Skip to content

Commit

Permalink
Introduce warnings in documentation of SerializationUtils
Browse files Browse the repository at this point in the history
Closes gh-28246
  • Loading branch information
sbrannen committed Mar 29, 2022
1 parent d927e37 commit 3811cd4
Showing 1 changed file with 17 additions and 2 deletions.
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright 2002-2019 the original author or authors.
* Copyright 2002-2022 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
Expand All @@ -25,9 +25,18 @@
import org.springframework.lang.Nullable;

/**
* Static utilities for serialization and deserialization.
* Static utilities for serialization and deserialization using
* <a href="https://docs.oracle.com/javase/8/docs/technotes/guides/serialization/"
* target="_blank">Java Object Serialization</a>.
*
* <p><strong>WARNING</strong>: These utilities should be used with caution. See
* <a href="https://www.oracle.com/java/technologies/javase/seccodeguide.html#8"
* target="_blank">Secure Coding Guidelines for the Java Programming Language</a>
* for details.
*
* @author Dave Syer
* @author Loïc Ledoyen
* @author Sam Brannen
* @since 3.0.5
*/
public abstract class SerializationUtils {
Expand Down Expand Up @@ -55,6 +64,12 @@ public static byte[] serialize(@Nullable Object object) {

/**
* Deserialize the byte array into an object.
* <p><strong>WARNING</strong>: This utility will be deprecated in Spring
* Framework 6.0 since it uses Java Object Serialization, which allows arbitrary
* code to be run and is known for being the source of many Remote Code Execution
* (RCE) vulnerabilities. Prefer the use of an external tool (that serializes
* to JSON, XML, or any other format) which is regularly checked and updated
* for not allowing RCE.
* @param bytes a serialized object
* @return the result of deserializing the bytes
*/
Expand Down

0 comments on commit 3811cd4

Please # to comment.