SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 15

changes.mady.by.user Robert Seacord (Manager)

Saved on

compared with

New Version Current

changes.mady.by.user Will Snavely

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Serialized objects can be altered outside of any Java program unless they are protected using mechanisms such as sealing and signing. (SEC16See ENV01-J. Sign and seal sensitive objects before transit). If Place all security-sensitive code in a single JAR and sign and seal it.) If an object referring to a system resource becomes serialized, and an attacker can alter the serialized form of the object, it becomes possible to modify the system resource that the serialized handle refers to. For example, an attacker may modify a serialized file handle to refer to an arbitrary file on the system. In the absence of a security manager, any operations that use the file handle , will be carried out using the attacker-supplied file path and file name.

Noncompliant Code Example

This noncompliant code example declares a serializable File object in the class BadSer. The serialized form of the object exposes the file path, which can be altered. When the object is deserialized, the operations will be performed using the altered path. Ser:

Code Block
bgColor#FFcccc

final class BadSerSer implements Serializable { 	
  File f;
  public BadSerSer() throws FileNotFoundException {
    f  = new File("c:\\filepath\\filename");
  }	 
}

...

The serialized form of the object exposes the file path, which can be altered. When the object is deserialized, the operations are performed using the altered path, which can cause the wrong file to be read or modified.
Compliant Solution (Not Implementing Serializable)
This compliant solution shows a final class Ser that does not implement java.io.Serializable. Consequently, the File object cannot be serialized.
 Code Block
bgColor#ccccff

final class Ser { 	
  File f;
  public BadSerSer() throws FileNotFoundException {
    f  = new File("c:\\filepath\\filename");
  }	 
}

Compliant Solution (Object Marked Transient)
This compliant solution declares the File object transient. Consequently, the The file path is not serialized with the rest of the class and consequently is not exposed to attackers.
 Code Block
bgColor#ccccff

final class Ser implements Serializable { 	
  transient File f;
  public BadSerSer() throws FileNotFoundException {
    f  = new File("c:\\filepath\\filename");
  }	 
}

...
Applicability
Deserializing direct handles to system resources can allow the modification of the resources being referred to.
 Rule 
 Severity 
 Likelihood 
 Remediation Cost 
 Priority 
 Level 
 SER10- J 
 high 
 probable 
 low 
 P18 
 L1 
Automated Detection
TODO
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
 Wiki Markup
\[[Sun 06|AA. Java References#Sun 06]\] "Serialization specification"
Bibliography
[Oracle 2013c]Java Object Serialization
 
...
Image Added Image Added Image AddedSER09-J. Do not deserialize from a privileged context      18. Serialization (SER)      SER11-J. Do not invoke overridable methods from the readObject method