Comment: Edited by sciSpider Java v3.0

...

Code Block
import java.io.File;
import java.io.FileNotFoundException;
import java.io.Serializable;

// Noncompliant: the File handle is a non-transient field of a Serializable
// class, so the file system path is written into every serialized stream.
final class BadSer implements Serializable {
  File f;
  public BadSer() throws FileNotFoundException {
    f = new File("c:\\filepath\\filename");
  }
}

Compliant Solution

This compliant solution shows a final class Ser that does not implement java.io.Serializable. Consequently, the File object cannot be serialized.

Code Block
import java.io.File;
import java.io.FileNotFoundException;

// Compliant: Ser is not Serializable, so neither the class nor its File
// handle can be written to a stream.
final class Ser {
  File f;
  public Ser() throws FileNotFoundException {
    f = new File("c:\\filepath\\filename");
  }
}

Compliant Solution

This compliant solution declares the File object transient, so default serialization skips the field and the file path is never written to the stream. Note that a transient field is null after deserialization; if the handle is still needed, re-establish it (for example, in a readObject() method) from trusted configuration rather than from data carried in the stream.

Code Block
import java.io.File;
import java.io.FileNotFoundException;
import java.io.Serializable;

// Compliant: the File handle is transient, so it is excluded from the
// serialized form (and is null after deserialization until re-initialized).
final class Ser implements Serializable {
  transient File f;
  public Ser() throws FileNotFoundException {
    f = new File("c:\\filepath\\filename");
  }
}
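The round trip below is an added example, not code from the CERT page: it serializes a class holding a File handle and a class holding a transient File handle, checks whether the path appears in the resulting byte stream, and shows the transient handle being rebuilt in readObject() after deserialization. The class names LeakySer and SafeSer and the path c:\filepath\filename are hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;

public class SerHandleDemo {

  // Noncompliant shape (hypothetical class): the File handle is part of
  // the serialized state, so its path ends up in the stream.
  static final class LeakySer implements Serializable {
    private static final long serialVersionUID = 1L;
    File f = new File("c:\\filepath\\filename"); // hypothetical path
  }

  // Compliant shape (hypothetical class): the handle is transient and is
  // rebuilt from trusted, fixed configuration after deserialization.
  static final class SafeSer implements Serializable {
    private static final long serialVersionUID = 1L;
    transient File f;

    SafeSer() {
      f = open();
    }

    // Default deserialization leaves transient fields null; re-create the
    // handle here rather than trusting anything read from the stream.
    private void readObject(ObjectInputStream in)
        throws IOException, ClassNotFoundException {
      in.defaultReadObject();
      f = open();
    }

    private static File open() {
      return new File("c:\\filepath\\filename"); // hypothetical path
    }
  }

  static byte[] serialize(Object o) throws IOException {
    ByteArrayOutputStream bos = new ByteArrayOutputStream();
    try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
      oos.writeObject(o);
    }
    return bos.toByteArray();
  }

  static Object deserialize(byte[] bytes)
      throws IOException, ClassNotFoundException {
    try (ObjectInputStream ois =
             new ObjectInputStream(new ByteArrayInputStream(bytes))) {
      return ois.readObject();
    }
  }

  // True if the serialized form carries the path in clear text. java.io.File
  // writes its path String via defaultWriteObject, so an ASCII path shows up
  // verbatim when the stream is decoded as ISO-8859-1.
  static boolean streamContainsPath(byte[] bytes, String path) {
    return new String(bytes, StandardCharsets.ISO_8859_1).contains(path);
  }

  public static void main(String[] args) throws Exception {
    String path = "c:\\filepath\\filename";

    byte[] leaky = serialize(new LeakySer());
    System.out.println("LeakySer stream contains path: "
        + streamContainsPath(leaky, path)); // true

    byte[] safe = serialize(new SafeSer());
    System.out.println("SafeSer stream contains path: "
        + streamContainsPath(safe, path)); // false

    SafeSer restored = (SafeSer) deserialize(safe);
    System.out.println("SafeSer handle rebuilt after deserialization: "
        + (restored.f != null)); // true
  }
}
```

Run it with `javac SerHandleDemo.java && java SerHandleDemo`. The readObject() method is the part practitioners most often omit: without it, the transient field stays null and the first use of `f` after deserialization throws a NullPointerException.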

Risk Assessment

Serializing a direct handle to a system resource exposes details of that resource, such as a file path, to anyone who can read the stream. Deserializing such a handle from untrusted data can redirect it to a different resource, allowing that resource to be read or modified.

...

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

[Sun 06] "Serialization specification"

...
