SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 58

changes.mady.by.user David Svoboda

Saved on

compared with

New Version 59

changes.mady.by.user Melanie Thompson

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Other solutions include using custom implementation of writeObject(), writeReplace() and writeExternal() methods so that sensitive fields are not written to the serialized stream or alternatively, conducting proper validation checks while deserializing. Yet another remedy is to define the serialPersistentFields array field and ensure that sensitive fields are not added to the array. (See guideline SER00-J. Maintain serialization compatibility during class evolution.) . Sometimes it is necessary to prevent a serializable object (whose superclass implements Serializable) from being serialized. This is the focus of the second noncompliant code example.

...

Wiki Markup
Serialization can also be used maliciously, to return multiple instances of a singleton-like class. In this noncompliant code example, a subclass {{SensitiveClass}} inadvertently becomes serializable as it extends the {{Exception}} class that implements {{Serializable}}. (BasedThis is based on \[[Bloch 2005|AA. Bibliography#Bloch 05]\].)

Code Block
bgColor#FFcccc
public class SensitiveClass extends Exception {
  public static final SensitiveClass INSTANCE = new SensitiveClass();
  private SensitiveClass() {
    // Perform security checks and parameter validation
  }

  protected int printBalance() {
    int balance = 1000;
    return balance;
  }
}

class Malicious {
  public static void main(String[] args) {
    SensitiveClass sc = (SensitiveClass) deepCopy(SensitiveClass.INSTANCE);
    System.out.println(sc == SensitiveClass.INSTANCE);  // Prints false; indicates new instance
    System.out.println("Balance = " + sc.printBalance());
  }

  // This method should not be used in production quality code
  static public Object deepCopy(Object obj) {
    try {
      ByteArrayOutputStream bos = new ByteArrayOutputStream();
       new ObjectOutputStream(bos).writeObject(obj);
      ByteArrayInputStream bin = new ByteArrayInputStream(bos.toByteArray());
      return new ObjectInputStream(bin).readObject();
    } catch (Exception e) { 
      throw new IllegalArgumentException(e);
    }
  }
}

...

If sensitive data can be serialized, it may be transmitted over an insecure link, or stored in an insecure medium, or disclosed inappropriately.

Rule Guideline

Severity

Likelihood

Remediation Cost

Priority

Level

SER03-J

medium

likely

high

P6

L2

...