When objects are being serialized using the writeObject() method, if the same object is encountered more than once then it is written to the output stream only once; after the first occurrence, only a reference to the first occurrence is written to the stream. Correspondingly, the readObject() method resolves references written by writeObject() to multiple occurrences of the same object.
On the other hand, according to the Java API [[API 2006]], the writeUnshared() method:
Writes an "unshared" object to the ObjectOutputStream. This method is identical to writeObject, except that it always writes the given object as a new, unique object in the stream (as opposed to a back-reference pointing to a previously serialized instance).
Correspondingly, the readUnshared() method:
Reads an "unshared" object from the ObjectInputStream. This method is identical to readObject, except that it prevents subsequent calls to readObject and readUnshared from returning additional references to the deserialized instance obtained via this call.
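The difference described in the two API quotations above can be observed directly. The following is an added illustration, not code from the CERT guideline or from the JDK documentation; the class and method names (UnsharedDemo, Token, roundTrip, backReferenceRefused) and the sample Token payload are assumptions made for the example. It serializes the same object twice with writeObject() and again with writeUnshared(), then compares the identity of what readObject() returns, and it also shows what happens when the first occurrence is read with readUnshared() and the stream later contains a back-reference to it (the JDK signals the refused back-reference with an ObjectStreamException, an InvalidObjectException in practice).

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamException;
import java.io.Serializable;

// Added illustration, not code from the CERT guideline. Class and method
// names (UnsharedDemo, Token, roundTrip, backReferenceRefused) are assumptions.
public class UnsharedDemo {

    // Constructed sample payload; any Serializable class would do.
    static final class Token implements Serializable {
        private static final long serialVersionUID = 1L;
        final String value;
        Token(String value) { this.value = value; }
    }

    // Writes the same object twice with either writeObject() or writeUnshared()
    // and returns the two objects that readObject() produces on the way back.
    static Object[] roundTrip(Token t, boolean unshared)
            throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            if (unshared) {
                out.writeUnshared(t); // complete copy, no handle kept for later reuse
                out.writeUnshared(t); // second complete copy of the same object
            } else {
                out.writeObject(t);   // first occurrence: full object data
                out.writeObject(t);   // second occurrence: back-reference to the first
            }
        }
        try (ObjectInputStream in = new ObjectInputStream(
                new ByteArrayInputStream(bytes.toByteArray()))) {
            return new Object[] { in.readObject(), in.readObject() };
        }
    }

    // Reads a stream written with writeObject() twice, but takes the first
    // occurrence with readUnshared(). Returns true if the later back-reference
    // to that instance is refused by the stream, false if readObject() hands
    // out a second reference anyway.
    static boolean backReferenceRefused(Token t)
            throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(t);
            out.writeObject(t);
        }
        try (ObjectInputStream in = new ObjectInputStream(
                new ByteArrayInputStream(bytes.toByteArray()))) {
            in.readUnshared();           // first occurrence, marked unshared
            try {
                in.readObject();         // back-reference to the unshared instance
                return false;
            } catch (ObjectStreamException e) {
                return true;             // the JDK rejects the back-reference
            }
        }
    }

    public static void main(String[] args) throws Exception {
        Token t = new Token("sample");
        Object[] shared = roundTrip(t, false);
        Object[] unshared = roundTrip(t, true);
        System.out.println("writeObject x2, same instance on read:   " + (shared[0] == shared[1]));
        System.out.println("writeUnshared x2, same instance on read: " + (unshared[0] == unshared[1]));
        System.out.println("readUnshared, later back-reference refused: " + backReferenceRefused(t));
    }
}
```

Following the API contract quoted above, the pair produced by writeObject() resolves to a single instance on the reading side, because the second write is only a back-reference, while the pair produced by writeUnshared() deserializes to two distinct Token objects with equal contents. The third check shows the reading-side counterpart: once an object has been obtained through readUnshared(), the stream no longer hands out further references to it, so any aliasing that the writer relied on is lost for that object.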
Noncompliant Code Example
This noncompliant code example does something bad using writeUnshared().
// need some code here
Compliant Solution
This compliant solution overcomes the problem of the NCCE.
// need some code here
Risk Assessment
Using the writeUnshared() and readUnshared() methods may be bad.
| Guideline | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
| MSC62-J | medium | low | low | P6 | L2 |
Automated Detection
Automated detection is straightforward.
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this guideline on the CERT website.
Bibliography
[[API 2006|AA. References#API 06]] [Class ObjectOutputStream|http://download.oracle.com/javase/6/docs/api/java/io/ObjectOutputStream.html] and [Class ObjectInputStream|http://download.oracle.com/javase/6/docs/api/java/io/ObjectInputStream.html]