Page History

Serialization can be used maliciously. Examples include using serialization to maliciously violate the intended invariants of a class. Deserialization is equivalent to object construction; consequently, all invariants enforced during object construction must also be enforced during deserialization. The default serialized form lacks any enforcement of class invariants; consequently, programs must not use the default serialized form for any class with implementation-defined invariants.

The deserialization process creates a new instance of the class without invoking any of the class's constructors. Consequently, any input validation checks present within the constructors are bypassed. Moreover, transient and static fields may fail to reflect their true values because such fields are bypassed during the serialization procedure and consequently cannot be restored from the object stream. As a result, any class with transient fields, and any class that performs validation checks in its constructors, must also perform similar validation checks when being deserialized.

Validating deserialized objects establishes that the object state is within defined limits and ensures that all transient and static fields have their default secure values. Fields that are declared final and contain a constant value will contain the proper value after deserialization , rather than the default value. For example, the value of the field private transient final n = 42 after deserialization will be 42 , rather than 0. Deserialization produces default values for all other cases.

...

This noncompliant code example uses a custom defined readObject() method , but fails to perform input validation after deserialization. The design of the system requires the maximum value of any lottery ticket to be 20,000; however, an attacker can manipulate the serialized array to generate a different number on deserialization.

...

public class Lottery implements Serializable {	
  private transient int ticket = 1;
  private transient SecureRandom draw = new SecureRandom();

  public Lottery(int ticket) {
    this.ticket = (int) (Math.abs(ticket % 20000) + 1);
  }

  public int getTicket() {
    return this.ticket;	
  }

  public int roll() {
    this.ticket = (int) ((Math.abs(draw.nextInt()) % 20000) + 1);
    return this.ticket;
  }

  public static void main(String[] args) {
    Lottery l = new Lottery(2);
    for(int i = 0; i < 10; i++) {
      l.roll();
      System.out.println(l.getTicket());
    }
  }

  private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
    in.defaultReadObject();
    this.draw = new SecureRandom();
    roll();
  }
}

Compliant Solution (Non-

...

Serializable)

This compliant solution simply does not mark the Lottery class serializable.

...

Serializing objects with implementation-defined characteristics can corrupt the state of the object.

...

Related Guidelines

...

...