Versions Compared


Other techniques include custom implementations of the writeObject, writeReplace, and writeExternal methods so that sensitive fields are never written to the serialized stream, or alternatively, performing proper validation checks while deserializing. Yet another remediation is to define the serialPersistentFields array field and ensure that sensitive fields are not included in the array. Sometimes it is necessary to prevent a serializable object (whose superclass implements Serializable) from being serialized at all. This can be achieved by throwing a NotSerializableException from the custom writeObject() method.
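The following is an added example, not code from the CERT page, showing the three remediations just described together: a serialPersistentFields whitelist plus a custom writeObject()/readObject() pair that omits the password and validates the stream, and a subclass that inherits Serializable but refuses serialization by throwing NotSerializableException. The class names (Account, SessionToken), field names and sample values are constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidObjectException;
import java.io.NotSerializableException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamField;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;

public class SensitiveSerialization {

    /** Hypothetical serializable class whose password must never reach the stream. */
    static class Account implements Serializable {
        private static final long serialVersionUID = 1L;

        private String username;
        private String password;   // sensitive; deliberately absent from serialPersistentFields

        /** Whitelist of fields that may be serialized: only username. */
        private static final ObjectStreamField[] serialPersistentFields = {
            new ObjectStreamField("username", String.class)
        };

        Account(String username, String password) {
            this.username = username;
            this.password = password;
        }

        /** Writes only the whitelisted field; the password is never put on the stream. */
        private void writeObject(ObjectOutputStream out) throws IOException {
            ObjectOutputStream.PutField fields = out.putFields();
            fields.put("username", username);
            out.writeFields();
        }

        /** Validates the incoming stream instead of trusting it blindly. */
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            ObjectInputStream.GetField fields = in.readFields();
            String u = (String) fields.get("username", null);
            if (u == null || u.isEmpty()) {
                throw new InvalidObjectException("username must be present");
            }
            username = u;
            password = null;   // must be re-established through a trusted path, not the stream
        }

        String getUsername() { return username; }
        String getPassword() { return password; }
    }

    /** Inherits Serializable from Account but must never be serialized at all. */
    static class SessionToken extends Account {
        private static final long serialVersionUID = 1L;
        private final String secret;

        SessionToken(String username, String secret) {
            super(username, null);
            this.secret = secret;
        }

        private void writeObject(ObjectOutputStream out) throws IOException {
            throw new NotSerializableException(getClass().getName());
        }

        private void readObject(ObjectInputStream in) throws IOException {
            throw new NotSerializableException(getClass().getName());
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values for the demonstration.
        byte[] bytes = serialize(new Account("alice", "hunter2"));
        String raw = new String(bytes, StandardCharsets.ISO_8859_1);
        System.out.println("stream contains the password? " + raw.contains("hunter2"));

        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            Account a = (Account) ois.readObject();
            System.out.println("username=" + a.getUsername() + " password=" + a.getPassword());
        }

        try {
            serialize(new SessionToken("alice", "opaque-token"));
        } catch (NotSerializableException e) {
            System.out.println("refused to serialize " + e.getMessage());
        }
    }
}
```

Scanning the raw bytes for the secret is a cheap check worth keeping in a unit test: declaring serialPersistentFields or marking a field transient only helps if no custom writeObject() later writes the field explicitly, and the byte scan catches that regression regardless of which mechanism was meant to exclude the field.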

Risk Assessment

If sensitive data can be serialized, it may be transmitted over an insecure link or stored in an insecure medium, and thereby disclosed inappropriately.

Rule     Severity      Likelihood  Remediation Cost  Priority  Level
FIO32-J  ?? medium ??  likely      ?? high           P??       L??

Automated Detection


Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

[JLS 05] Transient modifier, http://java.sun.com/docs/books/jls/third_edition/html/classes.html#37020
[Harold 99] Java I/O, by Elliotte Rusty Harold
[SCG 07] Java Secure Coding, http://java.sun.com/security/seccodeguide.html