"An inner class is a nested class that is not explicitly or implicitly declared static" [JLS 2015]. Serialization of inner classes (including local and anonymous classes) is error prone. According to the Serialization Specification [Sun 2006]:

  • Serializing an inner class declared in a non-static context that contains implicit non-transient references to enclosing class instances results in serialization of its associated outer class instance.
  • Synthetic fields generated by Java compilers to implement inner classes are implementation dependent and may vary between compilers; differences in such fields can disrupt compatibility as well as result in conflicting default serialVersionUID values. The names assigned to local and anonymous inner classes are also implementation dependent and may differ between compilers.
  • Because inner classes cannot declare static members other than compile-time constant fields, they cannot use the serialPersistentFields mechanism to designate serializable fields.
  • Because inner classes associated with outer instances do not have zero-argument constructors (constructors of such inner classes implicitly accept the enclosing instance as a prepended parameter), they cannot implement Externalizable. The Externalizable interface requires the implementing object to manually save and restore its state using the writeExternal() and readExternal() methods.

Consequently, programs must not serialize inner classes.

None of these issues, however, apply to static member classes; serialization of static member classes is permitted.

Noncompliant Code Example

In this noncompliant code example, the fields contained within the outer class are also serialized when the inner class is serialized:

```java
import java.io.Serializable;

public class OuterSer implements Serializable {
  private int ssnrank;
  // Non-static inner class: it holds an implicit reference to the enclosing
  // OuterSer instance, so serializing InnerSer also serializes that instance.
  class InnerSer implements Serializable {
    protected String name;
    // ...
  }
}
```

Compliant Solution

The InnerSer class of this compliant solution deliberately fails to implement the Serializable interface:

```java
import java.io.Serializable;

public class OuterSer implements Serializable {
  private int ssnrank;
  // InnerSer is not Serializable, so it can never be written to an
  // object stream and cannot drag the OuterSer instance along with it.
  class InnerSer {
    protected String name;
    // ...
  }
}
```

Compliant Solution

If an inner and outer class must both be Serializable, the inner class can be declared static to prevent a serialized inner class from also serializing its outer class.

```java
import java.io.Serializable;

public class OuterSer implements Serializable {
  private int ssnrank;
  // A static nested class has no implicit reference to an OuterSer
  // instance, so serializing it does not serialize any OuterSer state.
  static class InnerSer implements Serializable {
    protected String name;
    // ...
  }
}
```
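As an added example that is not part of the original rule text (class and method names are assumptions), this program serializes an inner object and a static nested object and checks whether the outer class's field name is written into each stream; it also shows the NotSerializableException that arises when the outer class is not Serializable, the case SonarQube rule S2066 flags.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.NotSerializableException;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;

public class InnerSerDemo {
    // Outer class shaped like the rule's OuterSer; ssnrank should stay out of inner streams.
    static class OuterSer implements Serializable {
        private int ssnrank = 42;
        // Non-static inner class: holds an implicit reference to its OuterSer.
        class InnerSer implements Serializable { protected String name = "inner"; }
        // Static nested class: no implicit outer reference (second compliant solution).
        static class StaticInner implements Serializable { protected String name = "nested"; }
    }
    // Outer class that is not Serializable but owns a Serializable inner class.
    static class OuterPlain {
        class Inner implements Serializable { protected String name = "doomed"; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }
    // True if the UTF-8 bytes of needle occur anywhere in the stream.
    static boolean contains(byte[] hay, String needle) {
        byte[] n = needle.getBytes(StandardCharsets.UTF_8);
        outer:
        for (int i = 0; i + n.length <= hay.length; i++) {
            for (int j = 0; j < n.length; j++) if (hay[i + j] != n[j]) continue outer;
            return true;
        }
        return false;
    }

    public static void main(String[] args) throws IOException {
        // OuterSer's class descriptor (field name "ssnrank" included) is written only
        // when the enclosing instance travels with the inner object.
        System.out.println("inner stream names ssnrank:  " + contains(serialize(new OuterSer().new InnerSer()), "ssnrank"));
        System.out.println("nested stream names ssnrank: " + contains(serialize(new OuterSer.StaticInner()), "ssnrank"));
        try {
            serialize(new OuterPlain().new Inner());
        } catch (NotSerializableException e) {
            System.out.println("non-serializable outer: " + e.getMessage()); // implicit OuterPlain reference cannot be written
        }
    }
}
```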

Risk Assessment

Serialization of inner classes can introduce platform dependencies and can cause serialization of instances of the outer class.

Rule     Severity  Likelihood  Detectable  Repairable  Priority  Level
SER05-J  Medium    Likely      Yes         No          P12       L1

Automated Detection

Detection of inner classes that implement serialization is straightforward.

Tool       Checker               Description
Klocwork   JAVA.SERIALIZE.INNER
SonarQube  S2066                 "Serializable" inner classes of non-serializable classes should be "static"
SonarQube  S2059                 "Serializable" inner classes of "Serializable" classes should be static


Related Guidelines

MITRE CWE

CWE-499, Serializable Class Containing Sensitive Data


Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

[API 2006]
[JLS 2005] Section 8.1.3, "Inner Classes and Enclosing Instances", http://java.sun.com/docs/books/jls/third_edition/html/classes.html
[Sun 2006] Serialization Specification
[Bloch 2008] Item 74, "Implement serialization judiciously"
