Comment: Migrated to Confluence 4.0

...

Noncompliant Code Example (Singleton)

In this noncompliant code example [[Bloch 2005|AA. References#Bloch 05]], a class with singleton semantics uses the default serialized form, which fails to enforce any implementation-defined invariants. Consequently, malicious code can obtain a second instance simply by serializing the singleton and deserializing the resulting bytes, even though the class should have only a single instance. For purposes of this example, we assume that the class contains only nonsensitive data.

Code Block

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;

// Number implements Serializable, so NumberData is serializable by inheritance
// and gets the default serialized form; no readResolve() is defined.
public class NumberData extends Number {
  // ...implement abstract Number methods, like Number.doubleValue()...
  public int intValue() { return printData(); }
  public long longValue() { return printData(); }
  public float floatValue() { return printData(); }
  public double doubleValue() { return printData(); }

  private static final NumberData INSTANCE = new NumberData();
  public static NumberData getInstance() {
    return INSTANCE;
  }

  private NumberData() {
    // Perform security checks and parameter validation
  }

  protected int printData() {
    int data = 1000;
    // print data
    return data;
  }
}

class Malicious {
  public static void main(String[] args) {
    // Deserialization bypasses the private constructor and yields a new object
    NumberData sc = (NumberData) deepCopy(NumberData.getInstance());
    // Prints false; indicates new instance
    System.out.println(sc == NumberData.getInstance());
    System.out.println("Balance = " + sc.printData());
  }

  // This method should not be used in production code
  public static Object deepCopy(Object obj) {
    try {
      ByteArrayOutputStream bos = new ByteArrayOutputStream();
      new ObjectOutputStream(bos).writeObject(obj);
      ByteArrayInputStream bin =
          new ByteArrayInputStream(bos.toByteArray());
      return new ObjectInputStream(bin).readObject();
    } catch (Exception e) {
      throw new IllegalArgumentException(e);
    }
  }
}
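The following is an added example, not code from the original page or the CERT standard's own compliant solution, showing the defensive counterpart of the class above: a serializable singleton that survives the same serialize-then-deserialize round trip because it defines readResolve() and keeps its state transient. The class name HardenedNumberData and the helper roundTrip() are assumptions introduced here; printData() and the 1000 balance mirror the example above.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamException;

// Added example (hypothetical class, not from the page): a singleton whose
// deserialized duplicates are replaced by the canonical instance.
public final class HardenedNumberData extends Number {
  private static final long serialVersionUID = 1L;

  private static final HardenedNumberData INSTANCE = new HardenedNumberData();

  // transient: the stream carries no field payload, so a deserializer cannot
  // supply its own value; the real value lives only in INSTANCE.
  private transient int data = 1000;

  private HardenedNumberData() {
    // Perform security checks and parameter validation
  }

  public static HardenedNumberData getInstance() {
    return INSTANCE;
  }

  // Invoked by ObjectInputStream after it has built the new object; returning
  // INSTANCE discards the freshly deserialized duplicate before any caller sees it.
  private Object readResolve() throws ObjectStreamException {
    return INSTANCE;
  }

  protected int printData() {
    return data;
  }

  // Number's abstract methods, all reporting the single data value.
  @Override public int intValue() { return data; }
  @Override public long longValue() { return data; }
  @Override public float floatValue() { return data; }
  @Override public double doubleValue() { return data; }

  // The same serialize/deserialize round trip that the Malicious class performs.
  static Object roundTrip(Object obj) throws IOException, ClassNotFoundException {
    ByteArrayOutputStream bos = new ByteArrayOutputStream();
    new ObjectOutputStream(bos).writeObject(obj);
    ByteArrayInputStream bin = new ByteArrayInputStream(bos.toByteArray());
    return new ObjectInputStream(bin).readObject();
  }

  public static void main(String[] args) throws Exception {
    HardenedNumberData copy = (HardenedNumberData) roundTrip(getInstance());
    // Prints true: readResolve() substituted the canonical instance
    System.out.println(copy == getInstance());
    // Prints "Balance = 1000", read from INSTANCE rather than from the stream
    System.out.println("Balance = " + copy.printData());
  }
}
```

Two design points matter here. readResolve() must be reachable by ObjectInputStream, which accepts any access level, so keeping it private avoids exposing it as API. Making every instance field transient is what makes readResolve() sufficient: with non-transient reference fields, a crafted stream could retain a handle to the duplicate object before readResolve() runs. Where the class has no other reason to be a Number, a single-element enum gives the same guarantee with no serialization code at all.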

...

MITRE CWE

CWE-502, "Deserialization of Untrusted Data"

Secure Coding Guidelines for the Java Programming Language, Version 3.0

Guideline 5-3. View deserialization the same as object construction

Bibliography

...

[[API 2006|AA. References#API 06]]

Class Object, Class Hashtable

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="3a924585-fb8c-4ec1-93f5-c82005bca5bf"><ac:plain-text-body><![CDATA[

[[Bloch 2008|AA. References#Bloch 08]]

Item 75, Consider using a custom serialized form

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="4738f024-b4ca-4f0d-8352-c175bedb7623"><ac:plain-text-body><![CDATA[ [[Greanier 2000|AA. References#Greanier 00]]

 

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="e17d555e-d8fc-4b40-959d-0f85a8789d14"><ac:plain-text-body><![CDATA[ [[Harold 1999|AA. References#Harold 99]]

Chapter 11, Object Serialization, Validation

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="f9fb099b-0a70-44ab-9b72-d12d2d22d3a8"><ac:plain-text-body><![CDATA[

[[Hawtin 2008|AA. References#Hawtin 08]]

Antipattern 8. Believing deserialisation is unrelated to construction ]]></ac:plain-text-body></ac:structured-macro>

...
