Reino: Security Features

La seguridad de un software no es un software de seguridad. Nos preocupamos de cuestiones como la autenticación, el control de acceso, la confidencialidad, la criptografía y la gestión de privilegios.

Missing SecurityManager Check: Serializable

Java/JSP

Abstract

Una clase serializable que realiza una comprobación SecurityManager en su constructor tiene que realizar la misma comprobación en sus métodos readObject() y readObjectNoData.

Explanation

Cuando se invoca el método readObject() de una clase serializable, no se invoca el constructor para la clase que se está deserializando. Así pues, si hay una comprobación SecurityManager en el constructor de una clase serializable, también debe estar presente la misma comprobación SecurityManager en los métodos readObject() y readObjectNoData(). De no ser así, la comprobación de seguridad se derivará cuando la clase se deserialice.

Ejemplo 1: el código siguiente contiene una comprobación SecurityManager en el constructor, pero no en los métodos readObject() y readObjectNoData().


public class BadSecurityCheck implements Serializable {

private int id;

public BadSecurityCheck() {
    SecurityManager sm = System.getSecurityManager();
    if (sm != null) {
        sm.checkPermission(new BadPermission("BadSecurityCheck"));
    }
    id = 1;
}

public void readObject(ObjectInputStream in) throws ClassNotFoundException, IOException {
    in.defaultReadObject();
}

public void readObjectNoData(ObjectInputStream in) throws ClassNotFoundException, IOException {
    in.defaultReadObject();
}
}

References

[1] "Secure Coding Guidelines for the Java Programming Language, version 2.0" Sun Microsystems, Inc. [Online]. [Accessed: Aug. 30, 2007]. Sun Microsystems, Inc.

[2] C. Lai Java Insecurity: Accounting for Subtleties That Can Compromise Code

[3] SERIAL-4: Duplicate the SecurityManager checks enforced in a class during serialization and deserialization Oracle

[4] Standards Mapping - Common Weakness Enumeration CWE ID 358

[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001764, CCI-001774, CCI-002165

[6] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), CM-7 Least Functionality (P1)

[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, CM-7 Least Functionality

[9] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[10] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication

[11] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1

[12] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II

[13] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II

[14] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II

[15] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II

[16] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II

[17] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II

[18] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II

[19] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II

[20] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II

[21] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II

[22] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II

[23] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II

[24] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II

[25] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II

[26] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II

[27] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)

desc.structural.java.missing_securitymanager_check_serializable