Every serializable container class that has private mutable sub-objects must defensively copy those sub-objects in its readObject method. An adversary can append extra references to the sub-objects to a legitimate serialized form and produce a new byte stream. When that stream is deserialized, the resulting container instance holds internal sub-object references that the attacker also holds, so the attacker can mutate the container's state from outside and violate the invariants the class is supposed to guarantee.
Noncompliant Code Example
There is no defensive copying of the mutable components or sub-objects (the Date object) in this noncompliant code example. An attacker may be able to create an instance of MutableSer with a mutated value of the date sub-object.
```java
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.Serializable;
import java.util.Date;

class MutableSer implements Serializable {
  private Date date = null; // mutable component

  public MutableSer(Date d) {
    date = new Date(d.getTime()); // constructor performs defensive copying
  }

  private void readObject(ObjectInputStream ois)
      throws IOException, ClassNotFoundException {
    ois.defaultReadObject();
    // perform validation if necessary
    // no defensive copy here: date may be shared with a reference the attacker
    // appended to the byte stream
  }
}
```
Compliant Solution
This compliant solution creates a defensive copy of the mutable Date object in the readObject method.
```java
private void readObject(ObjectInputStream ois)
    throws IOException, ClassNotFoundException {
  ois.defaultReadObject();
  // defensively copy the mutable component
  date = new Date(date.getTime());
  // perform validation if necessary
}
```
Note that immutable sub-objects do not need to be copied. Also, avoid using the sub-object's clone() method, because it can be overridden when the sub-object's class is non-final. The sub-object fields (date) must themselves be non-final so that readObject can replace them with the copies. Using the writeUnshared and readUnshared methods as an alternative is also inadvisable [[Bloch 08]].
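The following regression test is an added example, not code from the CERT page: it serializes a container together with an alias to its private Date, which makes the stream carry a back-reference to the same object (the situation an attacker creates by editing the byte stream), and then checks whether tampering with the alias after deserialization changes the container. The class SafeContainer, its getDate() method, and the test harness are assumptions for this demo.

```java
import java.io.*;
import java.lang.reflect.Field;
import java.util.Date;

// Assumed compliant container (not the page's MutableSer): copies date in readObject.
final class SafeContainer implements Serializable {
    private static final long serialVersionUID = 1L;
    private Date date; // mutable and non-final so readObject can replace it

    SafeContainer(Date d) { date = new Date(d.getTime()); }

    Date getDate() { return new Date(date.getTime()); } // hand out a copy, never the field

    private void readObject(ObjectInputStream ois) throws IOException, ClassNotFoundException {
        ois.defaultReadObject();
        date = new Date(date.getTime()); // defensive copy of the mutable component
    }
}

public class DefensiveCopyCheck {
    // Writes the container and an alias to its internal "date" field into one stream,
    // reads both back, tampers with the alias and reports whether the container's
    // date stayed unchanged. Reflection is used only because this is a test harness.
    static boolean survivesAliasing(Object container) throws Exception {
        Field f = container.getClass().getDeclaredField("date");
        f.setAccessible(true);
        Object[] payload = { container, f.get(container) }; // second entry becomes a back-reference

        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(payload); }

        Object[] back;
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
            back = (Object[]) ois.readObject();
        }
        Date alias = (Date) back[1];
        long before = ((Date) f.get(back[0])).getTime();
        alias.setTime(before + 86_400_000L); // mutate through the aliased reference
        return ((Date) f.get(back[0])).getTime() == before; // true only with a defensive copy
    }

    public static void main(String[] args) throws Exception {
        System.out.println("SafeContainer keeps its date: " + survivesAliasing(new SafeContainer(new Date())));
    }
}
```

Running the same check against the page's noncompliant MutableSer (placed in the same package) returns false, because the deserialized alias and the container's field are the same Date object.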
Risk Assessment
Failure to defensively copy mutable components during deserialization can violate the immutability contract of an object.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level
---|---|---|---|---|---
SER34-J | low | probable | medium | P4 | L3
Automated Detection
TODO
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
[[API 06]]
[[Sun 06]] "Serialization specification: A.6 Guarding Unshared Deserialized Objects"
[[Bloch 08]] Item 76: "Write readObject methods defensively"