このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください。
ID: java-security/object-deserialization
Language: Java
Severity: Warning
Category: Security
CWE: 502
Description
Deserialization of untrusted data can lead to system compromise. Make sure you only deserialize data you trust.
Learn More
Non-Compliant Code Examples
public class SerializationHelper {
private static final char[] hexArray = "0123456789ABCDEF".toCharArray();
public static Object fromString(String s) throws IOException, ClassNotFoundException {
byte[] data = Base64.getDecoder().decode(s);
ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data));
Object o = ois.readObject();
ois.close();
return o;
}
}
Seamless integrations. Try Datadog Code Analysis