Prevent Kotlin Serialization codecs side effects

This commit updates Kotlin serialization codecs to perform
an additional check invoking
KotlinDetector#hasSerializableAnnotation to decide if the
related type should be processed or not.

The goal is to prevent in the default arrangement conflicts
between general purpose codecs like Jackson and
Kotlin serialization when both are used.

New constructors allowing to specify a custom predicate
are also introduced.

See gh-35761

Author: sdeleuze

spring-web/src/main/java/org/springframework/http/codec/KotlinSerializationBinaryDecoder.java

@@ -18,6 +18,7 @@
 
 import java.util.List;
 import java.util.Map;
+import java.util.function.Predicate;
 
 import kotlinx.serialization.BinaryFormat;
 import kotlinx.serialization.KSerializer;
@@ -37,9 +38,11 @@
  * Abstract base class for {@link Decoder} implementations that defer to Kotlin
  * {@linkplain BinaryFormat binary serializers}.
  *
- * <p>As of Spring Framework 7.0,
- * <a href="https://github.com/Kotlin/kotlinx.serialization/blob/master/docs/polymorphism.md#open-polymorphism">open polymorphism</a>
- * is supported.
+ * <p>As of Spring Framework 7.0, by default it only decodes types annotated with
+ * {@link kotlinx.serialization.Serializable @Serializable} at type or generics level
+ * since it allows combined usage with other general purpose decoders without conflicts.
+ * Alternative constructors with a {@code Predicate<ResolvableType>} parameter can be used
+ * to customize this behavior.
  *
  * @author Sebastien Deleuze
  * @author Iain Henderson
@@ -54,10 +57,26 @@ public abstract class KotlinSerializationBinaryDecoder<T extends BinaryFormat> e
 	private final ByteArrayDecoder byteArrayDecoder = new ByteArrayDecoder();
 
 
+	/**
+	 * Creates a new instance with the given format and supported mime types
+	 * which only decodes types annotated with
+	 * {@link kotlinx.serialization.Serializable @Serializable} at type or
+	 * generics level.
+	 */
 	public KotlinSerializationBinaryDecoder(T format, MimeType... supportedMimeTypes) {
 		super(format, supportedMimeTypes);
 	}
 
+	/**
+	 * Creates a new instance with the given format and supported mime types
+	 * which only decodes types for which the specified predicate returns
+	 * {@code true}.
+	 * @since 7.0
+	 */
+	public KotlinSerializationBinaryDecoder(T format, Predicate<ResolvableType> typePredicate, MimeType... supportedMimeTypes) {
+		super(format, typePredicate, supportedMimeTypes);
+	}
+
 	/**
 	 * Configure a limit on the number of bytes that can be buffered whenever
 	 * the input stream needs to be aggregated. This can be a result of

spring-web/src/main/java/org/springframework/http/codec/KotlinSerializationBinaryEncoder.java

@@ -18,6 +18,7 @@
 
 import java.util.List;
 import java.util.Map;
+import java.util.function.Predicate;
 
 import kotlinx.serialization.BinaryFormat;
 import kotlinx.serialization.KSerializer;
@@ -38,9 +39,11 @@
  * Abstract base class for {@link Encoder} implementations that defer to Kotlin
  * {@linkplain BinaryFormat binary serializers}.
  *
- * <p>As of Spring Framework 7.0,
- * <a href="https://github.com/Kotlin/kotlinx.serialization/blob/master/docs/polymorphism.md#open-polymorphism">open polymorphism</a>
- * is supported.
+ * <p>As of Spring Framework 7.0, by default it only encodes types annotated with
+ * {@link kotlinx.serialization.Serializable @Serializable} at type or generics level
+ * since it allows combined usage with other general purpose encoders without conflicts.
+ * Alternative constructors with a {@code Predicate<ResolvableType>} parameter can be used
+ * to customize this behavior.
  *
  * @author Sebastien Deleuze
  * @author Iain Henderson
@@ -54,10 +57,26 @@ public abstract class KotlinSerializationBinaryEncoder<T extends BinaryFormat> e
 	// ByteArraySequence encoding needed for now, see https://github.com/Kotlin/kotlinx.serialization/issues/204 for more details
 	private final ByteArrayEncoder byteArrayEncoder = new ByteArrayEncoder();
 
