...
```java
import java.io.FileOutputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Point itself must be Serializable for its fields to reach the stream:
// default serialization never writes the fields of a non-Serializable
// superclass (they are reinitialized through its no-argument constructor).
class Point implements Serializable {
  private double x;
  private double y;

  public Point(double x, double y) {
    this.x = x;
    this.y = y;
  }

  public Point() {
    // No-argument constructor
  }
}

public class Coordinates extends Point implements Serializable {
  public static void main(String[] args) {
    try {
      Point p = new Point(5, 2);
      FileOutputStream fout = new FileOutputStream("point.ser");
      ObjectOutputStream oout = new ObjectOutputStream(fout);
      oout.writeObject(p); // x and y are written to point.ser in the clear
      oout.close();
    } catch (Throwable t) {
      // Forward to handler
    }
  }
}
```
...
```java
import java.io.FileOutputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

class Point implements Serializable {
  // transient fields are skipped by default serialization
  private transient double x;
  private transient double y;

  public Point(double x, double y) {
    this.x = x;
    this.y = y;
  }

  public Point() {
    // No-argument constructor
  }
}

public class Coordinates extends Point implements Serializable {
  public static void main(String[] args) {
    try {
      Point p = new Point(5, 2);
      FileOutputStream fout = new FileOutputStream("point.ser");
      ObjectOutputStream oout = new ObjectOutputStream(fout);
      oout.writeObject(p); // point.ser no longer carries x and y
      oout.close();
    } catch (Exception e) {
      // Forward to handler
    }
  }
}
```
...
```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;

// Exception is Serializable, so SensitiveClass inherits serializability
// even though it never declares it
public class SensitiveClass extends Exception {
  public static final SensitiveClass INSTANCE = new SensitiveClass();

  private SensitiveClass() {
    // Perform security checks and parameter validation
  }

  protected int printBalance() {
    int balance = 1000;
    return balance;
  }
}

class Malicious {
  public static void main(String[] args) {
    SensitiveClass sc = (SensitiveClass) deepCopy(SensitiveClass.INSTANCE);
    System.out.println(sc == SensitiveClass.INSTANCE); // Prints false; indicates new instance
    System.out.println("Balance = " + sc.printBalance());
  }

  // This method should not be used in production quality code
  public static Object deepCopy(Object obj) {
    try {
      ByteArrayOutputStream bos = new ByteArrayOutputStream();
      new ObjectOutputStream(bos).writeObject(obj);
      ByteArrayInputStream bin = new ByteArrayInputStream(bos.toByteArray());
      return new ObjectInputStream(bin).readObject();
    } catch (Exception e) {
      throw new IllegalArgumentException(e);
    }
  }
}
```
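The following is an added example and not code from the CERT page: in one file it places the leaky Point beside its transient counterpart, scans each resulting stream for the coordinate's bit pattern to confirm whether the value was actually emitted, and hardens a singleton that is forced to be Serializable by its superclass (as SensitiveClass is) with readResolve(), so the deepCopy() round trip shown above yields the canonical instance. The class and method names (SerializationLeakCheck, LeakyPoint, GuardedPoint, Singleton, streamContains) are assumptions of this example.

```java
import java.io.*;
import java.nio.ByteBuffer;

public class SerializationLeakCheck {
  // As on the page: non-transient coordinates are written to the stream.
  static class LeakyPoint implements Serializable {
    private double x, y;
    LeakyPoint(double x, double y) { this.x = x; this.y = y; }
  }
  // Hardened form: default serialization skips transient fields.
  static class GuardedPoint implements Serializable {
    private transient double x, y;
    GuardedPoint(double x, double y) { this.x = x; this.y = y; }
  }
  // Singleton made Serializable by its superclass, like SensitiveClass above;
  // readResolve() hands back the canonical instance for any deserialized copy.
  static final class Singleton extends Exception {
    static final Singleton INSTANCE = new Singleton();
    private Singleton() { }
    private Object readResolve() throws ObjectStreamException { return INSTANCE; }
  }
  static byte[] serialize(Object obj) throws IOException {
    ByteArrayOutputStream bos = new ByteArrayOutputStream();
    try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(obj); }
    return bos.toByteArray();
  }
  static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
    // In-memory stream, so no resource to release
    return new ObjectInputStream(new ByteArrayInputStream(data)).readObject();
  }

  // ObjectOutputStream writes a double as its big-endian IEEE-754 bit pattern;
  // scanning the stream for that pattern shows whether the value was emitted.
  static boolean streamContains(byte[] stream, double value) {
    byte[] pat = ByteBuffer.allocate(8).putDouble(value).array();
    for (int i = 0; i + pat.length <= stream.length; i++) {
      int j = 0;
      while (j < pat.length && stream[i + j] == pat[j]) { j++; }
      if (j == pat.length) { return true; }
    }
    return false;
  }

  public static void main(String[] args) throws Exception {
    System.out.println("x=5 in leaky stream:   " + streamContains(serialize(new LeakyPoint(5, 2)), 5));
    System.out.println("x=5 in guarded stream: " + streamContains(serialize(new GuardedPoint(5, 2)), 5));
    Object copy = deserialize(serialize(Singleton.INSTANCE));
    System.out.println("singleton preserved:   " + (copy == Singleton.INSTANCE));
  }
}
```

readResolve() is not a complete defense for a singleton that carries non-transient reference fields, since such a field can be used to capture the deserialized copy before it is replaced; keep instance fields transient or prefer an enum-based singleton.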
...
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
...