Add Notice JSON serialize/deserialize API with round-trip test#127
Add Notice JSON serialize/deserialize API with round-trip test#127
Conversation
Summary of ChangesHello @vLuckyyy, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request significantly enhances the Highlights
🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console. Changelog
Activity
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here. You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension. Footnotes
|
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 596f580fa0
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| for (Map.Entry<String, JsonElement> entry : root.entrySet()) { | ||
| String key = entry.getKey(); | ||
| NoticeSerdesResult result = toSerdesResult(key, entry.getValue()); | ||
| Optional<NoticeDeserializeResult<?>> deserialized = noticeRegistry.deserialize(key, result); |
There was a problem hiding this comment.
When deserializing arbitrary JSON, this line calls noticeRegistry.deserialize(key, result) before validating that key is registered; for unknown keys, NoticeResolverRegistry.deserialize dereferences a null resolver set and throws a NullPointerException, so the intended IllegalArgumentException("Unsupported notice key") path is never reached. Any typo or extra field in input JSON will crash deserialization with an opaque NPE instead of a controlled validation error.
Useful? React with 👍 / 👎.
| if (result instanceof NoticeSerdesResult.Empty) { | ||
| return JsonNull.INSTANCE; | ||
| } |
There was a problem hiding this comment.
Serializing NoticeSerdesResult.Empty as JSON null causes round-trip failure for valid notices with empty chat content (e.g., Notice.builder().chat(List.of()).build()): deserialization maps null back to Empty, ChatResolver.deserialize returns Optional.empty(), and the codec then throws Unsupported notice key. This means the new serialize/deserialize API cannot reliably restore all notices it can serialize.
Useful? React with 👍 / 👎.
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request introduces JSON serialization and deserialization for Notice objects. While this is a great addition, a potential Denial of Service vulnerability was identified. The deserialization process is susceptible to a NullPointerException when encountering unknown keys in the input JSON, due to a bug in the underlying NoticeResolverRegistry. This could be exploited by an attacker providing malformed JSON to crash the application or the thread processing the notice. Additionally, there are suggestions in NoticeJsonCodec.java to leverage modern Java 17 features like switch expressions and streams for improved code conciseness and maintainability.
| for (Map.Entry<String, JsonElement> entry : root.entrySet()) { | ||
| String key = entry.getKey(); | ||
| NoticeSerdesResult result = toSerdesResult(key, entry.getValue()); | ||
| Optional<NoticeDeserializeResult<?>> deserialized = noticeRegistry.deserialize(key, result); |
There was a problem hiding this comment.
The deserialize method calls noticeRegistry.deserialize(key, result), which can lead to a NullPointerException if the key provided in the JSON is not registered in the noticeRegistry. This is because NoticeResolverRegistry.deserialize (line 37 in the context file) does not check if the returned set of resolvers is null before iterating over it. An attacker can provide a malicious JSON string with an unknown key to cause the application to throw an unhandled exception, potentially leading to a Denial of Service (DoS) if the exception is not caught by the caller.
| private static JsonElement toJsonElement(NoticeSerdesResult result) { | ||
| if (result instanceof NoticeSerdesResult.Single single) { | ||
| return new JsonPrimitive(single.element()); | ||
| } | ||
|
|
||
| if (result instanceof NoticeSerdesResult.Multiple multiple) { | ||
| JsonArray array = new JsonArray(); | ||
| for (String element : multiple.elements()) { | ||
| array.add(element); | ||
| } | ||
| return array; | ||
| } | ||
|
|
||
| if (result instanceof NoticeSerdesResult.Section section) { | ||
| JsonObject object = new JsonObject(); | ||
| for (Map.Entry<String, String> sectionEntry : section.elements().entrySet()) { | ||
| object.addProperty(sectionEntry.getKey(), sectionEntry.getValue()); | ||
| } | ||
| return object; | ||
| } | ||
|
|
||
| if (result instanceof NoticeSerdesResult.Empty) { | ||
| return JsonNull.INSTANCE; | ||
| } | ||
|
|
||
| throw new IllegalArgumentException("Unsupported result type: " + result.getClass().getName()); | ||
| } |
There was a problem hiding this comment.
The if-instanceof chain can be replaced with a switch expression. Since NoticeSerdesResult is a sealed interface and the project uses Java 17, a switch expression is more concise and provides compile-time safety for exhaustiveness.
private static JsonElement toJsonElement(NoticeSerdesResult result) {
return switch (result) {
case NoticeSerdesResult.Single single -> new JsonPrimitive(single.element());
case NoticeSerdesResult.Multiple multiple -> {
JsonArray array = new JsonArray();
multiple.elements().forEach(array::add);
yield array;
}
case NoticeSerdesResult.Section section -> {
JsonObject object = new JsonObject();
section.elements().forEach(object::addProperty);
yield object;
}
case NoticeSerdesResult.Empty empty -> JsonNull.INSTANCE;
};
}| private static List<String> toStringList(String key, JsonArray jsonArray) { | ||
| List<String> values = new ArrayList<>(); | ||
| for (JsonElement jsonElement : jsonArray) { | ||
| if (!jsonElement.isJsonPrimitive() || !jsonElement.getAsJsonPrimitive().isString()) { | ||
| throw new JsonParseException("All array elements for key '" + key + "' must be strings"); | ||
| } | ||
| values.add(jsonElement.getAsString()); | ||
| } | ||
| return values; | ||
| } |
There was a problem hiding this comment.
This method can be simplified by using Java Streams. This would make the code more declarative and potentially more readable.
private static List<String> toStringList(String key, JsonArray jsonArray) {
return jsonArray.asList().stream()
.map(jsonElement -> {
if (!jsonElement.isJsonPrimitive() || !jsonElement.getAsJsonPrimitive().isString()) {
throw new JsonParseException("All array elements for key '" + key + "' must be strings");
}
return jsonElement.getAsString();
})
.toList();
}| private static Map<String, String> toStringMap(String key, JsonObject jsonObject) { | ||
| Map<String, String> values = new LinkedHashMap<>(); | ||
| for (Map.Entry<String, JsonElement> jsonEntry : jsonObject.entrySet()) { | ||
| JsonElement jsonElement = jsonEntry.getValue(); | ||
| if (!jsonElement.isJsonPrimitive() || !jsonElement.getAsJsonPrimitive().isString()) { | ||
| throw new JsonParseException("All object values for key '" + key + "' must be strings"); | ||
| } | ||
| values.put(jsonEntry.getKey(), jsonElement.getAsString()); | ||
| } | ||
| return values; | ||
| } |
There was a problem hiding this comment.
This method can be refactored to use Java Streams and Collectors.toMap for a more functional and concise implementation. This maintains the use of LinkedHashMap to preserve insertion order.
private static Map<String, String> toStringMap(String key, JsonObject jsonObject) {
return jsonObject.entrySet().stream()
.collect(java.util.stream.Collectors.toMap(
Map.Entry::getKey,
entry -> {
JsonElement jsonElement = entry.getValue();
if (!jsonElement.isJsonPrimitive() || !jsonElement.getAsJsonPrimitive().isString()) {
throw new JsonParseException("All object values for key '" + key + "' must be strings");
}
return jsonElement.getAsString();
},
(v1, v2) -> v2,
LinkedHashMap::new
));
}1 participant
No description provided.