Kingdom: Code Quality

Poor code quality leads to unpredictable behavior. From a user's perspective that often manifests itself as poor usability. For an attacker it provides an opportunity to stress the system in unexpected ways.

Code Correctness: Incorrect serialPersistentFields Modifier

Java/JSP

Abstract

To use serialPersistentFields correctly, it must be declared private, static, and final.

Explanation

The Java Object Serialization Specification enables developers to manually define Serializable fields for a class by specifying them in the serialPersistentFields array. This feature will only work if serialPersistentFields is declared as private, static, and final.

Example 1: The following declaration of serialPersistentFields will not be used to define Serializable fields because it is not private, static, and final.


class List implements Serializable {
public ObjectStreamField[] serialPersistentFields = { new ObjectStreamField("myField", List.class) };
...
}

References

[1] Sun Microsystems, Inc. Java Sun Tutorial

[2] SERIAL-2: Guard sensitive data during serialization Oracle

[3] Standards Mapping - Common Weakness Enumeration CWE ID 485

desc.structural.java.code_correctness_incorrect_serialpersistentfields_modifier