It is not unusual for Java code to deserialize data that comes from an untrusted source. A serializable class can define a private readObject(ObjectInputStream) method, which ObjectInputStream invokes while an object of that class is being deserialized. This method (as well as similar methods such as readResolve(), readObjectNoData(), and readExternal() for Externalizable classes) should treat the serialized data as potentially malicious: it should not perform dangerous operations, nor should it set the stage for such operations to be performed later in the deserialization process. These methods run before the application holds a reference to the new object, so whoever produced the byte stream controls every field they see, and no later validation by the caller can undo a side effect that has already happened. For example, simply deserializing data should never invoke the method Runtime.exec().
Non-Compliant Code Example
Compliant Solution
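The two code sections above are empty on this page. As an added example that is not the original page's code, the following fills the same role: a noncompliant class whose readObject() executes a command carried in the stream, beside a compliant rewrite whose readObject() only restores and validates state and leaves any side effect to an explicit, later call by the application. The class names CommandTaskNoncompliant and CommandTaskCompliant, the serialize/deserialize helpers, and the "echo pwned" payload are assumptions for the demonstration; the payload bytes are constructed locally in main() to stand in for a stream received from an untrusted peer.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidObjectException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class Ser13Demo {

    /**
     * Noncompliant (example class, not from the original page): readObject()
     * runs a command taken straight from the stream. Whoever produced the
     * stream chooses the command, and it runs before the application ever
     * gets a reference to the object.
     */
    static final class CommandTaskNoncompliant implements Serializable {
        private static final long serialVersionUID = 1L;
        private String command;

        CommandTaskNoncompliant(String command) { this.command = command; }

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            // Dangerous: a side effect driven entirely by untrusted data.
            Process p = Runtime.getRuntime().exec(command);
            try {
                System.out.println("noncompliant readObject ran \"" + command + "\", exit " + p.waitFor());
            } catch (InterruptedException e) {
                Thread.currentThread().interrupt();
            }
        }
    }

    /**
     * Compliant (example class, not from the original page): readObject()
     * only restores and validates state. Running the command is a separate,
     * explicit step the application takes, or refuses to take, after
     * deserialization, once it knows where the bytes came from.
     */
    static final class CommandTaskCompliant implements Serializable {
        private static final long serialVersionUID = 1L;
        private String command;

        CommandTaskCompliant(String command) { this.command = command; }

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            // Reject malformed state instead of acting on it.
            if (command == null || command.isEmpty()) {
                throw new InvalidObjectException("command must be a non-empty string");
            }
        }

        String command() { return command; }

        // Never called by the deserialization machinery; the caller decides.
        int run() throws IOException, InterruptedException {
            return Runtime.getRuntime().exec(command).waitFor();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed payloads standing in for bytes received from an untrusted peer.
        byte[] hostile = serialize(new CommandTaskNoncompliant("echo pwned"));
        byte[] benign = serialize(new CommandTaskCompliant("echo pwned"));

        // Merely calling readObject() on the hostile bytes runs the command.
        deserialize(hostile);

        // The compliant class hands back an object and nothing has happened yet.
        CommandTaskCompliant task = (CommandTaskCompliant) deserialize(benign);
        System.out.println("compliant readObject restored \"" + task.command() + "\" without running it");
        // The application now chooses; here it declines, because the bytes were untrusted.
    }
}
```

Keeping readObject() free of side effects protects against this class's own state being abused, but it does nothing about other serializable classes on the classpath whose deserialization methods are dangerous (the gadget-chain problem behind the CVEs in the Bibliography). That requires restricting which classes a stream may instantiate, for example with an ObjectInputFilter (Java 9 and later, backported to Java 8u121), in addition to following this rule.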
Risk Assessment
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
SER13-J | High | Likely | High | P9 | L2 |
Automated Detection
Tool | Version | Checker | Description |
---|---|---|---|
  |   |   | Useful for developing exploits that detect violation of this rule |
Related Guidelines
Bibliography
[CVE-2011-2894] Spring Framework: deserialization of untrusted objects allowing remote code execution, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2894
[CVE-2015-3253] Apache Groovy: MethodClosure deserialization allowing arbitrary code execution, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3253