Introduce warnings in documentation of SerializationUtils

sbrannen · sbrannen · commit 3811cd4c0a0b · 2022-03-29T15:22:30.000+02:00
Closes gh-28246
diff --git a/spring-core/src/main/java/org/springframework/util/SerializationUtils.java b/spring-core/src/main/java/org/springframework/util/SerializationUtils.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2019 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -25,9 +25,18 @@
 import org.springframework.lang.Nullable;
 
 /**
- * Static utilities for serialization and deserialization.
+ * Static utilities for serialization and deserialization using
+ * <a href="https://docs.oracle.com/javase/8/docs/technotes/guides/serialization/"
+ * target="_blank">Java Object Serialization</a>.
+ *
+ * <p><strong>WARNING</strong>: These utilities should be used with caution. See
+ * <a href="https://www.oracle.com/java/technologies/javase/seccodeguide.html#8"
+ * target="_blank">Secure Coding Guidelines for the Java Programming Language</a>
+ * for details.
  *
  * @author Dave Syer
+ * @author Loïc Ledoyen
+ * @author Sam Brannen
  * @since 3.0.5
  */
 public abstract class SerializationUtils {
@@ -55,6 +64,12 @@ public static byte[] serialize(@Nullable Object object) {
 
 	/**
 	 * Deserialize the byte array into an object.
+	 * <p><strong>WARNING</strong>: This utility will be deprecated in Spring
+	 * Framework 6.0 since it uses Java Object Serialization, which allows arbitrary
+	 * code to be run and is known for being the source of many Remote Code Execution
+	 * (RCE) vulnerabilities. Prefer the use of an external tool (that serializes
+	 * to JSON, XML, or any other format) which is regularly checked and updated
+	 * for not allowing RCE.
 	 * @param bytes a serialized object
 	 * @return the result of deserializing the bytes
 	 */
