cshannon opened a new issue, #4837: URL: https://github.com/apache/accumulo/issues/4837
As part of #4830 I noticed that Gson was able to serialze or data classes even without a default constructor and final keyword applied. A good example is [JsonData](https://github.com/apache/accumulo/blob/e8446a2f186e8202680077965a65db00a2e9d715/server/base/src/main/java/org/apache/accumulo/server/manager/state/TabletManagementParameters.java#L208) in TabletManagementParams class. @keith-turner and I looked into this to see what was going on and it looks like Gson uses` sun.misc.Unsafe` to create objects that don't have a default constructor which has risks and would be a good idea to disable. I think it would be a good idea to do the following: 1. Add a default constructor for all Gson serialized classes so we don't need to use Unsafe to create the object 2. Remove final keyword from member variables in Gson serialized classes so Gson as reflection is used to set these so this could cause strange behavior. Also we can't use final anyways if we have default constructors. 3. Disable Gson from using Jdk Unsafe. See: https://javadoc.io/doc/com.google.code.gson/gson/latest/com.google.gson/com/google/gson/GsonBuilder.html#disableJdkUnsafe() -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
