Bibliography
[Bloch 2005]
Puzzle 8, “Dos Equis”
[Findbugs 2008]
“Bx: Primitive Value Is Unboxed and Coerced for Ternary Operator”
[JLS 2013]
§15.25, “Conditional Operator ? :”
[Long 2012]
NUM12-J. Ensure conversions of numeric types to narrower types do not result in lost or misinterpreted data
46. Do not serialize direct handles to system resources
Serialized objects can be altered outside of any Java program unless they are protected by
mechanisms such as sealing and signing. (See The CERT ® Oracle ® Secure Coding Standard
for Java [Long 2012], “ENV01-J. Place all security-sensitive code in a single JAR and sign
and seal it.”) If an object that refers to a system resource is serialized, and an attacker
can alter its serialized form, the attacker can change which resource the deserialized handle
refers to. For example, an attacker may rewrite the path stored inside a serialized file
handle so that it refers to an arbitrary file on the system. In the absence of a security
manager, every subsequent operation on that file handle is carried out against the
attacker-supplied file path and file name.
Noncompliant Code Example
This noncompliant code example declares a serializable File object in the class Ser:
import java.io.File;
import java.io.FileNotFoundException;
import java.io.Serializable;

// Noncompliant: f is a non-transient field, so the File's path is written into the
// serialized form, where anyone who can edit the stream can rewrite it.
final class Ser implements Serializable {
  File f;
  public Ser() throws FileNotFoundException {
    f = new File("c:\\filepath\\filename");
  }
}
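The attack described above, carried out against a class of the same shape as Ser, as an added example that is not part of the book's text: the serialized stream is edited byte-for-byte with no Java involved (the path is stored by writeUTF with a length prefix, so a same-length replacement keeps the stream well-formed), and the deserialized handle then points at the attacker's file. The second half shows the signing protection the paragraph mentions, using java.security.SignedObject, which detects the same edit before the handle is used. The paths and file names are constructed for the example, and the RSA key pair is generated on the fly only for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Signature;
import java.security.SignedObject;

public class SerializedHandleDemo {

    // Same shape as the noncompliant class: the File handle is serialized directly.
    static final class Ser implements Serializable {
        private static final long serialVersionUID = 1L;
        File f;
        Ser(String path) { f = new File(path); }
    }

    static byte[] serialize(Serializable o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    // Attacker step, needs no Java: overwrite the first occurrence of `from` in the raw
    // stream with `to`. Keeping the byte length equal leaves writeUTF's length prefix
    // valid, so the tampered stream deserializes without any error.
    static byte[] tamper(byte[] stream, String from, String to) {
        byte[] a = from.getBytes(StandardCharsets.UTF_8);
        byte[] b = to.getBytes(StandardCharsets.UTF_8);
        if (a.length != b.length) throw new IllegalArgumentException("replacement must keep the length");
        byte[] out = stream.clone();
        outer:
        for (int i = 0; i + a.length <= out.length; i++) {
            for (int j = 0; j < a.length; j++) {
                if (out[i + j] != a[j]) continue outer;
            }
            System.arraycopy(b, 0, out, i, b.length);
            return out;
        }
        throw new IllegalStateException("target string not found in stream");
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample path; "public.txt" and "secret.txt" are both 10 bytes, and
        // matching on the file name alone keeps the edit independent of the OS separator.
        String original = "/srv/app/data/public.txt";

        // 1. Unprotected serialized form: the edited bytes are accepted and the restored
        //    handle now refers to whatever file the attacker chose.
        byte[] plain = serialize(new Ser(original));
        Ser restored = (Ser) deserialize(tamper(plain, "public.txt", "secret.txt"));
        System.out.println("unprotected handle after tampering: " + restored.f.getPath());

        // 2. Signed serialized form: SignedObject stores the same serialized bytes next to
        //    a signature over them, so the identical edit is caught by verify().
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);                       // demo-only key pair
        KeyPair kp = kpg.generateKeyPair();
        SignedObject signed = new SignedObject(new Ser(original), kp.getPrivate(),
                                               Signature.getInstance("SHA256withRSA"));
        byte[] signedBytes = serialize(signed);

        SignedObject tampered = (SignedObject) deserialize(tamper(signedBytes, "public.txt", "secret.txt"));
        boolean ok = tampered.verify(kp.getPublic(), Signature.getInstance("SHA256withRSA"));
        System.out.println("signature verifies after tampering: " + ok);
        if (ok) {                                   // only unwrap the handle when the signature holds
            Ser inner = (Ser) tampered.getObject();
            System.out.println("handle: " + inner.f.getPath());
        } else {
            System.out.println("rejecting tampered serialized handle");
        }
    }
}
```

Two points worth noting when running this. First, the tampered unprotected stream deserializes with no exception at all; nothing in ObjectInputStream or File knows the path was changed, which is why a security manager or a signature is the only thing standing between the attacker and the file. Second, SignedObject only gives integrity; if the path itself must stay confidential, wrap the object in javax.crypto.SealedObject (the "sealing" the text refers to) as well, and in either case verify before calling getObject().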