...

This rule is an instance of OBJ06-J, Defensively copy mutable inputs and mutable internal components. Whereas that rule applies to constructors and to other methods that accept untrusted mutable arguments, this rule applies the same principle to mutable fields that are populated by deserialization, a path that bypasses the constructor entirely.

...

This noncompliant code example fails to defensively copy the mutable Date object date in readObject(). The constructor does copy its argument, but deserialization never calls the constructor, so that copy offers no protection. An attacker who controls the serialized stream can supply a MutableSer whose date field holds an instance of a nefarious subclass of Date, whose overridden methods perform actions chosen by the attacker. Any code that depends on the immutability of the subobject is vulnerable.

Code Block
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.Serializable;
import java.util.Date;

class MutableSer implements Serializable {
  private static final Date epoch = new Date(0);
  private Date date = null; // Mutable component

  public MutableSer(Date d) {
    date = new Date(d.getTime()); // Constructor performs defensive copying
  }

  // Deserialization bypasses the constructor, so the copy above never runs here
  private void readObject(ObjectInputStream ois) throws IOException, ClassNotFoundException {
    ois.defaultReadObject(); // date is whatever object the stream supplied
    // Perform validation if necessary
  }
}
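As an added example (not code from the CERT page), the following Java program places the noncompliant class beside a compliant version whose readObject() replaces the deserialized Date with a fresh java.util.Date through the Date(long) constructor before validating or using it. It simulates an attacker who controls the byte stream by substituting a Date subclass for every Date that is written out, which is exactly what a hand-crafted stream could carry. The class names DefensiveSer, EvilDate and TamperingOutputStream, the dateClass() accessor and the sample timestamp are assumptions made for this demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidObjectException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.OutputStream;
import java.io.Serializable;
import java.util.Date;

public class DefensiveCopyDemo {

  // Noncompliant: readObject keeps whatever Date object the stream supplied.
  static class MutableSer implements Serializable {
    private static final long serialVersionUID = 1L;
    private Date date;

    MutableSer(Date d) { date = new Date(d.getTime()); } // constructor copies, readObject does not

    Class<?> dateClass() { return date.getClass(); }

    private void readObject(ObjectInputStream ois) throws IOException, ClassNotFoundException {
      ois.defaultReadObject();
    }
  }

  // Compliant (assumed name): readObject replaces the deserialized Date with a fresh
  // java.util.Date before validating or using it, so an attacker-supplied subclass is dropped.
  static class DefensiveSer implements Serializable {
    private static final long serialVersionUID = 1L;
    private Date date; // non-final so that readObject can reassign it

    DefensiveSer(Date d) { date = new Date(d.getTime()); }

    Class<?> dateClass() { return date.getClass(); }

    private void readObject(ObjectInputStream ois) throws IOException, ClassNotFoundException {
      ois.defaultReadObject();
      if (date == null) {
        throw new InvalidObjectException("date is required");
      }
      // Copy through the Date(long) constructor, not clone(): a subclass can override clone().
      date = new Date(date.getTime());
      // Validate the copy, never the original, so a subclass cannot pass a check and then change.
      if (date.getTime() < 0) {
        throw new InvalidObjectException("date precedes the epoch");
      }
    }
  }

  // Hypothetical attacker subclass: a Date whose behaviour the attacker chose.
  static class EvilDate extends Date {
    private static final long serialVersionUID = 1L;
    private transient int calls;

    EvilDate(long time) { super(time); }

    @Override
    public long getTime() { return super.getTime() + 60_000L * (++calls); } // drifts on every call
  }

  // Simulates an attacker who controls the byte stream: each Date written out is swapped
  // for an EvilDate. The receiver sees the same bytes a crafted stream would carry.
  static class TamperingOutputStream extends ObjectOutputStream {
    TamperingOutputStream(OutputStream out) throws IOException {
      super(out);
      enableReplaceObject(true);
    }

    @Override
    protected Object replaceObject(Object obj) {
      if (obj instanceof Date && !(obj instanceof EvilDate)) {
        return new EvilDate(((Date) obj).getTime());
      }
      return obj;
    }
  }

  static Object tamperedRoundTrip(Serializable obj) throws IOException, ClassNotFoundException {
    ByteArrayOutputStream bytes = new ByteArrayOutputStream();
    try (ObjectOutputStream oos = new TamperingOutputStream(bytes)) {
      oos.writeObject(obj);
    }
    try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes.toByteArray()))) {
      return ois.readObject();
    }
  }

  public static void main(String[] args) throws Exception {
    Date sample = new Date(1_000_000_000L); // constructed sample input

    MutableSer weak = (MutableSer) tamperedRoundTrip(new MutableSer(sample));
    DefensiveSer strong = (DefensiveSer) tamperedRoundTrip(new DefensiveSer(sample));

    System.out.println("noncompliant keeps: " + weak.dateClass().getName());
    System.out.println("compliant keeps:    " + strong.dateClass().getName());
  }
}
```

Run it with `java DefensiveCopyDemo.java` (Java 11 or later). The noncompliant instance reports its date field as the attacker's EvilDate, so every later call on it runs attacker-chosen code; the compliant instance reports java.util.Date, because the only object it retains is the one its own readObject() constructed. Note that the attacker's getTime() does execute once, during the copy; what the copy buys is that nothing attacker-controlled survives past readObject(). The page advises against readUnshared() as an alternative, so the example relies on the copy alone.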

...

There is no need to copy immutable subobjects. Also, avoid using the subobject's clone() method to make the copy: when the subobject's class is non-final, clone() can be overridden by an attacker-supplied subclass, and even a legitimate clone() produces only a shallow copy. The fields that hold the subobjects (date) must be non-final so that readObject() can reassign them to the copies. It is also inadvisable to use the writeUnshared() and readUnshared() methods as an alternative [Bloch 2008].

...

Related Guidelines

MITRE CWE: CWE-502, "Deserialization of Untrusted Data"

...

Bibliography

[API 2006]
[Bloch 2008]  Item 76, "Write readObject methods defensively"
[Sun 2006]  "Serialization specification: A.6 Guarding Unshared Deserialized Objects"

...