[Java] Skip toString in annotation invocation handler readObject (#…

…922) * Use fury serialization to avoid AnnotationInvocationHandler#readObject * Use fury serialization to avoid AnnotationInvocationHandler#readObject
apache · Sep 27, 2023 · b9e66b2 · b9e66b2
1 parent ed78c77
commit b9e66b2
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/java/fury-core/src/main/java/io/fury/resolver/ClassResolver.java b/java/fury-core/src/main/java/io/fury/resolver/ClassResolver.java
@@ -541,6 +541,13 @@ public static boolean requireJavaSerialization(Class<?> clz) {
     if (Externalizable.class.isAssignableFrom(clz)) {
       return false;
     } else {
+      // `AnnotationInvocationHandler#readObject` may invoke `toString` of object, which may be
+      // risky.
+      // For example, JsonObject#toString may invoke `getter`.
+      // Use fury serialization to avoid this.
+      if ("sun.reflect.annotation.AnnotationInvocationHandler".equals(clz.getName())) {
+        return false;
+      }
       return JavaSerializer.getReadObjectMethod(clz) != null
           || JavaSerializer.getWriteObjectMethod(clz) != null;
     }