
Classes that implement the Externalizable interface must provide the readExternal() and writeExternal() methods. These methods are public and can be called by trusted and hostile code alike. Consequently, programs must ensure that these methods execute only when intended, and that they cannot overwrite the internal state of objects at arbitrary points during program execution.

Noncompliant Code Example

This noncompliant code example allows any caller to reset the value of the object at any time, because the readExternal() method is necessarily declared to be public and lacks protection against hostile callers.

public void readExternal(ObjectInput in) throws IOException, ClassNotFoundException {
   // Read instance fields
   this.name = (String)in.readObject();
   this.UID = in.readInt();
   //...
}

Compliant Solution

This compliant solution protects against race conditions by synchronizing the method. It also protects against multiple initialization through the use of a boolean flag that is set after the instance fields have been populated.

public synchronized void readExternal(ObjectInput in)
    throws IOException, ClassNotFoundException {
  if (!initialized) {
    // Read instance fields
    this.name = (String)in.readObject();
    this.UID = in.readInt();
    //...
    initialized = true;
  } else {
    throw new IllegalStateException();
  }
}

Note that this compliant solution is insufficient to protect sensitive data.

Risk Assessment

Failure to prevent the overwriting of externalizable objects can corrupt the state of the object.

Guideline | Severity | Likelihood | Remediation Cost | Priority | Level
SER13-J   | low      | probable   | low              | P6       | L2

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this guideline on the CERT website.
