SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 70

changes.mady.by.user Yitzhak Mandelbaum

Saved on

compared with

New Version 71

changes.mady.by.user Yitzhak Mandelbaum

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

This noncompliant code example uses a custom-defined readObject() method but fails to perform input validation after deserialization. The design of the system requires the maximum ticket number of any lottery ticket to be 20,000, and the ninimum minimum ticket number be greater than 0. However, an attacker can manipulate the serialized array to generate a different number on deserialization. Such a number could be greater than 20,000, or could be 0 or negative.

...

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="890fd989b4cbbb40-49786bda-4b5a4197-9ec3b7d2-ec0cded638d3f270d0a26d60"><ac:plain-text-body><![CDATA[

[[API 2006

AA. References#API 06]]

Class Object, Class Hashtable

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="13128a371c3f02d9-8966a9f5-42514bee-8a27af25-74491f36e63cf975fcdc903d"><ac:plain-text-body><![CDATA[

[[Bloch 2008

AA. References#Bloch 08]]

Item 75, Consider using a custom serialized form

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="6b261865488bec93-a9e4dfa3-4f8d4fe9-8203a155-21e88ceabe4b55b1d7c1706e"><ac:plain-text-body><![CDATA[

[[Greanier 2000

AA. References#Greanier 00]]

 

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="8377a50fc623ef15-db90cadb-4ad14ef1-80a6ab06-3cf03428df5318114c2e37e9"><ac:plain-text-body><![CDATA[

[[Harold 1999

AA. References#Harold 99]]

Chapter 11, Object Serialization, Validation

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="d9b1443741771ae1-5b7764ed-4cfd45e5-86089a1c-086f6a77851179c75e21d213"><ac:plain-text-body><![CDATA[

[[Hawtin 2008

AA. References#Hawtin 08]]

Antipattern 8. Believing deserialisation is unrelated to construction

]]></ac:plain-text-body></ac:structured-macro>

...