Prevent deserialization


ID: java-security/object-deserialization

Language: Java

Severity: Warning

Category: Security


Deserialization of untrusted data can lead to system compromise. Make sure you only deserialize data you trust.

Learn More

Non-Compliant Code Examples

public class SerializationHelper {

  private static final char[] hexArray = "0123456789ABCDEF".toCharArray();

  public static Object fromString(String s) throws IOException, ClassNotFoundException {
    byte[] data = Base64.getDecoder().decode(s);
    ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data));
    Object o = ois.readObject();
    return o;
} jetbrains

Seamless integrations. Try Datadog Code Analysis