Remove Serializable from internal Type implementation classes. (#3011)

eamonnmcmanus · web-flow · commit 0189b727761f · 2026-04-10T11:45:16.000-07:00
* Remove `Serializable` from internal `Type` implementation classes.

The nested classes `ParameterizedTypeImpl`, `GenericArrayTypeImpl`, and
`WildcardTypeImpl` in `GsonTypes` are implementations of the
corresponding types (without `Impl`) in `java.lang.reflect`. For some
reason, they have always implemented `Serializable`. They are even
documented that way, though the documentation is not published since
`GsonTypes` is an internal implementation class.

The implementations of these interfaces that are returned by
`java.lang.reflect` methods such as `Method.getGenericReturnType()` do
*not* implement `Serializable` so it seems gratuitous for Gson's
implementations to do so. Additionally, `Serializable` classes can
potentially participate in exploits. I think it is highly unlikely that
there is any practical exploit using these classes, but if we can avoid
even having to ask the question then we should.

* Remove unnecessary serialization stuff.
diff --git a/gson/src/main/java/com/google/gson/internal/GsonTypes.java b/gson/src/main/java/com/google/gson/internal/GsonTypes.java
@@ -18,7 +18,6 @@
 
 import static java.util.Objects.requireNonNull;
 
-import java.io.Serializable;
 import java.lang.reflect.Array;
 import java.lang.reflect.GenericArrayType;
 import java.lang.reflect.GenericDeclaration;
@@ -52,7 +51,7 @@ private GsonTypes() {
    * Returns a new parameterized type, applying {@code typeArguments} to {@code rawType} and
    * enclosed by {@code ownerType}.
    *
-   * @return a {@link java.io.Serializable serializable} parameterized type.
+   * @return a parameterized type.
    */
   public static ParameterizedType newParameterizedTypeWithOwner(
       Type ownerType, Class<?> rawType, Type... typeArguments) {
@@ -62,7 +61,7 @@ public static ParameterizedType newParameterizedTypeWithOwner(
   /**
    * Returns an array type whose elements are all instances of {@code componentType}.
    *
-   * @return a {@link java.io.Serializable serializable} generic array type.
+   * @return a generic array type.
    */
   public static GenericArrayType arrayOf(Type componentType) {
     return new GenericArrayTypeImpl(componentType);
@@ -100,7 +99,7 @@ public static WildcardType supertypeOf(Type bound) {
 
   /**
    * Returns a type that is functionally equal but not necessarily equal according to {@link
-   * Object#equals(Object) Object.equals()}. The returned type is {@link java.io.Serializable}.
+   * Object#equals(Object) Object.equals()}.
    */
   public static Type canonicalize(Type type) {
     if (type instanceof Class) {
@@ -506,18 +505,11 @@ public static boolean requiresOwnerType(Type rawType) {
     return false;
   }
 
-  // Here and below we put @SuppressWarnings("serial") on fields of type `Type`. Recent Java
-  // compilers complain that the declared type is not Serializable. But in this context we go out of
-  // our way to ensure that the Type in question is either Class (which is serializable) or one of
-  // the nested Type implementations here (which are also serializable).
-  private static final class ParameterizedTypeImpl implements ParameterizedType, Serializable {
-    @SuppressWarnings("serial")
+  private static final class ParameterizedTypeImpl implements ParameterizedType {
     private final Type ownerType;
 
-    @SuppressWarnings("serial")
     private final Type rawType;
 
-    @SuppressWarnings("serial")
     private final Type[] typeArguments;
 
     ParameterizedTypeImpl(Type ownerType, Class<?> rawType, Type... typeArguments) {
@@ -584,12 +576,9 @@ public String toString() {
       }
       return stringBuilder.append(">").toString();
     }
-
-    private static final long serialVersionUID = 0;
   }
 
-  private static final class GenericArrayTypeImpl implements GenericArrayType, Serializable {
-    @SuppressWarnings("serial")
+  private static final class GenericArrayTypeImpl implements GenericArrayType {
     private final Type componentType;
 
     GenericArrayTypeImpl(Type componentType) {
@@ -616,8 +605,6 @@ public int hashCode() {
     public String toString() {
       return typeToString(componentType) + "[]";
     }
-
-    private static final long serialVersionUID = 0;
   }
 
   /**
@@ -626,11 +613,9 @@ public String toString() {
    * https://bugs.openjdk.java.net/browse/JDK-8250660. If a lower bound is set, the upper bound must
    * be Object.class.
    */
-  private static final class WildcardTypeImpl implements WildcardType, Serializable {
-    @SuppressWarnings("serial")
+  private static final class WildcardTypeImpl implements WildcardType {
     private final Type upperBound;
 
-    @SuppressWarnings("serial")
     private final Type lowerBound;
 
     WildcardTypeImpl(Type[] upperBounds, Type[] lowerBounds) {
@@ -690,7 +675,5 @@ public String toString() {
         return "? extends " + typeToString(upperBound);
       }
     }
-
-    private static final long serialVersionUID = 0;
   }
 }
