SV.SERIAL.NOREAD

SV.SERIAL.NOREAD is reported for a class when this class directly or indirectly implements 'java.io.Serializable' interface but does not define method 'private void readObject(java.io.ObjectInputStream in) throws IOException, ClassNotFoundException'.

Vulnerability and risk

If a class does not implement a 'readObject' method with the correct signature, the default serialization provided by 'defaultReadObject' will be used. Thus this class is not protected from deserialization, and an attacker can create a sequence of bytes that deserializes to an instance of your class.

Klocwork security vulnerability (SV) checkers identify calls that create potentially dangerous data; these calls are considered unsafe sources. An unsafe source can be any data provided by the user, since the user could be an attacker or has the potential for introducing human error.

Mitigation and prevention

Implement method 'private void readObject(java.io.ObjectInputStream in) throws IOException, ClassNotFoundException'.

Example 1

5
6
7
8
9
10
11
  public class SV_SERIAL_Sample_1 implements Serializable {
  
       public static void main(String[] args)
       {
               System.out.println("Hello World!");
      }
 }

SV.SERIAL.NOREAD is reported for class 'SV_SERIAL_Sample_1' declaration on line 5.

Related checkers

• SV.SERIAL.NOWRITE
• SV.SERIAL.SIG
• SV.SERIAL.NON
• SV.SERIAL.INON

External guidance

• CERT SER06-J: Make defensive copies of private mutable components during deserialization
• CERT SER12-J: Prevent deserialization of untrusted data
• CWE-502: Deserialization of Untrusted Data
• OWASP A8:2017 Insecure Deserialization
• OWASP A8:2021 Software and Data Integrity Failures

Security training

Application security training materials provided by Secure Code Warrior.

• Insecure Deserialization Training Video - Test your skills with a training example