...

Serialization can also be abused to obtain multiple instances of a class that is meant to be a singleton. In this noncompliant code example, the subclass {{SensitiveClass}} inadvertently becomes serializable because it extends {{Exception}}, which implements {{Serializable}}. An attacker who can serialize {{INSTANCE}} and read it back gets a second, distinct instance whose constructor, and therefore its security checks, never ran. (Based on \[[Bloch 2005|AA. JavaBibliography#Bloch References#Bloch 05]\])

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;

// Noncompliant: Exception implements Serializable, so this "singleton"
// can be written to a stream and read back as a brand-new instance.
public class SensitiveClass extends Exception {
  public static final SensitiveClass INSTANCE = new SensitiveClass();
  private SensitiveClass() {
    // Perform security checks and parameter validation
  }

  protected int printBalance() {
    int balance = 1000;
    return balance;
  }
}

class Malicious {
  public static void main(String[] args) {
    // Round-tripping INSTANCE through serialization bypasses the private constructor
    SensitiveClass sc = (SensitiveClass) deepCopy(SensitiveClass.INSTANCE);
    System.out.println(sc == SensitiveClass.INSTANCE);  // Prints false; indicates new instance
    System.out.println("Balance = " + sc.printBalance());
  }

  // This method should not be used in production quality code
  public static Object deepCopy(Object obj) {
    try {
      ByteArrayOutputStream bos = new ByteArrayOutputStream();
      new ObjectOutputStream(bos).writeObject(obj);
      ByteArrayInputStream bin = new ByteArrayInputStream(bos.toByteArray());
      return new ObjectInputStream(bin).readObject();
    } catch (Exception e) {
      throw new IllegalArgumentException(e);
    }
  }
}
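For contrast, the following hardened version is an added example and is not part of the original page or the CERT rule's own compliant solutions; the class name {{HardenedSensitiveClass}} and the messages are assumptions. It keeps the inherited {{Serializable}} contract but blocks both directions of the round trip: {{writeObject}} and {{readObject}} throw {{NotSerializableException}} so the instance can neither be exported nor rebuilt from a crafted stream, and {{readResolve}} collapses any object that somehow got through to the canonical {{INSTANCE}}, which is the technique Bloch's Item 1 recommends when a singleton must remain serializable.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.NotSerializableException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamException;

// Added example (hypothetical class, not from the original page): a singleton
// that inherits Serializable from Exception but refuses to take part in
// serialization in either direction.
public class HardenedSensitiveClass extends Exception {
  private static final long serialVersionUID = 1L;
  public static final HardenedSensitiveClass INSTANCE = new HardenedSensitiveClass();

  private HardenedSensitiveClass() {
    // Perform security checks and parameter validation
  }

  protected int printBalance() {
    return 1000;
  }

  // Refuse to write this object to any ObjectOutputStream, so INSTANCE
  // cannot be exported and later replayed.
  private void writeObject(ObjectOutputStream out) throws IOException {
    throw new NotSerializableException("HardenedSensitiveClass must not be serialized");
  }

  // Refuse to rebuild this object from a stream, so a hand-crafted byte
  // stream cannot manufacture a second instance that skipped the constructor.
  private void readObject(ObjectInputStream in) throws IOException {
    throw new NotSerializableException("HardenedSensitiveClass must not be deserialized");
  }

  // Defense in depth: if deserialization were ever permitted, return the
  // canonical instance instead of the freshly built one (Bloch, Item 1).
  private Object readResolve() throws ObjectStreamException {
    return INSTANCE;
  }

  // Demonstrates that the deepCopy trick from the noncompliant example now fails.
  public static void main(String[] args) {
    ByteArrayOutputStream bos = new ByteArrayOutputStream();
    try {
      new ObjectOutputStream(bos).writeObject(INSTANCE);
      System.out.println("Unexpected: serialization succeeded");
    } catch (NotSerializableException e) {
      System.out.println("Serialization refused: " + e.getMessage());
    } catch (IOException e) {
      throw new IllegalStateException(e);
    }
  }
}
```

Running {{main}} prints the refusal message instead of a balance, because {{ObjectOutputStream}} invokes the private {{writeObject}} hook and propagates its exception. If the class genuinely needs to be serializable (for example, because the exception is thrown across a remote boundary), drop the two throwing hooks and keep {{readResolve}}: every deserialized copy is then replaced by {{INSTANCE}}, and the {{sc == SensitiveClass.INSTANCE}} check in the noncompliant example would print {{true}}.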

...

\[[JLS 2005|AA. JavaBibliography#JLS References#JLS 05]\] [Transient modifier|http://java.sun.com/docs/books/jls/third_edition/html/classes.html#37020]
\[[SCG 2007|AA. Java References#SCGBibliography#SCG 07]\] Guideline 5-1 Guard sensitive data during serialization
\[[Sun 2006|AA. Java References#SunBibliography#Sun 06]\] "Serialization specification: A.4  Preventing Serialization of Sensitive Data"
\[[Harold 1999|AA. Java References#HaroldBibliography#Harold 99]\]
\[[Long 2005|AA. JavaBibliography#Long References#Long 05]\] Section 2.4, Serialization
\[[Greanier 2000|AA. JavaBibliography#Greanier References#Greanier 00]\] [Discover the secrets of the Java Serialization API|http://java.sun.com/developer/technicalArticles/Programming/serialization/]
\[[Bloch 2005|AA. Java References#BlochBibliography#Bloch 05]\] Puzzle 83: Dyslexic Monotheism
\[[Bloch 2001|AA. Java References#BlochBibliography#Bloch 01]\] Item 1: Enforce the singleton property with a private constructor
\[[MITRE 2009|AA. Java References#MITREBibliography#MITRE 09]\] [CWE ID 502|http://cwe.mitre.org/data/definitions/502.html] "Deserialization of Untrusted Data", [CWE ID 499|http://cwe.mitre.org/data/definitions/499.html] "Serializable Class Containing Sensitive Data"

...