...
This noncompliant code example simply serializes then deserializes the map. Consequently, the map can be serialized and transferred across different business tiers. Unfortunately, the example lacks any safeguards against byte stream manipulation attacks while the binary data is in transit. Likewise, anyone can reverse-engineer the serialized stream data to recover the data in the HashMap. Anyone would also be able to tamper with the map and produce an object that made the deserializer crash or hang.
| Code Block | ||
|---|---|---|
| ||
public static void main(String[] args)
throws IOException, ClassNotFoundException {
// Build map
SerializableMap<String, Integer> map = buildMap();
// Serialize map
ObjectOutputStream out =
new ObjectOutputStream(new FileOutputStream("data"));
out.writeObject(map);
out.close();
// Deserialize map
ObjectInputStream in =
new ObjectInputStream(new FileInputStream("data"));
map = (SerializableMap<String, Integer>) in.readObject();
in.close();
// Inspect map
InspectMap(map);
}
|
...
Failure to sign and then seal objects during transit can lead to loss of object integrity or confidentiality.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
SER02-J | Medium | Probable | High | P4 | L3 |
Automated Detection
This rule is not amenable to static analysis in the general case.
| Tool | Version | Checker | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|
| CodeSonar |
| JAVA.IO.INJ.ANDROID.MESSAGE | Android Message Injection (Java) |
Related Guidelines
Bibliography
[API 2014] |
Section 9.10, "Sealing Objects" | |
Chapter 11, "Object Serialization" | |
Item 64, "Use | |
Chapter 10, "Securing the Business Tier" |
...
...