Defensively copy array returned from forAnnotations

philwebb · philwebb · commit cb7f99796266 · 2019-03-25T07:53:42.000-07:00
Update the proxy used in `AnnotatedElementUtils.forAnnotations` so that it returns a cloned array for calls to `getDeclaredAnnotations` or `getAnnotations`. This matches the behavior of standard JDK `AnnotatedElement` implementations. Closes gh-22655
diff --git a/spring-core/src/main/java/org/springframework/core/annotation/AnnotatedElementUtils.java b/spring-core/src/main/java/org/springframework/core/annotation/AnnotatedElementUtils.java
@@ -864,12 +864,12 @@ public <T extends Annotation> T getAnnotation(Class<T> annotationClass) {
 
 		@Override
 		public Annotation[] getAnnotations() {
-			return this.annotations;
+			return this.annotations.clone();
 		}
 
 		@Override
 		public Annotation[] getDeclaredAnnotations() {
-			return this.annotations;
+			return this.annotations.clone();
 		}
 
 	};
diff --git a/spring-core/src/test/java/org/springframework/core/annotation/AnnotatedElementUtilsTests.java b/spring-core/src/test/java/org/springframework/core/annotation/AnnotatedElementUtilsTests.java
@@ -23,9 +23,7 @@
 import java.lang.annotation.RetentionPolicy;
 import java.lang.annotation.Target;
 import java.lang.reflect.AnnotatedElement;
-import java.lang.reflect.Constructor;
 import java.lang.reflect.Method;
-import java.util.Date;
 import java.util.List;
 import java.util.Set;
 import javax.annotation.Resource;
@@ -43,6 +41,7 @@
 
 import static java.util.Arrays.*;
 import static java.util.stream.Collectors.*;
+import static org.assertj.core.api.Assertions.assertThat;
 import static org.hamcrest.Matchers.*;
 import static org.junit.Assert.*;
 import static org.springframework.core.annotation.AnnotatedElementUtils.*;
@@ -736,6 +735,15 @@ public void findMethodAnnotationFromGenericSuperclass() throws Exception {
 		assertNotNull(order);
 	}
 
+	@Test // gh-22655
+	public void forAnnotationsCreatesCopyOfArrayOnEachCall() {
+		AnnotatedElement element = AnnotatedElementUtils.forAnnotations(ForAnnotationsClass.class.getDeclaredAnnotations());
+		// Trigger the NPE as originally reported in the bug
+		AnnotationsScanner.getDeclaredAnnotations(element, false);
+		AnnotationsScanner.getDeclaredAnnotations(element, false);
+		// Also specifically test we get different instances
+		assertThat(element.getDeclaredAnnotations()).isNotSameAs(element.getDeclaredAnnotations());
+	}
 
 	// -------------------------------------------------------------------------
 
@@ -1301,4 +1309,10 @@ public void doIt() {
 		}
 	}
 
+	@Deprecated
+	@ComponentScan
+	class ForAnnotationsClass {
+
+	}
+
 }

Original file line number	Diff line number	Diff line change
`@@ -864,12 +864,12 @@ public <T extends Annotation> T getAnnotation(Class<T> annotationClass) {`
`864`	`864`
`865`	`865`	`@Override`
`866`	`866`	`public Annotation[] getAnnotations() {`
`867`		`- return this.annotations;`
	`867`	`+ return this.annotations.clone();`
`868`	`868`	`}`
`869`	`869`
`870`	`870`	`@Override`
`871`	`871`	`public Annotation[] getDeclaredAnnotations() {`
`872`		`- return this.annotations;`
	`872`	`+ return this.annotations.clone();`
`873`	`873`	`}`
`874`	`874`
`875`	`875`	`};`