Compliant Example

...

import java.io.*;
import java.util.*;

class WhitelistedObjectInputStream extends ObjectInputStream {
  public Set<String> whitelist;

  public WhitelistedObjectInputStream(InputStream inputStream, Set<String> wl) throws IOException {
    super(inputStream);
    whitelist = wl;
  }

  // Invoked for every class descriptor read from the stream, before the class is
  // loaded or any instance is created, so a rejected class never executes any code.
  @Override
  protected Class<?> resolveClass(ObjectStreamClass cls) throws IOException, ClassNotFoundException {
    if (!whitelist.contains(cls.getName())) {
      // InvalidClassException(String cname, String reason): class name first, then the reason.
      throw new InvalidClassException(cls.getName(), "Unexpected serialized class");
    }
    return super.resolveClass(cls);
  }
}

class DeserializeExample {
  private static Object deserialize(byte[] buffer) throws IOException, ClassNotFoundException {
    Object ret = null;
    // Only classes named here may be deserialized; every other class descriptor is rejected.
    Set<String> whitelist = new HashSet<String>(Arrays.asList(new String[]{"GoodClass1"}));
    try (ByteArrayInputStream bais = new ByteArrayInputStream(buffer)) {
      try (WhitelistedObjectInputStream ois = new WhitelistedObjectInputStream(bais, whitelist)) {
        ret = ois.readObject();
      }
    }
    return ret;
  }
}
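As an added end-to-end check (not part of the original rule text), the following self-contained program embeds the same whitelisting stream, serializes a constructed GoodClass1 instance and a java.util.HashMap, and shows that the first is accepted while the second is rejected inside resolveClass before any instance is created. The WhitelistDemo class, the GoodClass1 DTO and the helper methods are constructed for this example.

```java
import java.io.*;
import java.util.*;

public class WhitelistDemo {
  // Same approach as the rule's stream: resolveClass() runs when a class descriptor is
  // read, before the class is loaded or any instance is created.
  static class WhitelistedObjectInputStream extends ObjectInputStream {
    private final Set<String> whitelist;
    WhitelistedObjectInputStream(InputStream in, Set<String> wl) throws IOException {
      super(in);
      whitelist = wl;
    }
    @Override
    protected Class<?> resolveClass(ObjectStreamClass cls) throws IOException, ClassNotFoundException {
      if (!whitelist.contains(cls.getName())) {
        throw new InvalidClassException(cls.getName(), "Unexpected serialized class");
      }
      return super.resolveClass(cls);
    }
  }

  // Constructed DTO for the demonstration; its binary name is WhitelistDemo$GoodClass1.
  static class GoodClass1 implements Serializable {
    private static final long serialVersionUID = 1L;
    String value = "ok";
  }
  static byte[] serialize(Object o) throws IOException {
    ByteArrayOutputStream bos = new ByteArrayOutputStream();
    try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
    return bos.toByteArray();
  }

  static Object deserialize(byte[] buf, Set<String> wl) throws IOException, ClassNotFoundException {
    try (ObjectInputStream ois = new WhitelistedObjectInputStream(new ByteArrayInputStream(buf), wl)) {
      return ois.readObject();
    }
  }

  public static void main(String[] args) throws Exception {
    Set<String> wl = new HashSet<>(Arrays.asList(GoodClass1.class.getName()));
    GoodClass1 good = (GoodClass1) deserialize(serialize(new GoodClass1()), wl);
    System.out.println("accepted: " + good.value);            // whitelisted class passes
    try {
      deserialize(serialize(new HashMap<String, String>()), wl);
    } catch (InvalidClassException e) {                        // java.util.HashMap is not listed
      System.out.println("rejected: " + e.classname);
    }
  }
}
```

Because the whitelist keys on fully qualified names, nested classes must be listed by their binary name (obtained here via getName()), and arrays of a whitelisted type are still rejected unless their "[L...;" descriptor name is listed too. On Java 9 and later the same policy can be expressed with the JDK's ObjectInputFilter instead of overriding resolveClass.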

Exceptions

SER12-EX0: Serialized data from a trusted input source does not require validation, provided that the code clearly documents that it relies on the input source being trustworthy. For example, if a library is being audited, a routine of that library may have a documented precondition that its callers pre-validate any passed-in serialized data or confirm the input source as trustworthy.

...