Skip to end of metadata
Go to start of metadata

Classes that implement the Externalizable interface must provide the readExternal() and writeExternal() methods. These methods have package-private or public access, and so they can be called by trusted and untrusted code alike. Consequently, programs must ensure that these methods execute only when intended and that they cannot overwrite the internal state of objects at arbitrary points during program execution.

Noncompliant Code Example

This noncompliant code example allows any caller to reset the value of the object at any time because the readExternal() method is necessarily declared to be public and lacks protection against hostile callers:

public void readExternal(ObjectInput in) 
                         throws IOException, ClassNotFoundException {
   // Read instance fields
   this.name = (String) in.readObject();
   this.UID = in.readInt();
   // ...
}

Compliant Solution

This compliant solution protects against multiple initialization through the use of a Boolean flag that is set after the instance fields have been populated. It also protects against race conditions by synchronizing on a private lock object (see LCK00-J. Use private final lock objects to synchronize classes that may interact with untrusted code).

private final Object lock = new Object();
private boolean initialized = false;

public void readExternal(ObjectInput in)
                         throws IOException, ClassNotFoundException {
  synchronized (lock) {
    if (!initialized) {
      // Read instance fields
      this.name = (String) in.readObject();
      this.UID = in.readInt();
      // ...  
      initialized = true;
    } else {
      throw new IllegalStateException();
    }
  }
}

Note that this compliant solution is inadequate to protect sensitive data.

Risk Assessment

Failure to prevent the overwriting of an externalizable object can corrupt the state of the object.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

SER11-J

Low

Probable

Low

P6

L2

Automated Detection

ToolVersionCheckerDescription
Parasoft Jtest 10.3 SERIAL.IRXImplemented

Bibliography

[API 2014]

 

[Sun 2006]

Serialization Specification, A.7, Preventing Overwriting of Externalizable Objects

 


1 Comment

  1. sort of a nit, but it is not apparent that "overwriting of Externalizable Objects" might occur as the result of invoking the writeExternal() method which is also the subject of this rule.