Invoking overridable methods from the readObject()
method can cause the overriding method to read the state of the subclass before it is fixed. This is because the base class is deserialized first, followed by the subclass. Also see the related guidelines CON08-J. Do not call overridable methods from synchronized regions and MET07-J. Do not invoke overridable methods on the clone under construction.
Noncompliant Code Example
This noncompliant code example invokes an overridable method from the readObject()
method.
private void readObject(final ObjectInputStream stream) throws IOException, ClassNotFoundException { overridableMethod(); stream.defaultReadObject(); }
Compliant Solution
This compliant solution removes the call to the overridable method.
private void readObject(final ObjectInputStream stream) throws IOException, ClassNotFoundException { stream.defaultReadObject(); }
Risk Assessment
Invoking overridable methods from the readObject()
method can lead to initialization errors.
Rule |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
---|---|---|---|---|---|
SER11- J |
low |
probable |
medium |
P4 |
L3 |
Automated Detection
TODO
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
[[API 06]]
[[Bloch 08]] Item 17: "Design and document for inheritance or else prohibit it"
SER10-J. Do not serialize direct handles to system resources 14. Serialization (SER) SER12-J. Avoid memory and resource leaks during serialization