Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

This rule is meant to prevent the unintentional serialization of sensitive information. SER02-J. Sign then seal sensitive objects before sending them outside a trust boundary applies to the intentional serialization of sensitive information.

...

Code Block
bgColor#FFcccc
public class Point implements Serializable {
  private double x;
  private double y;

  public Point(double x, double y) {
    this.x = x;
    this.y = y;
  }

  public Point() {
    // No-argument constructor
  }
}

public class Coordinates extends Point implements Serializable {
  public static void main(String[] args) {
    FileOutputStream fout = null;
    try {
      Point p = new Point(5, 2);
      fout = new FileOutputStream("point.ser");
      ObjectOutputStream oout = new ObjectOutputStream(fout);
      oout.writeObject(p);
    } catch (Throwable t) { 
      // Forward to handler 
    } finally {
      if (fout != null) {
        try {
          fout.close();
        } catch (IOException x) {
          // Handle error
        }
      }
    }
  }
}

...

Code Block
bgColor#ccccff
public class Point implements Serializable {
 private transient double x; // Declared transient
 private transient double y; // Declared transient

 public Point(double x, double y) {
  this.x = x;
  this.y = y;
 }

 public Point() {
   // No-argument constructor
 }
}

public class Coordinates extends Point implements Serializable {
  public static void main(String[] args) {
    FileOutputStream fout = null;
    try {
      Point p = new Point(5,2);
      fout = new FileOutputStream("point.ser");
      ObjectOutputStream oout = new ObjectOutputStream(fout);
      oout.writeObject(p);
      oout.close();
    } catch (Exception e) {
      // Forward to handler
    } finally {
      if (fout != null) {
        try {
          fout.close();
        } catch (IOException x) {
          // Handle error
        }
      }
    }
  }
}

...

It is still possible for an attacker to obtain uninitialized instances of SensitiveClass by catching NotSerializableException or by using a finalizer attack (see OBJ11-J. Be wary of letting constructors throw exceptions for more information). Consequently, an unserializable class that extends a serializable class must always validate its invariants before executing any methods. That is, any object of such a class must inspect its fields, its actual type (to prevent it being a malicious subclass), and any invariants it possesses (such as being a malicious second object of a singleton class).

Exceptions

SER03-J-EX0: Sensitive data that has been properly encrypted may be serialized.

...

If sensitive data can be serialized, it may be transmitted over an insecure connection, stored in an insecure location, or disclosed inappropriately.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

SER03-J

Medium

Likely

High

P6

L2

Automated Detection

Tool
Version
Checker
Description
CodeSonar
Include Page
CodeSonar_V
CodeSonar_V

JAVA.CLASS.SER.ND

Serialization Not Disabled (Java)

Coverity7.5UNSAFE_DESERIALIZATIONImplemented
Parasoft Jtest
9.5SECURITY.ESD.SIF
Include Page
Parasoft_V
Parasoft_V
CERT.SER03.SIFInspect instance fields of serializable objects to make sure they will not expose sensitive information
Implemented

Related Guidelines

MITRE CWE

CWE-499, Serializable Class Containing Sensitive Data
CWE-502, Deserialization of Untrusted Data

Secure Coding Guidelines for Java SE, Version 5.0

Guideline 8-2 / SERIAL-2: Guard sensitive data during serialization

Bibliography

[Bloch 2005]

Puzzle 83, "Dyslexic monotheism"

[Bloch 2001]

Item 1, "Enforce the Singleton Property with a Private Constructor"

[Greanier 2000]

Discover the Secrets of the Java Serialization API

[Harold 1999]

 


[Long 2005]

Section 2.4, "Serialization"

[Sun 2006]

Serialization Specification, A.4, Preventing Serialization of Sensitive Data

 


...

SER02-J. Sign then seal sensitive objects before sending them outside a trust boundary Image Added