It is often possible for Java code to deserialize data that comes from an untrusted source (deserializing untrusted classes is forbidden by rule SER12-J, Prevent deserialization of untrusted classes). A Serializable class can overload the readObject() method, which is called when an object of that class is being deserialized. This method (as well as similar methods such as readResolve() and readObjectNoData()) should treat the serialized data as potentially malicious. These methods should not perform dangerous operations, nor should they set the stage for such operations to be performed later in the deserialization process. For example, simply deserializing data should not invoke Runtime.exec().
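The following is an added example written for this page; it is not the rule's own noncompliant code example or compliant solution, and the class, field and method names (OpenedFileNoncompliant, OpenedFileCompliant, open(), isOpen(), Ser13Demo) are invented. It contrasts a readObject() that performs a side effect on data taken from the stream with one that only restores and validates state and leaves the side effect to a separate, deliberate call checked against a caller-supplied allow list.

```java
import java.io.*;
import java.util.Set;

// Added example (not the rule's own code): one serializable class written two ways.
// All names here are invented for illustration.

// Noncompliant pattern: readObject() opens a file whose name came from the
// (untrusted) stream, so merely deserializing the object has a side effect
// the caller never asked for.
class OpenedFileNoncompliant implements Serializable {
    private static final long serialVersionUID = 1L;
    private String path;
    private transient InputStream in;

    OpenedFileNoncompliant(String path) { this.path = path; }

    private void readObject(ObjectInputStream ois)
            throws IOException, ClassNotFoundException {
        ois.defaultReadObject();
        in = new FileInputStream(path);   // dangerous operation driven by stream data
    }
}

// Compliant pattern: readObject() only restores and validates fields. The side
// effect lives in a separate method that the program must call on purpose and
// that checks the path against an explicit allow list of directories.
class OpenedFileCompliant implements Serializable {
    private static final long serialVersionUID = 1L;
    private String path;
    private transient InputStream in;

    OpenedFileCompliant(String path) { this.path = path; }

    private void readObject(ObjectInputStream ois)
            throws IOException, ClassNotFoundException {
        ois.defaultReadObject();
        if (path == null || path.isEmpty()) {
            throw new InvalidObjectException("missing path");
        }
        // 'in' stays null: nothing is opened during deserialization
    }

    boolean isOpen() { return in != null; }

    // The only place a file is opened; the caller supplies the directories it permits.
    void open(Set<File> allowedDirs) throws IOException {
        File f = new File(path).getCanonicalFile();
        File parent = f.getParentFile();
        if (parent == null || !allowedDirs.contains(parent)) {
            throw new IOException("path not in an allowed directory: " + f);
        }
        in = new FileInputStream(f);
    }
}

public class Ser13Demo {
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: a path that does not exist on this machine.
        byte[] bytes = serialize(new OpenedFileCompliant("/tmp/does-not-exist.txt"));
        try (ObjectInputStream ois =
                 new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            OpenedFileCompliant f = (OpenedFileCompliant) ois.readObject();
            // Deserialization completed without touching the filesystem.
            System.out.println("opened during deserialization? " + f.isOpen());
            // Opening is a separate step the program can refuse: the allow list
            // below (a constructed directory) does not contain /tmp.
            try {
                f.open(Set.of(new File("/var/app/data").getCanonicalFile()));
            } catch (IOException e) {
                System.out.println("refused: " + e.getMessage());
            }
        }
    }
}
```

Deserializing the noncompliant class with the same bytes would attempt the FileInputStream open inside readObject() itself, so the decision about whether that file may be touched would have been made by whoever produced the stream rather than by the program; the compliant class makes the program take that decision explicitly, after deserialization and against its own allow list.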
If it is convenient for a serializable class to perform operations with potentially dangerous side effects during deserialization, it should require that the programmer expressly whitelist
...