Implement BanSerializableRead in Android Lint.

PiperOrigin-RevId: 450680744

Author: chaoren

core/src/main/java/com/google/errorprone/bugpatterns/BanSerializableRead.java

@@ -16,6 +16,7 @@
 
 package com.google.errorprone.bugpatterns;
 
+import static com.google.errorprone.bugpatterns.SerializableReads.BANNED_OBJECT_INPUT_STREAM_METHODS;
 import static com.google.errorprone.matchers.Matchers.allOf;
 import static com.google.errorprone.matchers.Matchers.anyOf;
 import static com.google.errorprone.matchers.Matchers.enclosingClass;
@@ -25,7 +26,6 @@
 import static com.google.errorprone.matchers.Matchers.methodIsNamed;
 import static com.google.errorprone.matchers.Matchers.not;
 
-import com.google.common.collect.ImmutableSet;
 import com.google.errorprone.BugPattern;
 import com.google.errorprone.BugPattern.SeverityLevel;
 import com.google.errorprone.VisitorState;
@@ -41,28 +41,6 @@
     severity = SeverityLevel.ERROR)
 public final class BanSerializableRead extends BugChecker implements MethodInvocationTreeMatcher {
 
-  private static final ImmutableSet<String> BANNED_OBJECT_INPUT_STREAM_METHODS =
-      ImmutableSet.of(
-          // Prevent reading objects unsafely into memory
-          "readObject",
-
-          // This is the same, the default value
-          "defaultReadObject",
-
-          // This is for trusted subclasses
-          "readObjectOverride",
-
-          // Ultimately, a lot of the safety worries come
-          // from being able to construct arbitrary classes via
-          // reading in class descriptors. I don't think anyone
-          // will bother calling this directly, but I don't see
-          // any reason not to block it.
-          "readClassDescriptor",
-
-          // These are basically the same as above
-          "resolveClass",
-          "resolveObject");
-
   private static final Matcher<ExpressionTree> EXEMPT =
       anyOf(
           //  This is called through ObjectInputStream; a call further up the callstack will have

core/src/main/java/com/google/errorprone/bugpatterns/SerializableReads.java

@@ -0,0 +1,44 @@
+/*
+ * Copyright 2022 The Error Prone Authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.google.errorprone.bugpatterns;
+
+import com.google.common.collect.ImmutableSet;
+
+/** List of banned methods for {@link BanSerializableRead}. */
+public final class SerializableReads {
+  private SerializableReads() {}
+
+  public static final ImmutableSet<String> BANNED_OBJECT_INPUT_STREAM_METHODS =
+      ImmutableSet.of(
+          // Prevent reading objects unsafely into memory.
+          "readObject",
+
+          // This is the same, the default value.
+          "defaultReadObject",
+
+          // This is for trusted subclasses.
+          "readObjectOverride",
+
+          // Ultimately, a lot of the safety worries come from being able to construct arbitrary
+          // classes via reading in class descriptors. I don't think anyone will bother calling this
+          // directly, but I don't see  any reason not to block it.
+          "readClassDescriptor",
+
+          // These are basically the same as above.
+          "resolveClass",
+          "resolveObject");
+}