You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 35 Next »

Invoking overridable methods from the readObject() method can allow the overriding method to read the state of the subclass before it is fully constructed, since the base class is deserialized first, followed by the subclass. Therefore readObject() must not call any overridable methods.

Also see the related rule MET07-J. Do not invoke overridable methods in clone().

Noncompliant Code Example

This noncompliant code example invokes an overridable method from the readObject() method.

private void readObject(final ObjectInputStream stream) throws 
    IOException, ClassNotFoundException {
  overridableMethod(); 
  stream.defaultReadObject();
}

public void overridableMethod() {
  // ...
}

Compliant Solution

This compliant solution removes the call to the overridable method. When removing such calls is infeasible, ensure that the overridable method is declared private or final.

private void readObject(final ObjectInputStream stream) throws 
    IOException, ClassNotFoundException {
  stream.defaultReadObject();
}

Exceptions

SER11-EX1: "The readObject methods will often call java.io.ObjectInputStream.defaultReadObject, which is an overridable method" [[SCG 2009]]. Such calls are permitted.

Risk Assessment

Invoking overridable methods from the readObject() method can lead to initialization errors.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

SER11-J

low

probable

medium

P4

L3

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Bibliography

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="5deedd11-df39-4073-8f13-c36ea847b9bf"><ac:plain-text-body><![CDATA[

[[API 2006

AA. Bibliography#API 06]]

 

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="75a5c66b-23a7-4417-9513-638981a1378b"><ac:plain-text-body><![CDATA[

[[SCG 2009

AA. Bibliography#SCG 09]]

Guideline 4-4 Prevent constructors from calling methods that can be overridden

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="1dfa9e40-04bc-4982-a6c8-8fe15573eae8"><ac:plain-text-body><![CDATA[

[[Bloch 2008

AA. Bibliography#Bloch 08]]

Item 17: "Design and document for inheritance or else prohibit it"

]]></ac:plain-text-body></ac:structured-macro>


SER09-J. Minimize privileges before deserializing from a privileged context      16. Serialization (SER)      SER12-J. Avoid memory and resource leaks during serialization

  • No labels