SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 53

changes.mady.by.user Robert Seacord (Manager)

Saved on

compared with

New Version 54

changes.mady.by.user Brendan Saulsbury

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

SER07-J

medium

probable

high

P4

L3

Related Guidelines

MITRE CWE

CWE ID 502, "Deserialization of Untrusted Data"

[Secure Coding Guidelines for the Java Programming Language, Version
3.0

http://www.oracle.com/technetwork/java/seccodeguide-139067.html

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="76a617d8-e901-4a33-ba75-848a86ba1e69"><ac:plain-text-body><![CDATA[

[[MITRE 2009

AA. Bibliography#MITRE 09]]

[CWE ID 502

http://cwe.mitre.org/data/definitions/502.html], "Deserialization of Untrusted Data"

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="abb48539-8ee7-40b5-826b-9589733a83e8"><ac:plain-text-body><![CDATA[

[[SCG 2009

AA. Bibliography#SCG 09]]

Guideline 5-3 View deserialization the same as object construction ]]></ac:plain-text-body></ac:structured-macro>

Bibliography

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="25c74ec26493f30a-0e6b94eb-4b804a00-825b875e-8e41df992f472732cc81b20e"><ac:plain-text-body><![CDATA[

[[API 2006

AA. Bibliography#API 06]]

Class Object, Class Hashtable

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="9a2629210b8ed6a4-7e15b1ea-431947cc-b27f9d08-db91525ce96941acc290f71c"><ac:plain-text-body><![CDATA[

[[Bloch 2008

AA. Bibliography#Bloch 08]]

Item 75: "Consider using a custom serialized form"

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="d02f3093990e8a8f-4214a952-4cf144c8-974a924c-1e1601a44c133caffbcb647a"><ac:plain-text-body><![CDATA[

[[Greanier 2000

AA. Bibliography#Greanier 00]]

 

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="f436146b3af2b484-a1af3acb-4c6641cd-8636a1c3-0f098f746447ed2d4da2dfd9"><ac:plain-text-body><![CDATA[

[[Harold 1999

AA. Bibliography#Harold 99]]

Chapter 11: Object Serialization, Validation

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="9df15766fedd3f8a-aa6675bf-476e4e06-a83499fe-6b49715242ef65adaa505a36"><ac:plain-text-body><![CDATA[

[[Hawtin 2008

AA. Bibliography#Hawtin 08]]

Antipattern 8: Believing deserialisation is unrelated to construction

]]></ac:plain-text-body></ac:structured-macro>

...