policeman-tools / forbidden-apis

Policeman's Forbidden API Checker
Apache License 2.0

Since Java 18 uses UTF-8 by default should some methods now be considered as safe? #201

Closed aspan closed 2 years ago

aspan commented 2 years ago

Java 18 included the following JEP: JEP 400: UTF-8 by Default.

My question is if some methods should now be considered as safe for Java 18+?

For instance java.io.FileWriter#<init>(java.io.File).

dweiss commented 2 years ago

That JEP envisions situations where you can alter the default encoding... so I'd say no. Stay explicit and avoid surprises.

aspan commented 2 years ago

Thanks for the answer. I agree the possibility to override the default encoding can cause problems.

uschindler commented 2 years ago

Hi Dawid, thanks for the response. It is all exactly as mentioned: "Unsafe" are all APIs where some default parameters like charset, timezone, locale or whatever else depends on some external setting like a system property, a static method (Locale#setDefault(), Charset#setDefault(),...). There is no access control and some of those settings change behaviour of code relying on those defaults dramatically. Think of some 3rd party JAR suddenly changing the default charset or default locale in another thread and reverting back after doing its work (I have seen shit like this).

JEP 400 only changes the DEFAULT but it does NOT say FileWriter() always uses UTF-8. Methods in java.nio.file.Files are safe, because they are documented to use UTF-8 and there is no default applied.

So JEP 400 helps to work against the problem (problems are less likely to occur in reality), but it does not solve the problem.
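
The distinction drawn in the comments above, as an added example that is not part of the original thread or of the forbidden-apis project: it writes the same string through the flagged `java.io.FileWriter#<init>(java.io.File)` constructor, through `java.nio.file.Files`, and through the explicit-charset `FileWriter` overload, then compares the bytes. The class name `DefaultCharsetDemo` and the sample string are constructed for illustration.

```java
import java.io.FileWriter;
import java.io.IOException;
import java.io.Writer;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Arrays;
import java.util.HexFormat;

// Added example (hypothetical class name). Requires Java 17+ for HexFormat.
// Run twice and compare the output:
//   java DefaultCharsetDemo.java
//   java -Dfile.encoding=COMPAT DefaultCharsetDemo.java
public class DefaultCharsetDemo {
    // Constructed sample: U+00E9 is one byte in windows-1252, two bytes in UTF-8.
    static final String SAMPLE = "caf\u00e9";

    // Writes SAMPLE through the given writer, then returns the bytes on disk.
    static byte[] write(Path file, Writer writer) throws IOException {
        try (writer) {
            writer.write(SAMPLE);
        }
        byte[] bytes = Files.readAllBytes(file);
        Files.delete(file);
        return bytes;
    }

    public static void main(String[] args) throws IOException {
        System.out.println("default charset: " + Charset.defaultCharset());
        Path a = Files.createTempFile("implicit", ".txt");
        Path b = Files.createTempFile("nio", ".txt");
        Path c = Files.createTempFile("explicit", ".txt");

        // Signature from the issue: the charset comes from the JVM default.
        byte[] implicit = write(a, new FileWriter(a.toFile()));
        // java.nio.file.Files: documented to use UTF-8, no default consulted.
        byte[] nio = write(b, Files.newBufferedWriter(b));
        // Explicit-charset overload (Java 11+): independent of any JVM setting.
        byte[] explicit = write(c, new FileWriter(c.toFile(), StandardCharsets.UTF_8));

        HexFormat hex = HexFormat.of();
        System.out.println("FileWriter(File)          " + hex.formatHex(implicit));
        System.out.println("Files.newBufferedWriter   " + hex.formatHex(nio));
        System.out.println("FileWriter(File, UTF_8)   " + hex.formatHex(explicit));
        System.out.println("implicit matches explicit: " + Arrays.equals(implicit, explicit));
    }
}
```

With `COMPAT` on a host whose native encoding is not UTF-8, the `FileWriter(File)` line is expected to differ from the other two. On a UTF-8 host all three match, which is why the dependency on the default tends to go unnoticed in testing.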