Every serializable container class that has private mutable instance variables must defensively copy them in the readObject()
method. An adversary can append attacker can tamper with the serialized form of such a class, appending extra references to the variables to generate a new byte stream. When deserialized, this byte stream allows could allow the creation of a container class instance whose internal variable references are controlled by the attacker controllable. Consequently, this allows the class instance of the container class to can mutate and violate its guaranteesclass invariants.
This rule is an instance of OBJ06-J. Defensively copy mutable inputs and mutable internal components, which applies to constructors and to other methods that accept untrusted mutable arguments. This rule applies the same principle to deserialized mutable fields.
Noncompliant Code Example
There is no defensive copying of the mutable components or sub-objects (Date
object) in this noncompliant code example. An attacker may This noncompliant code example fails to defensively copy the mutable Date
object date
. An attacker might be able to create an instance of MutableSer
so that all invariants hold when validation is carried out and later, mutate the value of the date
sub-object to violate the class's contract whose date
object contains a nefarious subclass of Date
and whose methods can perform actions specified by an attacker. Any code that depends on the immutability of the sub-object subobject is vulnerable.
Code Block | ||
---|---|---|
| ||
class MutableSer implements Serializable { private static final Date epoch = new Date(0); private Date date = null; // Mutable component public MutableSer(Date d){ date = new Date(d.getTime()); // Constructor performs defensive copying } private void readObject(ObjectInputStream ois) throws IOException, ClassNotFoundException { ois.defaultReadObject(); // Perform validation if necessary } } |
Compliant Solution
This compliant solution creates a defensive copy of the mutable Date
object date
in the readObject()
method. Note the use of field-by-field input and validation of incoming fields. Additionally, note that this compliant solution is insufficient to protect sensitive data (see SER03-J. Do not serialize unencrypted sensitive data for additional information).
Code Block | ||
---|---|---|
| ||
private void readObject(ObjectInputStream ois) throws IOException, ClassNotFoundException { ObjectInputStream.GetField fields = ois.defaultReadObject()readFields(); Date inDate = (Date) fields.get("date", epoch); // Defensively copy the mutable component date = new Date(dateinDate.getTime()); // Perform validation if necessary } |
...
There is no need to copy immutable sub-objects subobjects. Also, avoid using the sub-objectsubobject's {{clone()
}} method because it can be overridden when the sub-objectsubobject's class is non-final. Moreover, it produces only a shallow copy. The sub-objects ({{date}}) themselves must be non-final so that defensive copying can occur. It is also inadvisable to use the {{writeUnshared()}} and {{readUnshared()}} methods as an alternative \[[Bloch 08|AA. Java References#Bloch 08]\]not final and produces only a shallow copy. The references to the subobjects themselves must be nonfinal so that defensive copying can occur. It is also inadvisable to use the writeUnshared()
and readUnshared()
methods as an alternative [Bloch 2008].
Risk Assessment
Failure to defensively copy mutable components during deserialization can violate the immutability contract of an object.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|
SER06-J |
Low |
Probable |
Medium | P4 | L3 |
Automated Detection
...
TODO
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
Wiki Markup |
---|
\[[API 06|AA. Java References#API 06]\]
\[[Sun 06|AA. Java References#Sun 06]\] "Serialization specification: A.6 Guarding Unshared Deserialized Objects"
\[[Bloch 08|AA. Java References#Bloch 08]\] Item 76: "Write readObject methods defensively" |
Tool | Version | Checker | Description | ||||||
---|---|---|---|---|---|---|---|---|---|
CodeSonar |
| JAVA.CLASS.SER.ND | Serialization Not Disabled (Java) | ||||||
Coverity | 7.5 | UNSAFE_DESERIALIZATION | Implemented |
Related Guidelines
Bibliography
[API 2014] | |
Item 76, "Write | |
[Sun 2006] | Serialization Specification, A.6, Guarding Unshared Deserialized Objects |
...
SER06-J. Do not serialize instances of inner classes 18. Serialization (SER) SER08-J. Do not use the default serialized form for implementation defined invariants