Merge pull request quarkusio#53635 from FroMage/json-reflection-skip-private-methods

REST + JSON: ignore private methods

Author: gsmet

extensions/resteasy-classic/resteasy-common/spi/src/main/java/io/quarkus/resteasy/common/spi/ResteasyDotNames.java

@@ -1,5 +1,6 @@
 package io.quarkus.resteasy.common.spi;
 
+import java.lang.reflect.Modifier;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
@@ -96,7 +97,10 @@ private static class IgnoreMethodForReflectionPredicate implements Predicate<Met
 
         @Override
         public boolean test(MethodInfo methodInfo) {
-            return methodInfo.hasAnnotation(JSON_IGNORE)
+            // Non-public methods are not required by JSON serialisation, and may lead to leaking of implementation
+            // types that we should not register.
+            return !Modifier.isPublic(methodInfo.flags())
+                    || methodInfo.hasAnnotation(JSON_IGNORE)
                     || methodInfo.hasAnnotation(JSONB_TRANSIENT)
                     || methodInfo.hasAnnotation(XML_TRANSIENT);
         }

extensions/resteasy-reactive/rest-common/deployment/src/main/java/io/quarkus/resteasy/reactive/common/deployment/QuarkusResteasyReactiveDotNames.java

@@ -1,5 +1,6 @@
 package io.quarkus.resteasy.reactive.common.deployment;
 
+import java.lang.reflect.Modifier;
 import java.util.function.Predicate;
 
 import org.jboss.jandex.DotName;
@@ -70,7 +71,10 @@ private static class IgnoreMethodForReflectionPredicate implements Predicate<Met
 
         @Override
         public boolean test(MethodInfo methodInfo) {
-            return methodInfo.hasAnnotation(JSON_IGNORE)
+            // Non-public methods are not required by JSON serialisation, and may lead to leaking of implementation
+            // types that we should not register.
+            return !Modifier.isPublic(methodInfo.flags())
+                    || methodInfo.hasAnnotation(JSON_IGNORE)
                     || methodInfo.hasAnnotation(JSONB_TRANSIENT);
         }
     }