The readObject()
method must not call any overridable methods. Invoking overridable methods from the readObject()
method can cause provide the overriding method with access to read the object's state of the subclass before it is fixedfully initialized. This premature access is possible because the base class is deserialized first, followed by the subclass. Also see the related guidelines CON04-J. Do not call overridable methods from synchronized regions and MET07, in deserialization, readObject
plays the role of object constructor and therefore object initialization is not complete until readObject
exits (see also MET06-J. Do not invoke overridable methods on the clone under constructionin clone()).
Noncompliant Code Example
This noncompliant code example invokes an overridable method from the readObject()
method. :
Code Block | ||
---|---|---|
| ||
private void readObject(final ObjectInputStream stream) throws throws IOException, ClassNotFoundException { overridableMethod(); stream.defaultReadObject(); } public void overridableMethod() { // ... } |
Compliant Solution
This compliant solution removes the call to the overridable method. When removing such calls is infeasible, declare the method private or final.
Code Block | ||
---|---|---|
| ||
private void readObject(final ObjectInputStream stream) throws throws IOException, ClassNotFoundException { stream.defaultReadObject(); } |
Exceptions
SER09-J-EX0: The readObject()
method may invoke the overridable methods defaultReadObject()
and readFields()
in class java.io.ObjectInputStream
[SCG 2009].
Risk Assessment
Invoking overridable methods from the readObject()
method can lead to initialization errors.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|
SER09-J |
Low |
Probable |
Medium | P4 |
L3 |
Automated Detection
...
TODO
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
Wiki Markup |
---|
\[[API 06|AA. Java References#API 06]\]
\[[Bloch 08|AA. Java References#Bloch 08]\] Item 17: "Design and document for inheritance or else prohibit it" |
Tool | Version | Checker | Description | ||||||
---|---|---|---|---|---|---|---|---|---|
Parasoft Jtest |
| CERT.SER09.VREADOBJ | Do not invoke overridable methods from the readObject() method |
Related Guidelines
Guideline 7-4 / OBJECT-4: Prevent constructors from calling methods that can be overridden |
Bibliography
...
SER38-J. Do not serialize direct handles to system resources 14. Serialization (SER) 49. Miscellaneous (MSC)