Versions Compared

Comment: still need to check details of private-ness

The serialization and deserialization mechanism must respect the accessibility of the implementing class. Untrusted code must be prevented both from writing to the stream using the writeObject() method and from creating an instance of the object by calling the readObject() method. For classes that have constructors, the accessibility of the readObject() and writeObject() methods must match the accessibility of the class constructor; these methods must be declared private in all other cases.

Serialization may fail to work as expected even when hostile code lacks access to the serializable class's members. The ObjectInputStream.readObject() and ObjectOutputStream.writeObject() methods are declared final and cannot be overridden. The custom form of serialization relies on a mechanism that allows the JVM to detect and use private implementations of the two methods in the serializable class. The JVM uses default serialization for all non-private ???. This can be insecure from many standpoints; for instance, input validation checks installed in the custom serialized form may be bypassed.

...

This noncompliant code example shows a class Ser with a private constructor, indicating that code external to the class should be unable to create instances of it. The class implements java.io.Serializable and defines the public readObject() and writeObject() methods. Consequently, untrusted code can obtain reconstituted objects by using readObject(), and can write to the stream by using writeObject().

import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class Ser implements Serializable {
  // serialVersionUID must be static (and is conventionally a long literal)
  private static final long serialVersionUID = 123456789L;

  // Private constructor: external code is not meant to instantiate Ser
  private Ser() {
    // initialize
  }

  // Noncompliant: public and static, so any caller can write to the stream,
  // and the JVM does not recognize this as the custom serialization hook
  public static void writeObject(final ObjectOutputStream stream) throws IOException {
    stream.defaultWriteObject();
  }

  // Noncompliant: public and static, so any caller can reconstitute objects,
  // bypassing the private constructor
  public static void readObject(final ObjectInputStream stream) throws
      IOException, ClassNotFoundException {
    stream.defaultReadObject();
  }
}

Similarly, omitting the static keyword alone is insufficient to make this example secure: as long as the methods remain public, the JVM will fail to detect them, so the custom serialized form is not used.
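The following is an added example (not code from the original page or from the CERT guideline) showing the form of Ser that the text calls for: the serialization hooks are declared private and non-static, so the JVM's serialization mechanism finds and invokes them, and readObject() can validate the incoming state before the object becomes usable. The quantity field, the of() factory and the SerDemo driver class are assumptions introduced for the demonstration; the invalid object is built directly inside the enclosing class to stand in for a stream whose contents were not produced by a legitimate writer.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidObjectException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Added example, not part of the original page.
public final class SerDemo {

  static final class Ser implements Serializable {
    private static final long serialVersionUID = 123456789L;

    // Hypothetical field, present only to give readObject() something to validate
    private final int quantity;

    // Private constructor, as in the page's Ser class
    private Ser(int quantity) {
      this.quantity = quantity;
    }

    // Hypothetical factory: the only sanctioned way to obtain a Ser instance
    static Ser of(int quantity) {
      if (quantity < 0) {
        throw new IllegalArgumentException("negative quantity: " + quantity);
      }
      return new Ser(quantity);
    }

    int quantity() {
      return quantity;
    }

    // Private and non-static: this is the signature the JVM looks for, and
    // untrusted code cannot call it to write to a stream
    private void writeObject(final ObjectOutputStream stream) throws IOException {
      stream.defaultWriteObject();
    }

    // Private and non-static: invoked by the JVM during deserialization.
    // Default serialization would skip the validation below entirely.
    private void readObject(final ObjectInputStream stream)
        throws IOException, ClassNotFoundException {
      stream.defaultReadObject();
      if (quantity < 0) {
        throw new InvalidObjectException("negative quantity in stream: " + quantity);
      }
    }
  }

  static byte[] serialize(Ser s) throws IOException {
    ByteArrayOutputStream bytes = new ByteArrayOutputStream();
    try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
      out.writeObject(s);
    }
    return bytes.toByteArray();
  }

  static Ser deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
    try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
      return (Ser) in.readObject();
    }
  }

  public static void main(String[] args) throws Exception {
    // Legitimate round trip: the private hooks run and the state is accepted
    Ser copy = deserialize(serialize(Ser.of(42)));
    System.out.println("round-trip quantity = " + copy.quantity());

    // Invalid state constructed directly (possible here only because SerDemo
    // encloses Ser); it stands in for a stream that bypassed Ser.of()
    byte[] tampered = serialize(new Ser(-1));
    try {
      deserialize(tampered);
      System.out.println("validation did not run");
    } catch (InvalidObjectException e) {
      System.out.println("rejected by readObject(): " + e.getMessage());
    }
  }
}
```

Compile and run with `javac SerDemo.java && java SerDemo`; the first line reports the accepted round trip and the second shows the private readObject() rejecting the invalid state. If the two hooks were made public or static, as in the noncompliant example, the JVM would fall back to default serialization and the negative quantity would be accepted silently.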

...

Guideline   Severity   Likelihood   Remediation Cost   Priority   Level
SER01-J     high       likely       low                P27        L1

Automated Detection

...

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this guideline on the CERT website.

...