve number strategy implementation (#1987)
* Fix GsonBuilder not copying number strategies from Gson

* Improve ToNumberPolicy exception messages
2021-10-11 16:14:47 -07:00
Marcono1234
cd748df712
Fix LongSerializationPolicy null handling being inconsistent with Gson (#1990)
Gson does not actually use the specified LongSerializationPolicy but instead
uses type adapters which emulate the behavior. However, previously Gson's
implementation did not match LongSerializationPolicy regarding null handling.

Because it is rather unlikely that LongSerializationPolicy has been used on
its own, this commit adjusts its implementation to match Gson's behavior
(instead of the other way around).
2021-10-11 12:34:32 -07:00
Lyubomyr Shaydariv
fe30b85224
Support arbitrary Number implementation for Object and Number deserialization (#1290)
* Object and Number type adapters number deserialization can be configured

* Change wording of ToNumberStrategy documentation

* Use inline links in doc sparingly

If the element has already been linked before, don't create a link for
every subsequent occurrence.

See also (slightly dated)
https://www.oracle.com/technical-resources/articles/java/javadoc-tool.html#inlinelinks

* Link to default to-number policies in ToNumberStrategy doc

* Reduce code duplication for deserializing Number

* Hide default factory constants of NumberTypeAdapter and ObjectTypeAdapter

This encapsulates the logic a little bit better.
Additionally refactored factory created by NumberTypeAdapter to only create
TypeAdapter once and then have factory reuse that adapter for better
performance.

Co-authored-by: Marcono1234 <Marcono1234@users.noreply.github.com>
2021-10-08 17:09:43 -07:00
Marcono1234
aa5554e69a
Don't exclude static local classes (#1969) 2021-09-17 18:12:47 -07:00
Marcono1234
f1f90313fc
Improve Maven build (#1964)
- Specify missing plugin versions
- Fix or suppress ProGuard notes and warnings
2021-09-17 17:19:50 -07:00
Éamonn McManus
c8f26dc907
Add missing calls when testing for exceptions. (#1948) 2021-08-31 15:03:45 -07:00
Éamonn McManus
1a2e58a42f
Remove an unused import. (#1947) 2021-08-31 14:55:07 -07:00
Simon Guerout
66fd2acdcf Fix formatting 2021-08-30 09:57:08 -07:00
Simon Guerout
ac14b4c197 Make the nextJsonElement more robust
Add test cases
2021-08-30 09:57:08 -07:00
Simon Guerout
62a9702385 Improve the speed of the JSON_ELEMENT TypeAdapter when the object graph has already been turned into a JsonElement 2021-08-30 09:57:08 -07:00
Éamonn McManus
69173b02ea
Merge branch 'master' into optional-sql 2021-08-24 13:41:12 -07:00
Éamonn McManus
9edaeb3b2e
Merge pull request #1909 from HiFromAjay/aj
Test cases for testing the exceptional behavior of JsonArray get... methods
2021-08-07 07:54:12 -07:00
HiFromAjay
01ab13f701 Remove unused imports [#1909, #1908] 2021-08-05 17:23:28 -06:00
YOUNG HO CHA
d8c5fcf00b Fix indentation of EnumWithObfuscatedTest 2021-08-04 12:30:07 +09:00
YOUNG HO CHA
59a8aedb37 Use SecurityManager to read enum fields 2021-08-04 12:24:55 +09:00