+	/**
+	 * Creates a new instance with the given format and supported mime types
+	 * which only encodes types annotated with
+	 * {@link kotlinx.serialization.Serializable @Serializable} at type or
+	 * generics level.
+	 */
 	protected KotlinSerializationBinaryEncoder(T format, MimeType... supportedMimeTypes) {
 		super(format, supportedMimeTypes);
 	}
 
+	/**
+	 * Creates a new instance with the given format and supported mime types
+	 * which only encodes types for which the specified predicate returns
+	 * {@code true}.
+	 * @since 7.0
+	 */
+	protected KotlinSerializationBinaryEncoder(T format, Predicate<ResolvableType> typePredicate, MimeType... supportedMimeTypes) {
+		super(format, typePredicate, supportedMimeTypes);
+	}
+
 	@Override
 	public boolean canEncode(ResolvableType elementType, @Nullable MimeType mimeType) {
 		return canSerialize(elementType, mimeType);

spring-web/src/main/java/org/springframework/http/codec/KotlinSerializationStringDecoder.java

@@ -18,6 +18,7 @@
 
 import java.util.List;
 import java.util.Map;
+import java.util.function.Predicate;
 
 import kotlinx.serialization.KSerializer;
 import kotlinx.serialization.StringFormat;
@@ -38,9 +39,11 @@
  * Abstract base class for {@link Decoder} implementations that defer to Kotlin
  * {@linkplain StringFormat string serializers}.
  *
- * <p>As of Spring Framework 7.0,
- * <a href="https://github.com/Kotlin/kotlinx.serialization/blob/master/docs/polymorphism.md#open-polymorphism">open polymorphism</a>
- * is supported.
+ * <p>As of Spring Framework 7.0, by default it only decodes types annotated with
+ * {@link kotlinx.serialization.Serializable @Serializable} at type or generics level
+ * since it allows combined usage with other general purpose decoders without conflicts.
+ * Alternative constructors with a {@code Predicate<ResolvableType>} parameter can be used
+ * to customize this behavior.
  *
  * @author Sebastien Deleuze
  * @author Iain Henderson
@@ -55,10 +58,26 @@ public abstract class KotlinSerializationStringDecoder<T extends StringFormat> e
 	private final StringDecoder stringDecoder = StringDecoder.allMimeTypes(StringDecoder.DEFAULT_DELIMITERS, false);
 
 
+	/**
+	 * Creates a new instance with the given format and supported mime types
+	 * which only decodes types annotated with
+	 * {@link kotlinx.serialization.Serializable @Serializable} at type or
+	 * generics level.
+	 */
 	public KotlinSerializationStringDecoder(T format, MimeType... supportedMimeTypes) {
 		super(format, supportedMimeTypes);
 	}
 
+	/**
+	 * Creates a new instance with the given format and supported mime types
+	 * which only decodes types for which the specified predicate returns
+	 * {@code true}.
+	 * @since 7.0
+	 */
+	public KotlinSerializationStringDecoder(T format, Predicate<ResolvableType> typePredicate, MimeType... supportedMimeTypes) {
+		super(format, typePredicate, supportedMimeTypes);
+	}
+
 	/**
 	 * Configure a limit on the number of bytes that can be buffered whenever
 	 * the input stream needs to be aggregated. This can be a result of

spring-web/src/main/java/org/springframework/http/codec/KotlinSerializationStringEncoder.java

@@ -22,6 +22,7 @@
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
+import java.util.function.Predicate;
 
