Prevent deserialization

This product is not supported for your selected Datadog site. ().
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください

Metadata

ID: java-security/object-deserialization

Language: Java

Severity: Warning

Category: Security

CWE: 502

Description

Deserialization of untrusted data can lead to system compromise. Make sure you only deserialize data you trust.

Learn More

Non-Compliant Code Examples

public class SerializationHelper {

  private static final char[] hexArray = "0123456789ABCDEF".toCharArray();

  public static Object fromString(String s) throws IOException, ClassNotFoundException {
    byte[] data = Base64.getDecoder().decode(s);
    ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data));
    Object o = ois.readObject();
    ois.close();
    return o;
  }
}

Compliant Code Examples

public class SafeDataHandler {
    // Safe: using JSON parsing instead of object deserialization
    public static Map<String, Object> fromString(String s) throws IOException {
        ObjectMapper mapper = new ObjectMapper();
        return mapper.readValue(s, Map.class);
    }
}
https://static.datadoghq.com/static/images/logos/github_avatar.svg https://static.datadoghq.com/static/images/logos/vscode_avatar.svg jetbrains

シームレスな統合。 Datadog Code Security をお試しください

Datadog Code Security