Remove or document security of serialization #44

Open
greggles opened this issue Mar 27, 2020 · 1 comment
Comments

@greggles

In this issue there is a security report that states

OBJECT DESERIALIZATION FOUND [M7] [CWE-502] [SAST]
Description:
WARNING
Object deserialization performed on an untrusted resource (e.g. user-supplied input or external storage), can be dangerous if the data for deserialization is tampered by an attacker.

There is 'implements Serializable' found in file com/marianhello/bgloc/data/ArrayListLocationTemplate.java:

line 9:
line 10: public class ArrayListLocationTemplate extends AbstractLocationTemplate implements Serializable {
line 11: private static final long serialVersionUID = 1234;

The line is line 15

I wonder if the serialization is required here? If not perhaps it could be removed.

If it is required, perhaps you could add a comment explaining why this is necessary and any safeguards that are in place to ensure it is secure, or any pitfalls developers need to know about to be safe?

@greggles

I realize now there are 2 other instances of implements Serializable in the codebase, so this applies to those 3 places.
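The request above asks for documented safeguards around `implements Serializable` (CWE-502). The following is an added example, not code from the issue or from the project, showing two safeguards a maintainer could document next to a Serializable class: a JEP 290 `ObjectInputFilter` allowlist that rejects any class the stream is not expected to carry, and a `readObject` that validates invariants so a tampered stream is rejected rather than silently accepted. `TemplateStandIn` and its fields are hypothetical stand-ins, not the project's `ArrayListLocationTemplate`; the sample streams are constructed in `main`. The filter API assumes Java 9 or newer, and whether it is available on the project's target platform is not established by this page.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.InvalidObjectException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Added example (not the project's code): defensive deserialization for a
// Serializable template class. Names below are hypothetical stand-ins.
public class SafeDeserializationDemo {

    // Hypothetical stand-in for a Serializable template class.
    static final class TemplateStandIn implements Serializable {
        private static final long serialVersionUID = 1L;
        private final String name;
        private final int limit;

        TemplateStandIn(String name, int limit) {
            this.name = name;
            this.limit = limit;
        }

        // Re-check invariants after the default field read: a stream whose
        // fields were tampered with is rejected instead of producing an
        // object the rest of the code never expects to see.
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            if (name == null || name.length() > 256 || limit < 0) {
                throw new InvalidObjectException("invalid TemplateStandIn state");
            }
        }
    }

    // Allowlist: only the classes this stream is expected to carry; "!*"
    // rejects everything else before it can be instantiated (Java 9+ API).
    static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
            "SafeDeserializationDemo$TemplateStandIn;java.lang.String;!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Every read goes through the filter; callers never get an unfiltered stream.
    static TemplateStandIn deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(ALLOWLIST);
            return (TemplateStandIn) ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a well-formed stream of the expected class.
        byte[] ok = serialize(new TemplateStandIn("home", 10));
        System.out.println("accepted: " + deserialize(ok).name);

        // Constructed sample: a stream carrying a class outside the allowlist.
        byte[] unexpected = serialize(new java.util.ArrayList<String>());
        try {
            deserialize(unexpected);
            System.out.println("unexpected: filter did not reject");
        } catch (InvalidClassException e) {
            System.out.println("rejected by filter: " + e.getMessage());
        }
    }
}
```

Run with `java SafeDeserializationDemo.java` (Java 11+). The allowlist is the part worth documenting in a code comment on the class, since it answers the question of what stops an arbitrary class from being deserialized; the `readObject` check is the per-class pitfall, and it has to be kept in step with the fields whenever the class changes.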
