Kingdom: Code Quality

Poor code quality leads to unpredictable behavior. From a user's perspective that often manifests itself as poor usability. For an attacker it provides an opportunity to stress the system in unexpected ways.

Code Correctness: readObject() Invokes Overridable Function

Abstract
The readObject() method within the class calls a function that may be overridden.
Explanation
During deserialization, readObject() acts like a constructor, so object initialization is not complete until this method returns. Therefore, when the readObject() method of a Serializable class calls an overridable method, the overriding method can gain access to the object's state before it is fully initialized.

Example 1: The following readObject() method calls a method that can be overridden.

...
import java.io.IOException;
import java.io.ObjectInputStream;
...
// The enclosing class is neither final nor does it mark checkStream() final.
private void readObject(final ObjectInputStream ois) throws IOException, ClassNotFoundException {
    checkStream(ois);          // virtual call: a subclass override runs here,
                               // before the fields below are restored
    ois.defaultReadObject();   // restores the non-transient fields
}

// public and non-final: any subclass can override this method
public void checkStream(ObjectInputStream stream) {
    ...
}

Because checkStream() is public and neither it nor its enclosing class is final, a subclass can override it. An attacker who controls such a subclass can therefore use the overriding checkStream() to reach the object during deserialization, before its state has been restored.
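The following is an added example, not Fortify's code or the snippet above. It places a vulnerable class (readObject() calls a public, non-final hook) beside a hardened one, and a round trip through ObjectOutputStream/ObjectInputStream shows the override observing the parent's fields before defaultReadObject() has restored them. The class and field names (Account, ObservingAccount, SafeAccount, owner) are invented for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidObjectException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Added example: demonstrates why readObject() must not call overridable methods.
public class ReadObjectOverrideDemo {

    // Vulnerable shape (names are hypothetical): class and hook are both non-final.
    static class Account implements Serializable {
        private static final long serialVersionUID = 1L;
        String owner;                              // restored by defaultReadObject()

        Account(String owner) { this.owner = owner; }

        private void readObject(ObjectInputStream ois)
                throws IOException, ClassNotFoundException {
            checkStream(ois);                      // dispatches to a subclass override
            ois.defaultReadObject();               // 'owner' is only set after this line
        }

        public void checkStream(ObjectInputStream stream) { /* validation hook */ }
    }

    // A subclass override runs while the Account part of the object is still empty.
    static class ObservingAccount extends Account {
        private static final long serialVersionUID = 1L;
        static String ownerSeenDuringReadObject = "unset";   // records what the override saw

        ObservingAccount(String owner) { super(owner); }

        @Override
        public void checkStream(ObjectInputStream stream) {
            // Account.readObject() has not yet called defaultReadObject(), so owner is null.
            ownerSeenDuringReadObject = String.valueOf(owner);
        }
    }

    // Hardened shape: the class is final, the hook is private, and it runs only
    // after the state has been fully restored (SER09-J / SERIAL-3).
    static final class SafeAccount implements Serializable {
        private static final long serialVersionUID = 1L;
        String owner;

        SafeAccount(String owner) { this.owner = owner; }

        private void readObject(ObjectInputStream ois)
                throws IOException, ClassNotFoundException {
            ois.defaultReadObject();               // restore first ...
            validate();                            // ... then validate the complete object
        }

        private void validate() throws InvalidObjectException {
            if (owner == null || owner.isEmpty()) {
                throw new InvalidObjectException("owner must be set");
            }
        }
    }

    // Serialize and deserialize in memory (no file or network involved).
    static <T> T roundTrip(T obj) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(obj);
        }
        try (ObjectInputStream ois =
                     new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
            @SuppressWarnings("unchecked")
            T out = (T) ois.readObject();
            return out;
        }
    }

    public static void main(String[] args) throws Exception {
        ObservingAccount a = roundTrip(new ObservingAccount("alice"));
        System.out.println("owner seen inside override: "
                + ObservingAccount.ownerSeenDuringReadObject);   // null
        System.out.println("owner after deserialization: " + a.owner); // alice

        SafeAccount s = roundTrip(new SafeAccount("bob"));
        System.out.println("safe owner: " + s.owner);                  // bob
    }
}
```

The first line printed by main() is the whole point of the finding: the override executes with the parent's state still at its default values. The hardened variant removes the override point entirely (final class, private hook) and moves validation after defaultReadObject(), which is also where the checks in [1] and [3] belong.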
References
[1] SER09-J. Do not invoke overridable methods from the readObject() method, CERT
[2] EXTEND-5: Limit the extensibility of classes and methods, Oracle
[3] SERIAL-3: View deserialization the same as object construction, Oracle
desc.structural.java.code_correctness_readobject_invokes_overridable_function