The serialized form of the object exposes the file path, which can be altered. When
the object is deserialized, the operations are performed using the altered path, which can
cause the wrong file to be read or modified.
Compliant Solution (Not Implementing Serializable)
This compliant solution shows a final class Ser that does not implement java.io.Serializable. Consequently, the File object cannot be serialized: an attempt to write a Ser instance with ObjectOutputStream.writeObject() fails with a java.io.NotSerializableException, and the file path never reaches the stream.
import java.io.File;
import java.io.FileNotFoundException;

// Not Serializable: writeObject() rejects instances of Ser, so the path is never exposed.
final class Ser {
    File f;

    public Ser() throws FileNotFoundException {
        f = new File("c:\\filepath\\filename");
    }
}
Compliant Solution (Object Marked Transient)
This compliant solution declares the File object transient. The file path is not serialized with the rest of the class and is consequently not exposed to attackers. Note that transient fields are not restored either: after deserialization, f is null until the class reinitializes it, for example in a readObject() method that rebuilds the handle from a trusted source rather than from data in the stream.
import java.io.File;
import java.io.FileNotFoundException;
import java.io.Serializable;

final class Ser implements Serializable {
    transient File f; // omitted from the serialized form; null after deserialization

    public Ser() throws FileNotFoundException {
        f = new File("c:\\filepath\\filename");
    }
}
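To check both compliant solutions from the outside, the following added example (mine, not code from the book; the class names SerDemo, NotSer and TransientSer, the helper methods and the fixed TRUSTED_PATH constant are assumptions for illustration) serializes each variant into a byte array: the non-Serializable variant is rejected with NotSerializableException, and the transient variant's stream is scanned to confirm the path string is absent. It also shows the readObject() step the transient solution needs in practice, because a transient field is left null after deserialization and must be rebuilt from a trusted source rather than from the stream.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.IOException;
import java.io.NotSerializableException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;

public class SerDemo {

    // Assumed fixed path for illustration; a real application would obtain it
    // from trusted configuration, never from the serialized stream.
    private static final String TRUSTED_PATH = "c:\\filepath\\filename";

    // Variant 1 (hypothetical name): not Serializable, so ObjectOutputStream
    // refuses the object outright.
    static final class NotSer {
        final File f = new File(TRUSTED_PATH);
    }

    // Variant 2 (hypothetical name): Serializable, but the handle is transient
    // and is rebuilt from the trusted path after deserialization.
    static final class TransientSer implements Serializable {
        private static final long serialVersionUID = 1L;
        transient File f = new File(TRUSTED_PATH);

        // Field initializers do not run during deserialization, so without this
        // method f would be null in the deserialized object.
        private void readObject(ObjectInputStream in)
                throws IOException, ClassNotFoundException {
            in.defaultReadObject();     // restores non-transient fields (none here)
            f = new File(TRUSTED_PATH); // never taken from the stream
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    // True if the serialized form carries the (ASCII) path as a modified-UTF-8 string.
    // ISO-8859-1 decoding maps every byte to one char, so a byte-level search suffices.
    static boolean containsPath(byte[] bytes) {
        return new String(bytes, StandardCharsets.ISO_8859_1).contains(TRUSTED_PATH);
    }

    public static void main(String[] args) throws Exception {
        // Variant 1: serialization must fail.
        try {
            serialize(new NotSer());
            throw new AssertionError("NotSer must not be serializable");
        } catch (NotSerializableException expected) {
            System.out.println("NotSer rejected: " + expected.getMessage());
        }

        // Variant 2: the stream must not contain the path, and the handle must
        // still be usable after the round trip.
        byte[] bytes = serialize(new TransientSer());
        if (containsPath(bytes)) {
            throw new AssertionError("path leaked into the serialized form");
        }
        TransientSer copy = (TransientSer) deserialize(bytes);
        if (copy.f == null || !copy.f.getPath().equals(TRUSTED_PATH)) {
            throw new AssertionError("transient handle was not rebuilt");
        }
        System.out.println("TransientSer: path absent from stream, handle rebuilt from trusted path");
    }
}
```

If the readObject() method is removed from TransientSer, the program still serializes without leaking the path, but the final check fails because copy.f is null; that is the failure mode the transient solution leaves to the class author.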
Applicability
Deserializing direct handles to system resources can allow an attacker who can alter the serialized form to redirect operations to, and thereby read or modify, resources other than those originally referred to.
Bibliography
[Long 2012] Long, F., D. Mohindra, R. C. Seacord, D. F. Sutherland, and D. Svoboda. The CERT Oracle Secure Coding Standard for Java. Addison-Wesley, 2012.
ENV01-J. Place all security-sensitive code in a single JAR and sign and seal it