...
This compliant solution adds a custom readResolve() method that replaces the deserialized instance with a reference to the appropriate singleton from the current execution. More complicated cases may also require custom writeObject() or readObject() methods in addition to (or instead of) the custom readResolve() method. Note that readResolve() (and writeReplace(), if present) must be declared final, or be private in a final class, to prevent a malicious subclass from overriding it and substituting an instance of its own choosing; writeObject() and readObject() are required by the serialization specification to be private and so cannot be overridden. Note also that readResolve() alone does not protect a singleton that has a non-transient object reference field: a crafted stream can use such a field to retain a reference to the deserialized instance before readResolve() discards it, so the instance fields of a readResolve()-protected singleton should be declared transient [Bloch 2008].
More information on correctly handling singleton classes is available in the rule MSC11-J. Address the shortcomings of the Singleton design pattern.
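The following is an added example of a serializable singleton protected by readResolve(); it is not the compliant solution from this rule, and the class name ConfigRegistry and its settings map are illustrative. The instance state is transient for the reason given above, the class is final, and readResolve() is private so that no subclass can substitute its own. The main() method round-trips the singleton through an ObjectOutputStream/ObjectInputStream pair and checks identity, not equality.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamException;
import java.io.Serializable;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added example (not this rule's compliant solution): a serializable singleton
// that yields the existing instance when deserialized.
public final class ConfigRegistry implements Serializable {
    private static final long serialVersionUID = 1L;

    private static final ConfigRegistry INSTANCE = new ConfigRegistry();

    // Transient: no copy of the per-process state travels in the stream, and a
    // non-transient reference field would give a crafted stream a handle on
    // the discarded deserialized object (Bloch 2008, Item 77).
    private final transient Map<String, String> settings = new ConcurrentHashMap<>();

    private ConfigRegistry() {
        // Guards against a second instance created reflectively.
        if (INSTANCE != null) {
            throw new IllegalStateException("ConfigRegistry already instantiated");
        }
    }

    public static ConfigRegistry getInstance() {
        return INSTANCE;
    }

    public void put(String key, String value) {
        settings.put(key, value);
    }

    public String get(String key) {
        return settings.get(key);
    }

    // The serialization runtime invokes this on the freshly deserialized object
    // and hands the caller the returned value instead. Private in a final class,
    // so no subclass can override it.
    private Object readResolve() throws ObjectStreamException {
        return INSTANCE;
    }

    // Demonstration: serialize the singleton, read it back, compare identity.
    public static void main(String[] args) throws IOException, ClassNotFoundException {
        ConfigRegistry original = ConfigRegistry.getInstance();
        original.put("mode", "strict");

        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(original);
        }

        ConfigRegistry restored;
        try (ObjectInputStream ois =
                 new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
            restored = (ConfigRegistry) ois.readObject();
        }

        // Identity, not equals(): exactly one instance exists in this process,
        // and the state set before serialization is still visible through it.
        System.out.println("same instance: " + (restored == original));
        System.out.println("mode = " + restored.get("mode"));
    }
}
```

Because readResolve() returns INSTANCE, the transient settings field of the short-lived deserialized object is never read; the restored reference sees the live map of the current execution.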
...
Any input validation performed in the constructors must also be implemented at every point at which an object can be deserialized. This compliant solution performs field-by-field validation: its readObject() method calls ObjectInputStream.readFields(), which returns an ObjectInputStream.GetField view of the serialized values without assigning any of them to the object, and then retrieves each value by name with the get() methods of GetField. The value for each field must be fully validated before it is assigned to the object under construction. For more complicated invariants, this may require reading several field values into local variables so that checks that depend on combinations of field values can be performed before any of them is stored.
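The following is an added example of this approach and is not the compliant solution from the rule; the class BoundedRange, its invariant 0 <= start <= end <= capacity, and the tampering in main() are all constructed for illustration. The constructor and readObject() share one validate() method, readObject() reads every field into a local through readFields() and checks them together before assigning anything, and main() shows an intact stream being accepted and a byte-patched one being rejected with InvalidObjectException.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidObjectException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Added example (not this rule's compliant solution): the invariant
// 0 <= start <= end <= capacity is enforced by the constructor and, again,
// whenever an instance is rebuilt from a byte stream.
public class BoundedRange implements Serializable {
    private static final long serialVersionUID = 1L;

    // Not final: readObject() must assign them after validation.
    private int capacity;
    private int start;
    private int end;

    public BoundedRange(int capacity, int start, int end) {
        validate(capacity, start, end);
        this.capacity = capacity;
        this.start = start;
        this.end = end;
    }

    // Single source of truth for the invariant, shared by both entry points.
    private static void validate(int capacity, int start, int end) {
        if (capacity < 0) {
            throw new IllegalArgumentException("capacity must be non-negative");
        }
        if (start < 0 || start > end) {
            throw new IllegalArgumentException("start must satisfy 0 <= start <= end");
        }
        if (end > capacity) {
            throw new IllegalArgumentException("end must not exceed capacity");
        }
    }

    private void readObject(ObjectInputStream in)
            throws IOException, ClassNotFoundException {
        // readFields() returns the serialized values without touching this
        // object's fields, unlike defaultReadObject().
        ObjectInputStream.GetField f = in.readFields();
        for (String name : new String[] {"capacity", "start", "end"}) {
            if (f.defaulted(name)) {   // field absent from the stream: treat as hostile
                throw new InvalidObjectException("missing field: " + name);
            }
        }
        int cap = f.get("capacity", -1);
        int s = f.get("start", -1);
        int e = f.get("end", -1);
        try {
            validate(cap, s, e);       // combined check over all three locals
        } catch (IllegalArgumentException ex) {
            InvalidObjectException ioe =
                new InvalidObjectException("corrupt BoundedRange: " + ex.getMessage());
            ioe.initCause(ex);
            throw ioe;
        }
        // Only now is any state assigned to the object under construction.
        this.capacity = cap;
        this.start = s;
        this.end = e;
    }

    @Override
    public String toString() {
        return "[" + start + "," + end + ") of " + capacity;
    }

    private static byte[] serialize(BoundedRange r) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(r);
        }
        return bos.toByteArray();
    }

    private static BoundedRange deserialize(byte[] bytes)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return (BoundedRange) ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] good = serialize(new BoundedRange(10, 2, 5));
        System.out.println("intact stream   -> " + deserialize(good));

        // Constructed hostile input: the same stream with its last four bytes
        // overwritten. For this class (primitive fields only, no writeObject),
        // the stream ends with the field values sorted by name
        // (capacity, end, start), so the final big-endian int is 'start'.
        byte[] tampered = good.clone();
        int off = tampered.length - 4;
        tampered[off] = 0; tampered[off + 1] = 0; tampered[off + 2] = 0;
        tampered[off + 3] = 9;                       // start = 9 > end = 5
        try {
            deserialize(tampered);
            System.out.println("BUG: tampered stream accepted");
        } catch (InvalidObjectException e) {
            System.out.println("tampered stream -> rejected: " + e.getMessage());
        }
    }
}
```

Had readObject() called defaultReadObject() and validated afterwards, the object would already hold start = 9 when the check ran; with readFields() the inconsistent values never reach the object, and the caller of readObject() receives an InvalidObjectException rather than a half-built instance.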
...
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="23eb28893e132947-fdb85dd8-4185422c-9cf1b6c0-81493e9b6db0ced58bc5bbee"><ac:plain-text-body><![CDATA[ | [[MITRE 2009 | AA. Bibliography#MITRE 09]] | [CWE ID 502 | http://cwe.mitre.org/data/definitions/502.html] "Deserialization of Untrusted Data" | ]]></ac:plain-text-body></ac:structured-macro> |
...
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="2a6ca30937f91c55-8554142c-41c64a9d-9105b4df-3f8028c11c86bf67ddd468d0"><ac:plain-text-body><![CDATA[ | [[API 2006 | AA. Bibliography#API 06]] | Class | ]]></ac:plain-text-body></ac:structured-macro> |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="bafb695b858306e0-265b4f19-4da0415b-8f38a14e-b264bae3d6f18dc7d8dac795"><ac:plain-text-body><![CDATA[ | [[Bloch 2008 | AA. Bibliography#Bloch 08]] | Item 75: "Consider using a custom serialized form" | ]]></ac:plain-text-body></ac:structured-macro> |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="1bd2c3927cff3c7a-446780f7-4c6944c5-a20e809e-9dc8ac39470b001c7837275b"><ac:plain-text-body><![CDATA[ | [[Greanier 2000 | AA. Bibliography#Greanier 00]] | | ]]></ac:plain-text-body></ac:structured-macro> |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="94e93f0ac4934cb6-a20c1d8b-49cd4b23-bf5690fa-7c464c63e20f5d0c4c94b095"><ac:plain-text-body><![CDATA[ | [[Harold 1999 | AA. Bibliography#Harold 99]] | Chapter 11: Object Serialization, Validation | ]]></ac:plain-text-body></ac:structured-macro> |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="c25b0414ac9ae47b-6d1fe945-451547e2-83c68446-7c9d4b196a068a35accef56f"><ac:plain-text-body><![CDATA[ | [[Hawtin 2008 | AA. Bibliography#Hawtin 08]] | Antipattern 8: Believing deserialisation is unrelated to construction | ]]></ac:plain-text-body></ac:structured-macro> |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="3b7f7899059ca912-30ac03ea-445b41cc-9319ab62-18ee9a6d60c7b96c240fa79d"><ac:plain-text-body><![CDATA[ | [[SCG 2007 | AA. Bibliography#SCG 07]] | Guideline 5-2 View deserialization the same as object construction | ]]></ac:plain-text-body></ac:structured-macro> |
...