 import kotlinx.serialization.KSerializer;
 import kotlinx.serialization.StringFormat;
@@ -43,9 +44,11 @@
  * Abstract base class for {@link Encoder} implementations that defer to Kotlin
  * {@linkplain StringFormat string serializers}.
  *
- * <p>As of Spring Framework 7.0,
- * <a href="https://github.com/Kotlin/kotlinx.serialization/blob/master/docs/polymorphism.md#open-polymorphism">open polymorphism</a>
- * is supported.
+ * <p>As of Spring Framework 7.0, by default it only encodes types annotated with
+ * {@link kotlinx.serialization.Serializable @Serializable} at type or generics level
+ * since it allows combined usage with other general purpose encoders without conflicts.
+ * Alternative constructors with a {@code Predicate<ResolvableType>} parameter can be used
+ * to customize this behavior.
  *
  * @author Sebastien Deleuze
  * @author Iain Henderson
@@ -65,10 +68,27 @@ public abstract class KotlinSerializationStringEncoder<T extends StringFormat> e
 	private final CharSequenceEncoder charSequenceEncoder = CharSequenceEncoder.allMimeTypes();
 	private final Set<MimeType> streamingMediaTypes = new HashSet<>();
 
+
+	/**
+	 * Creates a new instance with the given format and supported mime types
+	 * which only encodes types annotated with
+	 * {@link kotlinx.serialization.Serializable @Serializable} at type or
+	 * generics level.
+	 */
 	protected KotlinSerializationStringEncoder(T format, MimeType... supportedMimeTypes) {
 		super(format, supportedMimeTypes);
 	}
 
+	/**
+	 * Creates a new instance with the given format and supported mime types
+	 * which only encodes types for which the specified predicate returns
+	 * {@code true}.
+	 * @since 7.0
+	 */
+	protected KotlinSerializationStringEncoder(T format, Predicate<ResolvableType> typePredicate, MimeType... supportedMimeTypes) {
+		super(format, typePredicate, supportedMimeTypes);
+	}
+
 	/**
 	 * Set streaming {@link MediaType MediaTypes}.
 	 * @param streamingMediaTypes streaming {@link MediaType MediaTypes}

spring-web/src/main/java/org/springframework/http/codec/KotlinSerializationSupport.java

@@ -21,6 +21,7 @@
 import java.util.Arrays;
 import java.util.List;
 import java.util.Map;
+import java.util.function.Predicate;
 
 import kotlin.reflect.KFunction;
 import kotlin.reflect.KType;
@@ -42,9 +43,11 @@
  * Base class providing support methods for encoding and decoding with Kotlin
  * serialization.
  *
- * <p>As of Spring Framework 7.0,
- * <a href="https://github.com/Kotlin/kotlinx.serialization/blob/master/docs/polymorphism.md#open-polymorphism">open polymorphism</a>
- * is supported.
+ * <p>As of Spring Framework 7.0, by default it only handles types annotated with
+ * {@link kotlinx.serialization.Serializable @Serializable} at type or generics level
+ * since it allows combined usage with other general purpose decoders without conflicts.
+ * Alternative constructors with a {@code Predicate<ResolvableType>} parameter can be used
+ * to customize this behavior.
  *
  * @author Sebastien Deleuze
  * @author Iain Henderson
@@ -63,12 +66,29 @@ public abstract class KotlinSerializationSupport<T extends SerialFormat> {
 
 	private final List<MimeType> supportedMimeTypes;
 
+	private final Predicate<ResolvableType> typePredicate;
+
 	/**
-	 * Creates a new instance of this support class with the given format
-	 * and supported mime types.
+	 * Creates a new instance with the given format and supported mime types
+	 * which only handle types annotated with
+	 * {@link kotlinx.serialization.Serializable @Serializable} at type or
+	 * generics level.
 	 */
 	protected KotlinSerializationSupport(T format, MimeType... supportedMimeTypes) {
 		this.format = format;
+		this.typePredicate = KotlinDetector::hasSerializableAnnotation;
+		this.supportedMimeTypes = Arrays.asList(supportedMimeTypes);
+	}
+
+	/**
+	 * Creates a new instance with the given format and supported mime types
+	 * which only encode types for which the specified predicate returns
+	 * {@code true}.
+	 * @since 7.0
+	 */
+	protected KotlinSerializationSupport(T format, Predicate<ResolvableType> typePredicate, MimeType... supportedMimeTypes) {
+		this.format = format;
+		this.typePredicate = typePredicate;
 		this.supportedMimeTypes = Arrays.asList(supportedMimeTypes);
 	}
 
