...
```java
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class Ser implements Serializable {
  private static final long serialVersionUID = 123456789L;

  private Ser() {
    // Initialize
  }

  // Noncompliant: declared public and static. The serialization runtime
  // only recognizes "private void writeObject(ObjectOutputStream)", so
  // this method is never invoked and default serialization is used instead.
  public static void writeObject(final ObjectOutputStream stream)
      throws IOException {
    stream.defaultWriteObject();
  }

  // Noncompliant for the same reasons: the required signature is
  // "private void readObject(ObjectInputStream)".
  public static void readObject(final ObjectInputStream stream)
      throws IOException, ClassNotFoundException {
    stream.defaultReadObject();
  }
}
```
Similarly, omitting the static keyword is insufficient to make this example secure. Note that there are two things wrong with the signatures of writeObject() and readObject() in this noncompliant code example: (1) the methods are declared public instead of private, and (2) the methods are declared static instead of non-static. Because the method signatures do not exactly match the required signatures, the JVM will not detect the two methods, and the custom serialized form is never used.
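The following is an added example, not code from the CERT rule: the same class rewritten with the signatures the serialization runtime actually looks for (private, non-static, void, one stream parameter), plus a transient field that readObject() must restore so that the round trip reveals whether the custom method ran. The class name SerFixed, the name field and the length check are assumptions made for the illustration.

```java
import java.io.*;

public final class SerFixed implements Serializable {
    private static final long serialVersionUID = 123456789L;

    private final String name;
    // Not written to the stream; must be recomputed in readObject().
    private transient int nameLength;

    public SerFixed(String name) {
        this.name = name;
        this.nameLength = name.length();
    }

    public int nameLength() {
        return nameLength;
    }

    // Correct signature: private, non-static, void, single stream parameter.
    private void writeObject(final ObjectOutputStream stream) throws IOException {
        stream.defaultWriteObject();
    }

    // Correct signature; also validates the stream and restores the transient field.
    private void readObject(final ObjectInputStream stream)
            throws IOException, ClassNotFoundException {
        stream.defaultReadObject();
        if (name == null) {
            throw new InvalidObjectException("name must not be null");
        }
        nameLength = name.length();
    }

    // Round-trips one instance through a byte array (constructed input).
    // nameLength is 5 only if the custom readObject() was invoked.
    public static void main(String[] args) throws Exception {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(new SerFixed("alice"));
        }
        try (ObjectInputStream in = new ObjectInputStream(
                new ByteArrayInputStream(bytes.toByteArray()))) {
            SerFixed copy = (SerFixed) in.readObject();
            System.out.println("custom readObject used: " + (copy.nameLength() == 5));
        }
    }
}
```

With the public static signatures from the noncompliant example above, the same round trip would print false, because default deserialization runs without calling the method and nameLength stays at 0.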
...
Deviating from the proper signatures of serialization methods can lead to unexpected behavior. Failure to limit the accessibility of the readObject() and writeObject() methods can leave code vulnerable to untrusted invocations. Declaring readResolve() and writeReplace() methods to be static or private can force subclasses to silently ignore them, while declaring them public allows them to be invoked by untrusted code.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
SER01-J | High | Likely | Low | P27 | L1 |
Automated Detection
Tool | Version | Checker | Description |
---|---|---|---|
CodeSonar | | JAVA.CLASS.SER.ND | Serialization Not Disabled (Java) |
Coverity | 7.5 | UNSAFE_DESERIALIZATION | Implemented |
Parasoft Jtest | | CERT.SER01.ROWO | Ensure that the 'readObject()' and 'writeObject()' methods have the correct signature |
PVS-Studio | | V6075 | |
SonarQube | | S2061 | Custom serialization method signatures should meet requirements |
Related Guidelines
Bibliography
...