Object serialization is the process of saving an object's state as a sequence of bytes so that it can be reconstituted at a later time; deserialization is the process of rebuilding the object from those bytes. The primary application of serialization is in Java Remote Method Invocation (RMI), wherein objects are packed (marshalled), exchanged between distributed virtual machines, and unpacked (unmarshalled). It also finds extensive use in Java Beans.
Once a serializable class has been exported, future refactoring of its code often becomes problematic. Specifically, the existing serialized forms (encoded representations) become part of the object's published API and must be supported for an indefinite period. This can be troublesome from a security perspective: not only does it promote dead code, it also commits the provider to potentially eternal maintenance of a compatible codebase.
Classes that implement Serializable and do not override its functionality are said to be using the default serialized form. In the event of future changes to the class, byte streams produced by users of old versions of the class become incompatible with the new implementation. Programs must maintain serialization compatibility during class evolution. An acceptable approach is the use of a custom serialized form, which relieves the implementer of the necessity to maintain the original serialized form and the corresponding version of the class in addition to the newly evolved version.
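The following Java class is an added example, not code from this guideline, showing one way to keep a class's serialized form stable while its internal representation evolves. The `Person` class, its fields, the stream-format tag, and the `emulatedWriterVersion` hook are all constructed for this illustration; the hook exists only so that a single file can produce a stream in the older format. Version 1 of the class stored one `fullName` string; version 2 stores `first` and `last`. Because the stream carries an explicit format version and a logical representation rather than the raw fields, and because `serialVersionUID` is fixed, version-2 code still reads version-1 streams.

```java
import java.io.*;

/**
 * Added example: a class with a custom serialized form that survives a change
 * in its internal representation (not the guideline's own code).
 */
public final class Person implements Serializable {
    // Fixed explicitly so that evolving the fields does not change the UID.
    private static final long serialVersionUID = 1L;

    // Version of the custom stream format (not of the class itself).
    private static final int STREAM_VERSION = 2;

    // Demo-only hook (constructed): lets this one file emulate a version-1 writer.
    static int emulatedWriterVersion = STREAM_VERSION;

    // Evolved internal representation; version 1 kept a single fullName.
    // Both are transient so the default form contributes nothing to the stream.
    private transient String first;
    private transient String last;

    public Person(String first, String last) {
        this.first = first;
        this.last = last;
    }

    public String first() { return first; }
    public String last()  { return last; }

    // Custom serialized form: a format tag followed by the logical contents.
    private void writeObject(ObjectOutputStream out) throws IOException {
        out.defaultWriteObject();            // no non-transient fields: writes nothing
        out.writeInt(emulatedWriterVersion);
        if (emulatedWriterVersion == 1) {
            out.writeUTF(first + " " + last); // what version-1 code wrote
        } else {
            out.writeUTF(first);
            out.writeUTF(last);
        }
    }

    // Reads every stream format this class has ever written, and validates the
    // result before the object becomes visible to the caller.
    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        int version = in.readInt();
        switch (version) {
            case 1: {
                String full = in.readUTF();
                int space = full.lastIndexOf(' ');
                first = space < 0 ? full : full.substring(0, space);
                last  = space < 0 ? ""   : full.substring(space + 1);
                break;
            }
            case 2:
                first = in.readUTF();
                last  = in.readUTF();
                break;
            default:
                throw new InvalidObjectException("unsupported stream version " + version);
        }
        if (first.isEmpty()) {
            throw new InvalidObjectException("first name must not be empty");
        }
    }

    private static byte[] serialize(Person p) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(p);
        }
        return bos.toByteArray();
    }

    private static Person deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return (Person) ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Person p = new Person("Ada", "Lovelace");

        // Produce a stream as an old release would have written it.
        emulatedWriterVersion = 1;
        byte[] legacyStream = serialize(p);
        emulatedWriterVersion = STREAM_VERSION;

        Person fromLegacy  = deserialize(legacyStream);
        Person fromCurrent = deserialize(serialize(p));
        System.out.println("legacy stream  -> " + fromLegacy.first() + " / " + fromLegacy.last());
        System.out.println("current stream -> " + fromCurrent.first() + " / " + fromCurrent.last());
    }
}
```

Save the file as `Person.java`, then compile and run it with `javac Person.java && java Person`. The design point is that the stream format is decoupled from the field layout: adding, renaming or splitting fields in a later release only requires a new `case` in `readObject`, while the explicit `serialVersionUID` keeps the class descriptor compatible. The validation at the end of `readObject` is what prevents a malformed stream from yielding a half-initialized object.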
Noncompliant Code Example
...
Guideline | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
SER00-J | low | probable | high | P2 | L3 |
Automated Detection
Automated detection of classes that use the default serialized form is straightforward.
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this guideline on the CERT website.
...