...

Noncompliant Code Example

Serialization can be used maliciously, for example, to return multiple instances of a singleton class object. In this noncompliant code example (based on [Bloch 2005]), a subclass {{SensitiveClass}} inadvertently becomes serializable because it extends the {{java.lang.Number}} class, which implements {{Serializable}}. Deserialization does not invoke the private constructor of {{SensitiveClass}}, so the security checks performed there are bypassed and a second instance of the supposed singleton is produced.

Code Block

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;

public class SensitiveClass extends Number {
  // Number's abstract methods must be implemented for the class to compile
  @Override public int intValue() { return getBalance(); }
  @Override public long longValue() { return getBalance(); }
  @Override public float floatValue() { return getBalance(); }
  @Override public double doubleValue() { return getBalance(); }

  private static final SensitiveClass INSTANCE = new SensitiveClass();
  public static SensitiveClass getInstance() {
    return INSTANCE;
  }

  private SensitiveClass() {
    // Perform security checks and parameter validation.
    // Deserialization reconstructs the object without calling this
    // constructor, so these checks are bypassed.
  }

  protected int getBalance() {
    int balance = 1000;
    return balance;
  }
}

class Malicious {
  public static void main(String[] args) {
    SensitiveClass sc =
       (SensitiveClass) deepCopy(SensitiveClass.getInstance());
    // Prints false; the deserialized object is a second instance
    System.out.println(sc == SensitiveClass.getInstance());
    // The singleton's state is reachable through the unchecked copy
    System.out.println("Balance = " + sc.getBalance());
  }

  // Round-trips an object through serialization; this method should not
  // be used in production code
  public static Object deepCopy(Object obj) {
    try {
      ByteArrayOutputStream bos = new ByteArrayOutputStream();
      new ObjectOutputStream(bos).writeObject(obj);
      ByteArrayInputStream bin =
          new ByteArrayInputStream(bos.toByteArray());
      return new ObjectInputStream(bin).readObject();
    } catch (Exception e) {
      throw new IllegalArgumentException(e);
    }
  }
}
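The following hardened variant is an added example for this page; it is not the CERT standard's own compliant solution, and the class name HardenedSensitiveClass and its demonstration main are assumptions. Because the class still inherits Serializable from java.lang.Number, it cannot simply omit the interface; instead it defines private writeObject and readObject hooks that refuse to serialize or deserialize the object, and a readResolve hook that returns the canonical instance as defense in depth. Running main shows the deep-copy trick from the noncompliant example being rejected.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.NotSerializableException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamException;

// Added example: a singleton that inherits Serializable from Number but
// explicitly defeats serialization (hypothetical class, not CERT's code).
public final class HardenedSensitiveClass extends Number {
  private static final long serialVersionUID = 1L;
  private static final HardenedSensitiveClass INSTANCE =
      new HardenedSensitiveClass();

  private HardenedSensitiveClass() {
    // Security checks and parameter validation go here. The hooks below
    // ensure a forged or replayed stream cannot bypass this constructor.
  }

  public static HardenedSensitiveClass getInstance() {
    return INSTANCE;
  }

  protected int getBalance() {
    return 1000;
  }

  // Number's abstract methods
  @Override public int intValue() { return getBalance(); }
  @Override public long longValue() { return getBalance(); }
  @Override public float floatValue() { return getBalance(); }
  @Override public double doubleValue() { return getBalance(); }

  // Refuse to write this object to any ObjectOutputStream; the sensitive
  // state never reaches the byte stream.
  private void writeObject(ObjectOutputStream out) throws IOException {
    throw new NotSerializableException("HardenedSensitiveClass");
  }

  // Refuse to reconstruct the object from a stream, including a stream
  // an attacker crafted by hand rather than obtained from writeObject.
  private void readObject(ObjectInputStream in) throws IOException {
    throw new NotSerializableException("HardenedSensitiveClass");
  }

  // Defense in depth: if deserialization ever did succeed, hand back the
  // canonical instance instead of a second one.
  private Object readResolve() throws ObjectStreamException {
    return INSTANCE;
  }

  // Demonstration: the deepCopy attack from the noncompliant example fails.
  public static void main(String[] args) {
    HardenedSensitiveClass original = HardenedSensitiveClass.getInstance();
    try {
      ByteArrayOutputStream bos = new ByteArrayOutputStream();
      new ObjectOutputStream(bos).writeObject(original);
      System.out.println("UNEXPECTED: object was serialized");
    } catch (NotSerializableException e) {
      // Expected path: serialization refused before any bytes are written
      System.out.println("Serialization refused: " + e.getMessage());
    } catch (IOException e) {
      throw new IllegalStateException(e);
    }
  }
}
```

The writeObject hook is the control that actually satisfies the rule, since it keeps the sensitive state out of the stream; readObject and readResolve protect against streams the attacker constructs without ever calling writeObject. On JDK 9 and later (and 8u121+), a deserialization filter configured through java.io.ObjectInputFilter or the jdk.serialFilter system property can additionally reject this class at the stream level, independent of the class's own hooks.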

...

Rule      Severity   Likelihood   Remediation Cost   Priority   Level
SER03-J   medium     likely       high               P6         L2

Related Guidelines

MITRE CWE
  CWE-499. Serializable class containing sensitive data
  CWE-502. Deserialization of untrusted data

Secure Coding Guidelines for the Java Programming Language, Version 3.0
  Guideline 5-2. Guard sensitive data during serialization

Bibliography

...

[Bloch 2005]  Puzzle 83. Dyslexic monotheism
[Bloch 2001]  Item 1. Enforce the singleton property with a private constructor
[Greanier 2000]  Discover the Secrets of the Java Serialization API, http://java.sun.com/developer/technicalArticles/Programming/serialization/
[Harold 1999]
[JLS 2005]  Transient Modifier, http://java.sun.com/docs/books/jls/third_edition/html/classes.html#37020
[Long 2005]  Section 2.4, Serialization
[Sun 2006]  Serialization Specification, A.4, Preventing Serialization of Sensitive Data

...
