...
| Code Block | ||
|---|---|---|
| ||
public class Point {
private double x;
private double y;
public Point(double x, double y) {
this.x = x;
this.y = y;
}
public Point() {
// no argument constructor
}
}
import java.io.Serializable;
import java.io.FileOutputStream;
import java.io.ObjectOutputStream;
public class Coordinates extends Point implements Serializable {
public static void main(String[] args) {
try {
Point p = new Point(5,2);
FileOutputStream fout = new FileOutputStream("point.ser");
ObjectOutputStream oout = new ObjectOutputStream(fout);
oout.writeObject(p);
oout.close();
}
catch (ExceptionThrowable et) {System.err.println(e); /* forward to handler */ }
}
}
|
Compliant
...
Solution
In the absence of sensitive data, a class can be serialized by implementing the java.io.Serializable interface. By doing so, the class indicates that no security issues may result from the object's serialization. Note that any derived sub classes also inherit this interface and are consequently serializable.
...
Other solutions include custom implementation of writeObject, writeReplace and writeExternal methods such that sensitive fields are not written to the serialized stream or alternatively, conducting proper validation checks while deserializing. Yet another remediation remedy is to define the serialPersistentFields array field and ensure that sensitive fields are not added to the array (SER00-J. Maintain serialization compatibility during class evolution). Sometimes it is necessary to prevent a serializable object (whose superclass implements serializable) from getting serialized. This is the focus of the second noncompliant code example.
...
| Wiki Markup |
|---|
Serialization can also be used maliciously to return multiple instances of a singleton-like class. In this noncompliant example, a subclass {{SensitiveClass}} inadvertently becomes Serializable sinceas it extends the {{Exception}} class that implements {{Serializable}}. (Based on \[[Bloch 05|AA. Java References#Bloch 05]\]) |
| Code Block | ||
|---|---|---|
| ||
public class SensitiveClass extends Exception {
public static final SensitiveClass INSTANCE = new SensitiveClass();
private SensitiveClass() {
// Perform security checks and parameter validation
}
protected int printBalance() {
int balance = 1000;
return balance;
}
}
class Malicious {
public static void main(String[] args) {
SensitiveClass sc = (SensitiveClass) deepCopy(SensitiveClass.INSTANCE);
System.out.println(sc == SensitiveClass.INSTANCE); // prints false; indicates new instance
System.out.println("Balance =" + sc.printBalance());
}
// This method should not be used in production quality code
static public Object deepCopy(Object obj) {
try {
ByteArrayOutputStream bos = new ByteArrayOutputStream();
new ObjectOutputStream(bos).writeObject(obj);
ByteArrayInputStream bin = new ByteArrayInputStream(bos.toByteArray());
return new ObjectInputStream(bin).readObject();
} catch (Exception e) { throw new IllegalArgumentException(e); }
}
}
|
Compliant Solution
Undue serialization of the subclass can be prohibited by throwing a NotSerializableException from a custom writeObject() method or the readResolve() method, defined in the subclass SensitiveClass. Ideally, one should avoid extending a class or interface that implements Serializable should be avoided.
| Code Block | ||
|---|---|---|
| ||
private Object readResolve() throws NotSerializableException {
throw new NotSerializableException();
}
|
...