Kingdom: Code Quality
Poor code quality leads to unpredictable behavior. From a user's perspective that often manifests itself as poor usability. For an attacker it provides an opportunity to stress the system in unexpected ways.
Code Correctness: Non-Static Inner Class Implements Serializable
Abstract
Inner classes implementing java.io.Serializable may cause problems and leak information from the outer class.
Explanation
Serializing an inner class also serializes its enclosing outer-class instance, which can leak information or cause a runtime error if the outer class is not serializable. In addition, serializing inner classes can introduce platform dependencies: the Java compiler creates synthetic fields to implement inner classes, and these fields are implementation-dependent and may vary from compiler to compiler.
Example 1: The following code allows serialization of an inner class.
import java.io.Serializable;
...
class User implements Serializable {
    private int accessLevel;

    // Non-static inner class: every instance holds an implicit reference
    // to its enclosing User, which is serialized along with it.
    class Registrator implements Serializable {
        ...
    }
}
In Example 1, when the inner class Registrator is serialized, it also serializes the field accessLevel from the outer class User.
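The following added example (not part of the original description) makes the leak in Example 1 observable: it serializes an instance of a non-static inner class and an instance of a static nested class, then checks whether each stream contains the outer class's accessLevel field name, which only appears when the outer object was written. Class names and field values are constructed for the demo.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;

public class InnerClassSerializationDemo {
    // Shape from Example 1: a non-static inner class carries a synthetic
    // reference (this$0) to its enclosing User, so serializing a Registrator
    // also writes the User object, including its private accessLevel field.
    static class User implements Serializable {
        private int accessLevel = 9;            // constructed sample value
        class Registrator implements Serializable {
            String name = "reg";
        }
    }

    // Hardened shape: a static nested class has no hidden outer reference,
    // so only its own fields reach the stream.
    static class SafeUser implements Serializable {
        private int accessLevel = 9;
        static class Registrator implements Serializable {
            String name = "reg";
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Class descriptors in a Java serialization stream spell out field names
    // as modified UTF-8, so a field name present in the bytes means the class
    // that declares it (here the outer User) was written to the stream.
    static boolean streamMentions(byte[] stream, String token) {
        return new String(stream, StandardCharsets.ISO_8859_1).contains(token);
    }

    public static void main(String[] args) throws IOException {
        byte[] leaky = serialize(new User().new Registrator());
        byte[] clean = serialize(new SafeUser.Registrator());
        System.out.println("inner class stream carries accessLevel: " + streamMentions(leaky, "accessLevel"));
        System.out.println("static nested stream carries accessLevel: " + streamMentions(clean, "accessLevel"));
    }
}
```

Declaring the nested class static, as in SafeUser, is the fix recommended by SER05-J; if the inner class really needs the outer instance, the outer class must itself be safe to serialize.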
References
[1] SER05-J. Do not serialize instances of inner classes, CERT
[2] Standards Mapping - Common Weakness Enumeration: CWE ID 398