Versions Compared


...

Noncompliant Code Example

This noncompliant code example lacks defensive copying of the mutable components or sub-objects (the Date object in this case). An attacker may be able to create an instance of MutableSer for which all invariants hold when validation is carried out and that later mutates the value of the date sub-object to violate the class's contract. Any code that depends on the immutability of the sub-object is vulnerable.

```java
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.Serializable;
import java.util.Date;

class MutableSer implements Serializable {
  private static final Date epoch = new Date(0);
  private Date date = null; // Mutable component

  public MutableSer(Date d) {
    date = new Date(d.getTime()); // Constructor performs defensive copying
  }

  private void readObject(ObjectInputStream ois)
      throws IOException, ClassNotFoundException {
    ois.defaultReadObject(); // date remains aliased to the Date object in the stream
    // Perform validation if necessary
  }
}
```

...

This compliant solution creates a defensive copy of the mutable Date object in the readObject() method. Note the use of field-by-field input and validation of incoming fields (see guideline SER04-J. Validate deserialized objects for additional information). Additionally, note that this compliant solution is insufficient to protect sensitive data (see guideline SER03-J. Do not serialize sensitive data for additional information).

```java
private void readObject(ObjectInputStream ois)
    throws IOException, ClassNotFoundException {
  ObjectInputStream.GetField fields = ois.readFields();
  Date inDate = (Date) fields.get("date", epoch);
  // Defensively copy the mutable component
  date = new Date(inDate.getTime());
  // Perform validation if necessary
}
```
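The following is an added example, not CERT's own code, that puts the noncompliant and compliant readObject() variants side by side and shows the difference concretely. The DefensiveCopyDemo class, the DateHolder interface and its rawDate() test hook are assumptions introduced for the demonstration; the hook stands in for an attacker's ability to place a back-reference to the holder's Date in a crafted stream. The harness serializes a holder followed by that same Date object, so the second write becomes a stream back-reference, then mutates the Date it reads back and checks whether the holder's state followed.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidObjectException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Date;

/**
 * Added example (not CERT's code). Contrasts a readObject() that only calls
 * defaultReadObject() with one that reads field by field, copies the mutable
 * Date and validates the copy.
 */
public class DefensiveCopyDemo {

    /** Hypothetical interface so the harness can treat both variants alike. */
    interface DateHolder extends Serializable {
        Date getDate();
        /** Test hook: the raw field reference, standing in for an attacker's
         *  ability to put a back-reference to it into the stream. */
        Date rawDate();
    }

    /** Noncompliant: date stays aliased to the Date object read from the stream. */
    static final class LeakySer implements DateHolder {
        private static final long serialVersionUID = 1L;
        private Date date;

        LeakySer(Date d) { date = new Date(d.getTime()); }
        public Date getDate() { return new Date(date.getTime()); }
        public Date rawDate() { return date; }

        private void readObject(ObjectInputStream ois)
                throws IOException, ClassNotFoundException {
            ois.defaultReadObject(); // no defensive copy
        }
    }

    /** Compliant: field-by-field read, null check, defensive copy, validation. */
    static final class SafeSer implements DateHolder {
        private static final long serialVersionUID = 1L;
        private static final Date EPOCH = new Date(0);
        private Date date;

        SafeSer(Date d) { date = new Date(d.getTime()); }
        public Date getDate() { return new Date(date.getTime()); }
        public Date rawDate() { return date; }

        private void readObject(ObjectInputStream ois)
                throws IOException, ClassNotFoundException {
            ObjectInputStream.GetField fields = ois.readFields();
            Date inDate = (Date) fields.get("date", EPOCH);
            if (inDate == null) {
                throw new InvalidObjectException("date must not be null");
            }
            date = new Date(inDate.getTime()); // the copy severs the alias
            if (date.before(EPOCH)) {          // validate the copy, not the input
                throw new InvalidObjectException("date precedes the epoch");
            }
        }
    }

    /**
     * Serializes the holder and then its internal Date. ObjectOutputStream
     * writes the second object as a back-reference, so after deserialization
     * the caller holds the very Date object that defaultReadObject() stored in
     * the holder. Returns true if mutating that object changed the holder.
     */
    static boolean mutableThroughAlias(DateHolder holder) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(holder);
            oos.writeObject(holder.rawDate());
        }
        try (ObjectInputStream ois =
                 new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
            DateHolder copy = (DateHolder) ois.readObject();
            Date alias = (Date) ois.readObject();
            long before = copy.getDate().getTime();
            alias.setTime(before + 86_400_000L); // mutate through the outside reference
            return copy.getDate().getTime() != before;
        }
    }

    public static void main(String[] args) throws Exception {
        Date sample = new Date(1_700_000_000_000L); // constructed timestamp
        System.out.println("LeakySer state changed: " + mutableThroughAlias(new LeakySer(sample)));
        System.out.println("SafeSer state changed:  " + mutableThroughAlias(new SafeSer(sample)));
    }
}
```

Running main() reports that LeakySer's state changed and SafeSer's did not: the constructor's defensive copy in LeakySer is bypassed because deserialization never calls it, and only the copy made inside readObject() isolates the field from whatever else in the stream refers to the same Date.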

...

Guideline   Severity   Likelihood   Remediation Cost   Priority   Level
SER07-J     low        probable     medium             P4         L3

Automated Detection

...

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this guideline on the CERT website.

...


...
