rspec/rules/S2441/java/rule.adoc
Fred Tingaud 16f6c0aecf
Inline adoc when include has no additional value (#1940)
Inline adoc files when they are included exactly once.

Also fix language tags because this inlining gives us better information
on what language the code is written in.
2023-05-25 14:18:12 +02:00


== Why is this an issue?
If you have no intention of writing an ``++HttpSession++`` object to a file, storing non-``++Serializable++`` objects in it may not seem like a big deal. But whether or not you explicitly serialize the session, the server may write it to disk anyway to manage its memory use, in a process called "passivation". Further, some servers automatically write their active sessions to a file at shutdown and deserialize those sessions again at startup.

The point is that even though ``++HttpSession++`` does not ``++extend Serializable++``, you must nonetheless assume that it will be serialized, and understand that if you have stored non-serializable objects in the session, errors will result: typically a ``++java.io.NotSerializableException++`` from the container's session store, or attributes that are silently dropped and missing after a restart.
=== Noncompliant code example
[source,java]
----
public class Address {
//...
}
//...
HttpSession session = request.getSession();
session.setAttribute("address", new Address()); // Noncompliant; Address isn't serializable
----
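The following is an added example, not part of the rule text: it shows the compliant form of the ``++Address++`` class (implementing ``++Serializable++`` with a ``++serialVersionUID++``) next to a non-serializable class, and a small helper that round-trips each session attribute through ``++ObjectOutputStream++``/``++ObjectInputStream++`` the way a container's passivation would, so the problem surfaces in a unit test rather than at shutdown. The helper works on a plain ``++Map++`` so it runs without a servlet container; in a servlet test you would build that map from ``++session.getAttributeNames()++``. The class names ``++SessionPassivationCheck++`` and ``++LegacyAddress++`` are assumptions made for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.NotSerializableException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class SessionPassivationCheck {

    // Compliant version of the Address class from the rule: it implements
    // Serializable and declares a serialVersionUID so that sessions restored
    // after a server restart still match the class definition.
    public static final class Address implements Serializable {
        private static final long serialVersionUID = 1L;
        private final String street;
        private final String city;

        public Address(String street, String city) {
            this.street = street;
            this.city = city;
        }

        public String street() { return street; }
        public String city() { return city; }
    }

    // Hypothetical class that is NOT Serializable, like the Address in the
    // noncompliant example above.
    public static final class LegacyAddress {
        private final String street;
        public LegacyAddress(String street) { this.street = street; }
        public String street() { return street; }
    }

    // Round-trips one attribute value the way passivation would. Throws
    // NotSerializableException if the value, or any object it references,
    // cannot be written; the attribute name is added to the message so the
    // offending entry is easy to find.
    public static Object roundTrip(String name, Object value)
            throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(value);
        } catch (NotSerializableException e) {
            throw new NotSerializableException(
                "session attribute \"" + name + "\": " + e.getMessage());
        }
        try (ObjectInputStream in =
                 new ObjectInputStream(new ByteArrayInputStream(bytes.toByteArray()))) {
            return in.readObject();
        }
    }

    // Checks every attribute and returns the names of those that cannot be
    // passivated. Call this from a test with the attributes of a real session.
    public static List<String> findNonSerializable(Map<String, Object> attributes) {
        List<String> failing = new ArrayList<>();
        for (Map.Entry<String, Object> entry : attributes.entrySet()) {
            try {
                roundTrip(entry.getKey(), entry.getValue());
            } catch (IOException | ClassNotFoundException e) {
                failing.add(entry.getKey());
            }
        }
        return failing;
    }

    public static void main(String[] args) {
        // Constructed sample of what a session might hold.
        Map<String, Object> attributes = new LinkedHashMap<>();
        attributes.put("address", new Address("1 Main St", "Springfield"));
        attributes.put("legacy", new LegacyAddress("1 Main St"));
        attributes.put("lastLogin", 1_700_000_000L);

        List<String> failing = findNonSerializable(attributes);
        if (failing.isEmpty()) {
            System.out.println("all session attributes survive passivation");
        } else {
            System.out.println("non-serializable session attributes: " + failing);
        }
    }
}
```

Two caveats when applying the fix: marking a class ``++Serializable++`` means every non-``++transient++`` field must be serializable too (a reference to a connection, a thread, or a framework component will fail the same way), and it also means the container will deserialize instances of that class when it restores sessions, so keep session objects to simple value types rather than storing whole service objects in the session.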
== Resources
* https://owasp.org/Top10/A04_2021-Insecure_Design/[OWASP Top 10 2021 Category A4] - Insecure Design
* https://cwe.mitre.org/data/definitions/579[MITRE, CWE-579] - J2EE Bad Practices: Non-serializable Object Stored in Session
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
=== Message
Make "xxx" serializable or don't store it in the session.
'''
== Comments And Links
(visible only on this page)
=== on 27 Feb 2015, 21:11:59 Freddy Mallet wrote:
@Ann, we can link this rule to http://cwe.mitre.org/data/definitions/579.html[CWE-579]: "J2EE Bad Practices: Non-serializable Object Stored in Session"
=== on 15 Feb 2016, 19:12:14 Ann Campbell wrote:
This maps to https://www.securecoding.cert.org/confluence/x/EYDeBw[CERT MSC08-J.] but I'm not adding a reference field value or a See entry because the CERT version is currently a stub.
endif::env-github,rspecator-view[]