Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


This noncompliant code example simply serializes then deserializes the map. Consequently, the map can be serialized and transferred across different business tiers. Unfortunately, the example lacks any safeguards against byte stream manipulation attacks while the binary data is in transit. Likewise, anyone can reverse-engineer the serialized stream data to recover the data in the HashMap. Anyone would also be able to tamper with the map and produce an object that made the deserializer crash or hang.

Code Block
public static void main(String[] args)
                        throws IOException, ClassNotFoundException {
  // Build map
  SerializableMap<String, Integer> map = buildMap();

  // Serialize map
  ObjectOutputStream out =
      new ObjectOutputStream(new FileOutputStream("data"));

  // Deserialize map
  ObjectInputStream in =
      new ObjectInputStream(new FileInputStream("data"));
  map = (SerializableMap<String, Integer>) in.readObject();

  // Inspect map