From b9e66b281b9d24ad2a05dda060e5f21caf011ba1 Mon Sep 17 00:00:00 2001
From: Shawn <shawn.ck.yang@gmail.com>
Date: Fri, 22 Sep 2023 01:14:55 +0800
Subject: [PATCH] [Java] Skip `toString` in annotation invocation handler
 `readObject` (#922)

* Use fury serialization to avoid AnnotationInvocationHandler#readObject

* Use fury serialization to avoid AnnotationInvocationHandler#readObject
---
 .../src/main/java/io/fury/resolver/ClassResolver.java      | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/java/fury-core/src/main/java/io/fury/resolver/ClassResolver.java b/java/fury-core/src/main/java/io/fury/resolver/ClassResolver.java
index 78df9d0c51..edab04456f 100644
--- a/java/fury-core/src/main/java/io/fury/resolver/ClassResolver.java
+++ b/java/fury-core/src/main/java/io/fury/resolver/ClassResolver.java
@@ -541,6 +541,13 @@ public static boolean requireJavaSerialization(Class<?> clz) {
     if (Externalizable.class.isAssignableFrom(clz)) {
       return false;
     } else {
+      // `AnnotationInvocationHandler#readObject` may invoke `toString` of object, which may be
+      // risky.
+      // For example, JsonObject#toString may invoke `getter`.
+      // Use fury serialization to avoid this.
+      if ("sun.reflect.annotation.AnnotationInvocationHandler".equals(clz.getName())) {
+        return false;
+      }
       return JavaSerializer.getReadObjectMethod(clz) != null
           || JavaSerializer.getWriteObjectMethod(clz) != null;
     }