SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 7

changes.mady.by.user Ankur Goyal

Saved on

compared with

New Version 8

changes.mady.by.user Ankur Goyal

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Edited by NavBot

...

Code Block
bgColor#FFcccc
final class BadSer implements Serializable { 	
  File f;
  public BadSer() throws FileNotFoundException {
    f  = new File(""c:\\filepath\\filename"");
  }	 
}

Compliant Soluton

This compliant solution shows a final class Ser that does not implement java.io.Serializable. Consequently, the File object cannot be serialized.

Code Block
bgColor#ccccff
final class Ser { 	
  File f;
  public BadSer() throws FileNotFoundException {
    f  = new File(""c:\\filepath\\filename"");
  }	 
}

Compliant Solution

This compliant solution declares the File object transient. Consequently, the file path is not exposed.

Code Block
bgColor#ccccff
final class Ser implements Serializable { 	
  transient File f;
  public BadSer() throws FileNotFoundException {
    f  = new File(""c:\\filepath\\filename"");
  }	 
}

Risk Assessment

Deserializing direct handles to system resources can allow the modification of the resources being referred to.

...

Wiki Markup
\[[Sun 06|AA. Java References#Sun 06]\] ""Serialization specification""

...

SER37-J. Do not deserialize from a privileged context            14. Serialization (SER)      14. Serialization (SER)      SER39-J. Do not invoke overridable methods from the readObject method