...
| Code Block | ||
|---|---|---|
| ||
public class Point {
private double x;
private double y;
public Point(double x, double y) {
this.x = x;
this.y = y;
}
public Point() {
// no-argument constructor
}
}
public class Coordinates extends Point implements Serializable {
public static void main(String[] args) {
FileOutputStream fout = null;
try {
Point p = new Point(5, 2);
FileOutputStream fout = new FileOutputStream("point.ser");
ObjectOutputStream oout = new ObjectOutputStream(fout);
oout.writeObject(p);
oout.close();
} catch (Throwable t) {
// Forward to handler
} finally {
fout.close();
}
}
}
|
Compliant Solution
In the absence of sensitive data, classes can be serialized by simply implementing the java.io.Serializable interface. By doing so, the class indicates that no security issues may result from the object's serialization. Note that any derived subclasses also inherit this interface and are consequently serializable. This simple approach is inappropriate for any class that contains sensitive data.
...
| Code Block | ||
|---|---|---|
| ||
public class SensitiveClass extends Exception {
public static final SensitiveClass INSTANCE = new SensitiveClass();
private SensitiveClass() {
// Perform security checks and parameter validation
}
protected int printBalance() {
int balance = 1000;
return balance;
}
}
class Malicious {
public static void main(String[] args) {
SensitiveClass sc = (SensitiveClass) deepCopy(SensitiveClass.INSTANCE);
System.out.println(sc == SensitiveClass.INSTANCE); // Prints false; indicates new instance
System.out.println("Balance = " + sc.printBalance());
}
// This method should not be used in production quality code
static public Object deepCopy(Object obj) {
try {
ByteArrayOutputStream bos = new ByteArrayOutputStream();
new ObjectOutputStream(bos).writeObject(obj);
ByteArrayInputStream bin = new ByteArrayInputStream(bos.toByteArray());
return new ObjectInputStream(bin).readObject();
} catch (Exception e) {
throw new IllegalArgumentException(e);
}
}
}
|
See rule MSC11-J. Address the shortcomings of the Singleton design pattern for more information on singletons.
Compliant Solution
Extending a class or interface that implements Serializable should be avoided whenever possible. When extension of such a class is necessary, undue serialization of the subclass can be prohibited by throwing a NotSerializableException from a custom writeObject() or readResolve() method, defined in the subclass SensitiveClass. Note that the custom writeObject() or readResolve() methods must be declared final to prevent a malicious subclass from overriding them.
| Code Block | ||
|---|---|---|
| ||
class SensitiveClass extends Exception {
// ...
private final Object readResolve() throws NotSerializableException {
throw new NotSerializableException();
}
}
|
...
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="2fa01fb083138b36-13bbe784-4ee04e71-8b50b05f-e00e3bc002ae7ff2a282b8c5"><ac:plain-text-body><![CDATA[ | [[MITRE 2009 | AA. Bibliography#MITRE 09]] | [CWE ID 502 | http://cwe.mitre.org/data/definitions/502.html] "Deserialization of Untrusted Data" | ]]></ac:plain-text-body></ac:structured-macro> |
| CWE ID 499 "Serializable Class Containing Sensitive Data" |
...
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="3a643581d7fd9d2f-c33e583d-44754aa7-9e7da21b-02523beb9bc1a9ff17cd7058"><ac:plain-text-body><![CDATA[ | [[Bloch 2005 | AA. Bibliography#Bloch 05]] | Puzzle 83: Dyslexic Monotheism | ]]></ac:plain-text-body></ac:structured-macro> | |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="a9d6aad401003fb1-8c85503d-43f94792-a6588d6c-4ca3e6b6b4c90378ca12c34a"><ac:plain-text-body><![CDATA[ | [[Bloch 2001 | AA. Bibliography#Bloch 01]] | Item 1: Enforce the singleton property with a private constructor | ]]></ac:plain-text-body></ac:structured-macro> | |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="a8d0ae921421dca4-31968bc1-41bf472f-95a29f2f-677790605fca8e3044db65f0"><ac:plain-text-body><![CDATA[ | [[Greanier 2000 | AA. Bibliography#Greanier 00]] | [Discover the secrets of the Java Serialization API | http://java.sun.com/developer/technicalArticles/Programming/serialization/] | ]]></ac:plain-text-body></ac:structured-macro> |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="1bf9996d22bfd2df-a4a5de43-4200443a-b8ba867b-d0bd6f8d7474771fa812b15d"><ac:plain-text-body><![CDATA[ | [[Harold 1999 | AA. Bibliography#Harold 99]] |
| ]]></ac:plain-text-body></ac:structured-macro> | |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="6375003511369baa-96d35318-451944ff-adee86c3-5d8056e6e174d5278ea8ceb9"><ac:plain-text-body><![CDATA[ | [[JLS 2005 | AA. Bibliography#JLS 05]] | [Transient modifier | http://java.sun.com/docs/books/jls/third_edition/html/classes.html#37020] | ]]></ac:plain-text-body></ac:structured-macro> |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="8b59513dd31fb5cf-be6c5528-474d4c0e-a1429a80-e740d8b33f2c746078aef566"><ac:plain-text-body><![CDATA[ | [[Long 2005 | AA. Bibliography#Long 05]] | Section 2.4, Serialization | ]]></ac:plain-text-body></ac:structured-macro> | |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="24a061468cbcc41c-ab2e7c6d-46ca421e-a5e4b690-e400c9d465766d1c356c6dd6"><ac:plain-text-body><![CDATA[ | [[SCG 2007 | AA. Bibliography#SCG 07]] | Guideline 5-1 Guard sensitive data during serialization | ]]></ac:plain-text-body></ac:structured-macro> | |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="bddb3106f4a0ea90-d62932a9-455f4ccb-aebb95dd-3a61b563a5d3f0be21acbcfb"><ac:plain-text-body><![CDATA[ | [[Sun 2006 | AA. Bibliography#Sun 06]] | "Serialization specification: A.4 Preventing Serialization of Sensitive Data" | ]]></ac:plain-text-body></ac:structured-macro> |
...