SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 32

changes.mady.by.user Shannon Haas

Saved on

compared with

New Version Current

changes.mady.by.user Michal Rozenau

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Parasoft Jtest 2021.1

The readObject() method must not call any overridable methods. Invoking overridable methods from the readObject() method can allow provide the overriding method with access to read the object's state of the subclass before it is fully constructed, since the base class is deserialized first, followed by the subclass. Therefore readObject() must not call any overridable methods.Also see the related rule MET07initialized. This premature access is possible because, in deserialization, readObject plays the role of object constructor and therefore object initialization is not complete until readObject exits (see also MET06-J. Do not invoke overridable methods in clone()).

Noncompliant Code Example

This noncompliant code example invokes an overridable method from the readObject() method. :

Code Block
bgColor#FFCCCC

private void readObject(final ObjectInputStream stream) throws 

                        throws IOException, ClassNotFoundException {
  overridableMethod(); 
  stream.defaultReadObject();
}

public void overridableMethod() {
  // ...
}

Compliant Solution

This compliant solution removes the call to the overridable method. When removing such calls is infeasible, ensure that declare the overridable method is declared private or final.

Code Block
bgColor#ccccff

private void readObject(final ObjectInputStream stream) throws 

                        throws IOException, ClassNotFoundException {
  stream.defaultReadObject();
}

Exceptions

unmigratedSER09-wiki-markup*SER11-EX1:* "The {{readObject}} methods will often call {{J-EX0: The readObject() method may invoke the overridable methods defaultReadObject() and readFields() in class java.io.ObjectInputStream.defaultReadObject}}, which is an overridable method" \ [[SCG 2009|AA. Bibliography#SCG 09]\]. Such calls are permitted.

Risk Assessment

Invoking overridable methods from the readObject() method can lead to initialization errors.

Guideline

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

SER11

SER09-J

low

Low

probable

Probable

medium

Medium

P4

L3

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Bibliography

Wiki Markup
\[[API 2006|AA. Bibliography#API 06]\] 
\[[SCG 2009|AA. Bibliography#SCG 09]\] Guideline 4-4 Prevent constructors from calling methods that can be overridden
\[[Bloch 2008|AA. Bibliography#Bloch 08]\] Item 17: "Design and document for inheritance or else prohibit it"

Automated Detection

ToolVersionCheckerDescription
Parasoft Jtest

Include Page
Parasoft_V
Parasoft_V

CERT.SER09.VREADOBJDo not invoke overridable methods from the readObject() method

Related Guidelines

Secure Coding Guidelines for Java SE, Version 5.0

Guideline 7-4 / OBJECT-4: Prevent constructors from calling methods that can be overridden

Bibliography

[API 2014]


[Bloch 2008]

Item 17, "Design and Document for Inheritance or Else Prohibit It"

[SCG 2009]


...

Image Added Image Added Image AddedVOID SER10-J. Do not serialize direct handles to system resources      16. Serialization (SER)      SER12-J. Avoid memory and resource leaks during serialization