Kingdom: Code Quality
Poor code quality leads to unpredictable behavior. From a user's perspective that often manifests itself as poor usability. For an attacker it provides an opportunity to stress the system in unexpected ways.
Code Correctness: Incorrect serialPersistentFields Modifier
Abstract
To use
serialPersistentFields correctly, it must be declared private, static, and final.Explanation
The Java Object Serialization Specification enables developers to manually define Serializable fields for a class by specifying them in the
Example 1: The following declaration of
serialPersistentFields array. This feature will only work if serialPersistentFields is declared as private, static, and final.Example 1: The following declaration of
serialPersistentFields will not be used to define Serializable fields because it is not private, static, and final.
class List implements Serializable {
public ObjectStreamField[] serialPersistentFields = { new ObjectStreamField("myField", List.class) };
...
}
References
[1] Sun Microsystems, Inc. Java Sun Tutorial
[2] SERIAL-2: Guard sensitive data during serialization Oracle
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[7] Standards Mapping - Common Weakness Enumeration CWE ID 485
desc.structural.java.code_correctness_incorrect_serialpersistentfields_modifier