@@ -94,15 +114,10 @@ protected final List<MimeType> supportedMimeTypes() {
 	 * @return {@code true} if {@code type} can be serialized; false otherwise
 	 */
 	protected final boolean canSerialize(ResolvableType type, @Nullable MimeType mimeType) {
-		KSerializer<Object> serializer = serializer(type);
-		if (serializer == null) {
+		if (!this.typePredicate.test(type) || ResolvableType.NONE.equals(type)) {
 			return false;
 		}
-		else {
-			return (supports(mimeType) && !String.class.isAssignableFrom(type.toClass()) &&
-					!ServerSentEvent.class.isAssignableFrom(type.toClass()));
-		}
-
+		return serializer(type) != null && supports(mimeType);
 	}
 
 	private boolean supports(@Nullable MimeType mimeType) {

spring-web/src/main/java/org/springframework/http/codec/cbor/KotlinSerializationCborDecoder.java

@@ -16,8 +16,11 @@
 
 package org.springframework.http.codec.cbor;
 
+import java.util.function.Predicate;
+
 import kotlinx.serialization.cbor.Cbor;
 
+import org.springframework.core.ResolvableType;
 import org.springframework.http.MediaType;
 import org.springframework.http.codec.KotlinSerializationBinaryDecoder;
 
@@ -26,24 +29,62 @@
  * <a href="https://github.com/Kotlin/kotlinx.serialization">kotlinx.serialization</a>.
  * It supports {@code application/cbor}.
  *
- * <p>As of Spring Framework 7.0,
- * <a href="https://github.com/Kotlin/kotlinx.serialization/blob/master/docs/polymorphism.md#open-polymorphism">open polymorphism</a>
- * is supported.
+ * <p>As of Spring Framework 7.0, by default it only decodes types annotated with
+ * {@link kotlinx.serialization.Serializable @Serializable} at type or generics
+ * level since it allows combined usage with other general purpose CBOR decoders
+ * like {@link JacksonCborDecoder} without conflicts.
+ *
+ * <p>Alternative constructors with a {@code Predicate<ResolvableType>}
+ * parameter can be used to customize this behavior. For example,
+ * {@code new KotlinSerializationCborDecoder(type -> true)} will decode all types
+ * supported by Kotlin Serialization, including unannotated Kotlin enumerations,
+ * numbers, characters, booleans and strings.
  *
  * <p>Decoding streams is not supported yet, see
  * <a href="https://github.com/Kotlin/kotlinx.serialization/issues/1073">kotlinx.serialization/issues/1073</a>
  * related issue.
  *
  * @author Iain Henderson
+ * @author Sebastien Deleuze
  * @since 6.0
+ * @see KotlinSerializationCborEncoder
  */
 public class KotlinSerializationCborDecoder extends KotlinSerializationBinaryDecoder<Cbor> {
 
+	/**
+	 * Construct a new decoder using {@link Cbor.Default} instance which
+	 * only decodes types annotated with {@link kotlinx.serialization.Serializable @Serializable}
+	 * at type or generics level.
+	 */
 	public KotlinSerializationCborDecoder() {
 		this(Cbor.Default);
 	}
 
+	/**
+	 * Construct a new decoder using {@link Cbor.Default} instance which
+	 * only decodes types for which the specified predicate returns {@code true}.
+	 * @since 7.0
+	 */
+	public KotlinSerializationCborDecoder(Predicate<ResolvableType> typePredicate) {
+		this(Cbor.Default, typePredicate);
+	}
+
+	/**
+	 * Construct a new decoder using the provided {@link Cbor} instance which
+	 * only decodes types annotated with {@link kotlinx.serialization.Serializable @Serializable}
+	 * at type or generics level.
+	 */
 	public KotlinSerializationCborDecoder(Cbor cbor) {
 		super(cbor, MediaType.APPLICATION_CBOR);
 	}
+
+	/**
+	 * Construct a new decoder using the provided {@link Cbor} instance which
+	 * only decodes types for which the specified predicate returns {@code true}.
+	 * @since 7.0
+	 */
+	public KotlinSerializationCborDecoder(Cbor cbor, Predicate<ResolvableType> typePredicate) {
+		super(cbor, typePredicate, MediaType.APPLICATION_CBOR);
+	}
+
 }