AiorosXu / google-gson

Automatically exported from code.google.com/p/google-gson

GSON 2.0 causes SecurityException #382

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1.
import com.google.gson.Gson;
import com.google.gson.GsonBuilder;
import java.util.HashMap;

public abstract class GSONObject<K,V> {

    // Shared Gson instance; static fields are skipped by Gson's default exclusion anyway
    protected static transient Gson gson;
    protected HashMap<K,V> data;

    public GSONObject() {
        gson = new GsonBuilder().
            disableHtmlEscaping().
            setPrettyPrinting().
            serializeNulls().
            create();
        data = new HashMap<K,V>();
    }

    @Override
    public String toString() {
        return gson.toJson(this);
    }

    public <T> String toJson(Class<T> type) {
        return gson.toJson(this, type);
    }
}

2.
Extending GSONObject and invoking toString or toJson results in the exception

What is the expected output? What do you see instead?

Expected:
{"data":{...}}

Results Instead:
Exception in thread "main" java.lang.SecurityException: Can not make a java.lang.Class constructor accessible
    at java.lang.reflect.AccessibleObject.setAccessible0(AccessibleObject.java:139)
    at java.lang.reflect.AccessibleObject.setAccessible(AccessibleObject.java:129)
    at com.google.gson.internal.ConstructorConstructor.newDefaultConstructor(ConstructorConstructor.java:84)
    at com.google.gson.internal.ConstructorConstructor.getConstructor(ConstructorConstructor.java:66)
    at com.google.gson.internal.bind.ReflectiveTypeAdapterFactory.create(ReflectiveTypeAdapterFactory.java:64)
    at com.google.gson.internal.bind.MiniGson.getAdapter(MiniGson.java:92)
    at com.google.gson.internal.bind.CollectionTypeAdapterFactory.create(CollectionTypeAdapterFactory.java:49)
    at com.google.gson.internal.bind.MiniGson.getAdapter(MiniGson.java:92)
    at com.google.gson.internal.bind.ReflectiveTypeAdapterFactory$1.<init>(ReflectiveTypeAdapterFactory.java:75)
    at com.google.gson.internal.bind.ReflectiveTypeAdapterFactory.createBoundField(ReflectiveTypeAdapterFactory.java:74)
    at com.google.gson.internal.bind.ReflectiveTypeAdapterFactory.getBoundFields(ReflectiveTypeAdapterFactory.java:112)
    at com.google.gson.internal.bind.ReflectiveTypeAdapterFactory.create(ReflectiveTypeAdapterFactory.java:65)
    at com.google.gson.internal.bind.MiniGson.getAdapter(MiniGson.java:92)
    at com.google.gson.internal.bind.ReflectiveTypeAdapterFactory$1.<init>(ReflectiveTypeAdapterFactory.java:75)
    at com.google.gson.internal.bind.ReflectiveTypeAdapterFactory.createBoundField(ReflectiveTypeAdapterFactory.java:74)
    at com.google.gson.internal.bind.ReflectiveTypeAdapterFactory.getBoundFields(ReflectiveTypeAdapterFactory.java:112)
    at com.google.gson.internal.bind.ReflectiveTypeAdapterFactory.create(ReflectiveTypeAdapterFactory.java:65)
    at com.google.gson.internal.bind.MiniGson.getAdapter(MiniGson.java:92)
    at com.google.gson.internal.bind.ReflectiveTypeAdapterFactory$1.<init>(ReflectiveTypeAdapterFactory.java:75)
    at com.google.gson.internal.bind.ReflectiveTypeAdapterFactory.createBoundField(ReflectiveTypeAdapterFactory.java:74)
    at com.google.gson.internal.bind.ReflectiveTypeAdapterFactory.getBoundFields(ReflectiveTypeAdapterFactory.java:112)
    at com.google.gson.internal.bind.ReflectiveTypeAdapterFactory.create(ReflectiveTypeAdapterFactory.java:65)
    at com.google.gson.internal.bind.MiniGson.getAdapter(MiniGson.java:92)
    at com.google.gson.internal.bind.ReflectiveTypeAdapterFactory$1.<init>(ReflectiveTypeAdapterFactory.java:75)
    at com.google.gson.internal.bind.ReflectiveTypeAdapterFactory.createBoundField(ReflectiveTypeAdapterFactory.java:74)
    at com.google.gson.internal.bind.ReflectiveTypeAdapterFactory.getBoundFields(ReflectiveTypeAdapterFactory.java:112)
    at com.google.gson.internal.bind.ReflectiveTypeAdapterFactory.create(ReflectiveTypeAdapterFactory.java:65)
    at com.google.gson.internal.bind.MiniGson.getAdapter(MiniGson.java:92)
    at com.google.gson.internal.bind.ReflectiveTypeAdapterFactory$1.<init>(ReflectiveTypeAdapterFactory.java:75)
    at com.google.gson.internal.bind.ReflectiveTypeAdapterFactory.createBoundField(ReflectiveTypeAdapterFactory.java:74)
    at com.google.gson.internal.bind.ReflectiveTypeAdapterFactory.getBoundFields(ReflectiveTypeAdapterFactory.java:112)
    at com.google.gson.internal.bind.ReflectiveTypeAdapterFactory.create(ReflectiveTypeAdapterFactory.java:65)
    at com.google.gson.internal.bind.MiniGson.getAdapter(MiniGson.java:92)
    at com.google.gson.internal.bind.ReflectiveTypeAdapterFactory$1.<init>(ReflectiveTypeAdapterFactory.java:75)
    at com.google.gson.internal.bind.ReflectiveTypeAdapterFactory.createBoundField(ReflectiveTypeAdapterFactory.java:74)
    at com.google.gson.internal.bind.ReflectiveTypeAdapterFactory.getBoundFields(ReflectiveTypeAdapterFactory.java:112)
    at com.google.gson.internal.bind.ReflectiveTypeAdapterFactory.create(ReflectiveTypeAdapterFactory.java:65)
    at com.google.gson.internal.bind.MiniGson.getAdapter(MiniGson.java:92)
    at com.google.gson.internal.bind.ReflectiveTypeAdapterFactory$1.<init>(ReflectiveTypeAdapterFactory.java:75)
    at com.google.gson.internal.bind.ReflectiveTypeAdapterFactory.createBoundField(ReflectiveTypeAdapterFactory.java:74)
    at com.google.gson.internal.bind.ReflectiveTypeAdapterFactory.getBoundFields(ReflectiveTypeAdapterFactory.java:112)
    at com.google.gson.internal.bind.ReflectiveTypeAdapterFactory.create(ReflectiveTypeAdapterFactory.java:65)
    at com.google.gson.internal.bind.MiniGson.getAdapter(MiniGson.java:92)
    at com.google.gson.internal.bind.CollectionTypeAdapterFactory.create(CollectionTypeAdapterFactory.java:49)
    at com.google.gson.internal.bind.MiniGson.getAdapter(MiniGson.java:92)
    at com.google.gson.internal.bind.ReflectiveTypeAdapterFactory$1.<init>(ReflectiveTypeAdapterFactory.java:75)
    at com.google.gson.internal.bind.ReflectiveTypeAdapterFactory.createBoundField(ReflectiveTypeAdapterFactory.java:74)
    at com.google.gson.internal.bind.ReflectiveTypeAdapterFactory.getBoundFields(ReflectiveTypeAdapterFactory.java:112)
    at com.google.gson.internal.bind.ReflectiveTypeAdapterFactory.create(ReflectiveTypeAdapterFactory.java:65)
    at com.google.gson.internal.bind.MiniGson.getAdapter(MiniGson.java:92)
    at com.google.gson.internal.bind.ReflectiveTypeAdapterFactory$1.<init>(ReflectiveTypeAdapterFactory.java:75)
    at com.google.gson.internal.bind.ReflectiveTypeAdapterFactory.createBoundField(ReflectiveTypeAdapterFactory.java:74)
    at com.google.gson.internal.bind.ReflectiveTypeAdapterFactory.getBoundFields(ReflectiveTypeAdapterFactory.java:112)
    at com.google.gson.internal.bind.ReflectiveTypeAdapterFactory.create(ReflectiveTypeAdapterFactory.java:65)
    at com.google.gson.internal.bind.MiniGson.getAdapter(MiniGson.java:92)
    at com.google.gson.Gson.toJson(Gson.java:504)
    at com.google.gson.Gson.toJson(Gson.java:491)
    at com.google.gson.Gson.toJson(Gson.java:446)
    at com.google.gson.Gson.toJson(Gson.java:426)
...

What version of the product are you using? On what operating system?
Windows 7, JDK 1.7 (Netbeans)

Please provide any additional information below.

Original issue reported on code.google.com by court...@crlog.info on 29 Nov 2011 at 10:00

GoogleCodeExporter commented 9 years ago
Ahhhhh, sorry forgot to include GSON version.
So:
GSON version 2.0
This worked previously with 
GSON Version 1.7.x

Original comment by court...@crlog.info on 29 Nov 2011 at 10:01

GoogleCodeExporter commented 9 years ago
I'll look into this... We're going to have a new version of Gson out by year's end that should include a fix.

Original comment by limpbizkit on 3 Dec 2011 at 8:33

GoogleCodeExporter commented 9 years ago
Cool...I'll keep an eye out

Original comment by courtney...@datasift.com on 3 Dec 2011 at 8:55

GoogleCodeExporter commented 9 years ago
I couldn't reproduce this. Could you provide a complete example?

import com.google.gson.Gson;
import com.google.gson.GsonBuilder;
import java.util.HashMap;

public class Bug382Test {  // enclosing class added to make the fragment compile; its name is assumed

  public void testBug382() {
    String string = new GSONObjectImpl().toString();
    System.out.println(string);
  }

  public abstract static class GSONObject<K, V> {
    protected static transient Gson gson;
    protected HashMap<K, V> data;

    public GSONObject() {
      gson = new GsonBuilder().
          disableHtmlEscaping().
          setPrettyPrinting().
          serializeNulls().
          create();
      data = new HashMap<K, V>();
    }

    @Override
    public String toString() {
      return gson.toJson(this);
    }

    public <T> String toJson(Class<T> type) {
      return gson.toJson(this, type);
    }
  }

  public static class GSONObjectImpl extends GSONObject<String, String> {
  }
}

Original comment by limpbizkit on 16 Dec 2011 at 4:50

GoogleCodeExporter commented 9 years ago
I have seen this happen. For me, this happens when Gson runs into a field of type java.lang.Class. Typically, the reason is that I forgot to add a type adapter for the class containing this field. Clearly, java.lang.Class fields are not meant to be deserialized. Maybe a less cryptic message would help.

Original comment by inder123 on 16 Dec 2011 at 6:13
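The situation inder123 describes, as an added example that is not part of the issue thread or of Gson's own code: a POJO with a java.lang.Class field, plus a registered TypeAdapter so that Gson never needs to reflect into Class (serializing the class name, and refusing to load a class from JSON input). The class names Event and ClassTypeAdapter are assumptions.

```java
import com.google.gson.Gson;
import com.google.gson.GsonBuilder;
import com.google.gson.TypeAdapter;
import com.google.gson.stream.JsonReader;
import com.google.gson.stream.JsonWriter;
import java.io.IOException;

public class ClassFieldExample {

  /** Adapter for java.lang.Class: writes the class name, never reads one back. */
  static final class ClassTypeAdapter extends TypeAdapter<Class<?>> {
    @Override
    public void write(JsonWriter out, Class<?> value) throws IOException {
      if (value == null) {
        out.nullValue();
      } else {
        out.value(value.getName());
      }
    }

    @Override
    public Class<?> read(JsonReader in) throws IOException {
      // Loading a class by a name taken from JSON input is never acceptable.
      throw new UnsupportedOperationException(
          "Refusing to deserialize java.lang.Class from JSON");
    }
  }

  /** Constructed POJO carrying a Class-typed field (assumed name). */
  static final class Event {
    String name = "login";
    Class<?> source = Event.class;
  }

  public static void main(String[] args) {
    // Hierarchy registration so the adapter also matches Class<?> fields.
    Gson gson = new GsonBuilder()
        .registerTypeHierarchyAdapter(Class.class, new ClassTypeAdapter())
        .create();
    // No reflective access to Class's constructor: prints {"name":"login","source":"..."}
    System.out.println(gson.toJson(new Event()));
    // The read path is deliberately rejected rather than resolving the name.
    try {
      gson.fromJson("{\"name\":\"login\",\"source\":\"java.lang.Object\"}", Event.class);
    } catch (UnsupportedOperationException e) {
      System.out.println("rejected: " + e.getMessage());
    }
  }
}
```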

GoogleCodeExporter commented 9 years ago
I wasn't able to reproduce it just now. The super class that contains the static JSON object and methods as well as the sub classes have all changed quite a bit. I tried doing it based on what I posted and remembered but it didn't happen...
I'm not sure what inder123 means exactly but when this happened I had only that hashmap, data as a field in the class, something like

    public void put(K key, V val) {
        data.put(key, val);
    }
And the key was always a string, the value was occasionally POJOs that were known to serialize just fine with GSON.

I'll try again when I get home, I'll see if I can revert to the version of the code that had all this and try again, but unfortunately I wasn't able to reproduce it...

Original comment by court...@crlog.info on 16 Dec 2011 at 6:46

GoogleCodeExporter commented 9 years ago
Inder fixed this with r1090.

Original comment by limpbizkit on 29 Dec 2011 at 5:33