When objects are being serialized using the writeObject() method, if the same object is encountered more than once, it is written to the output stream only once, and after the first occurrence, only a reference to the first occurrence is written to the stream. Correspondingly, the readObject() method resolves references written by writeObject() to multiple occurrences of the same object.
According to the Java API [API 2006], the writeUnshared() method:
writes an "unshared" object to the ObjectOutputStream. This method is identical to writeObject, except that it always writes the given object as a new, unique object in the stream (as opposed to a back-reference pointing to a previously serialized instance).
Correspondingly, the readUnshared() method:
reads an "unshared" object from the ObjectInputStream. This method is identical to readObject, except that it prevents subsequent calls to readObject and readUnshared from returning additional references to the deserialized instance obtained via this call.
This means that to serialize a network of objects containing circular references and then to successfully deserialize the same network the writeUnshared/readUnshared methods must not be used.
Noncompliant Code Example
This noncompliant code example does something bad using writeUnshared().
// need some code here
Compliant Solution
This compliant solution overcomes the problem of the noncompliant code example.
// need some code here
Risk Assessment
Using the writeUnshared() and readUnshared() methods may produce unexpected results.
Guideline | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
MSC62-JG | medium | low | low | P6 | L2 |
Automated Detection
Automated detection is straightforward.
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this guideline on the CERT website.
Bibliography