Details
Type: Bug Detection
Status: Active
Resolution: Unresolved
Labels:
Message: Make "xxx" serializable or don't store it in the session.
Default Severity: Major
Impact: Low
Likelihood: High
Default Quality Profiles: Sonar way
Covered Languages: Java
Irrelevant for Languages: ABAP, C#, C, C++, Cobol, Flex, HTML, JavaScript, Objective-C, PHP, PL/I, PL/SQL, Python, RPG, Swift, VB.Net, VB6, XML
Remediation Function: Constant/Issue
Constant Cost: 20min
Analysis Scope: Main Sources
CWE: CWE-579
FindBugs: J2EE_STORE_OF_NON_SERIALIZABLE_OBJECT_INTO_SESSION
Description
If you have no intention of writing an HttpSession object to file, then storing non-serializable objects in it may not seem like a big deal. But whether or not you explicitly serialize the session, the server may write it to disk anyway as it manages its memory use, in a process called "passivation". Further, some servers automatically write their active sessions out to file at shutdown and deserialize them at startup, and servers that replicate sessions across a cluster have to serialize them to ship them to other nodes.
The point is that even though HttpSession does not extend Serializable, you must nonetheless assume that it will be serialized, and understand that if you've stored non-serializable objects in the session, errors will result: the container's ObjectOutputStream fails with a java.io.NotSerializableException when it reaches the offending attribute, and depending on the server the attribute is silently dropped or the whole session fails to persist, so the user loses state or the application behaves unpredictably after a restart or failover.
Noncompliant Code Example
public class Address {
  //...
}

//...
HttpSession session = request.getSession();
session.setAttribute("address", new Address()); // Noncompliant; Address isn't serializable
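The following is an added example, not code from the rule page or from SonarSource. It reproduces what a container does at passivation time (writing every session attribute through an ObjectOutputStream) so the failure can be caught in a unit test instead of in production. It assumes a plain Map stands in for the HttpSession attribute map so that it runs without a servlet container; the Address, SerializableAddress and Profile classes and the attribute names are invented for the illustration.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.NotSerializableException;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.LinkedHashMap;
import java.util.Map;

// Added example (not from the rule page): mimics what a container does when it
// passivates a session, i.e. it writes every attribute through ObjectOutputStream.
public class SessionPassivationCheck {

    // The "before" type from the noncompliant example: no Serializable marker.
    static class Address {
        String street = "1 Main St";
    }

    // The fixed type: Serializable, with a field that must not be persisted
    // (a live connection, a cache, a secret) marked transient so serialization
    // skips it instead of failing on it.
    static class SerializableAddress implements Serializable {
        private static final long serialVersionUID = 1L;
        String street = "1 Main St";
        transient Object lookupCache = new Object(); // not Serializable, but skipped
    }

    // A trap: the class itself is Serializable, so "instanceof Serializable" passes,
    // but a non-transient field of a non-serializable type still breaks passivation.
    static class Profile implements Serializable {
        private static final long serialVersionUID = 1L;
        Address home = new Address();
    }

    // Assumption: a plain map stands in for HttpSession's attribute map (constructed input).
    static Map<String, Object> sessionAttributes() {
        Map<String, Object> attrs = new LinkedHashMap<>();
        attrs.put("userId", 42L);                          // Long is Serializable: fine
        attrs.put("address", new Address());               // Noncompliant
        attrs.put("billing", new SerializableAddress());   // Compliant
        attrs.put("profile", new Profile());               // Noncompliant through its field
        return attrs;
    }

    // Returns, for each attribute a passivation would choke on, the offending class name.
    // Actually writing the object is the only reliable check; instanceof is not enough.
    static Map<String, String> findNonSerializable(Map<String, Object> attrs) {
        Map<String, String> problems = new LinkedHashMap<>();
        for (Map.Entry<String, Object> e : attrs.entrySet()) {
            try (ObjectOutputStream out = new ObjectOutputStream(new ByteArrayOutputStream())) {
                out.writeObject(e.getValue());
            } catch (NotSerializableException ex) {
                problems.put(e.getKey(), ex.getMessage()); // message is the offending class
            } catch (IOException ex) {
                problems.put(e.getKey(), ex.toString());
            }
        }
        return problems;
    }

    public static void main(String[] args) {
        Map<String, String> problems = findNonSerializable(sessionAttributes());
        // Reports "address" and "profile"; "userId" and "billing" pass.
        problems.forEach((name, cls) -> System.out.println(
            "Make \"" + name + "\" serializable or don't store it in the session (" + cls + ")"));
        if (problems.isEmpty()) {
            System.out.println("All session attributes survive passivation");
        }
    }
}
```

Running the check reports "address" and "profile" and accepts "userId" and "billing". The Profile case is the one worth remembering: marking a class Serializable is not enough if it holds a non-transient reference to something that is not, which is exactly the situation a static analyzer can miss and a real passivation will not.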
See
- MITRE, CWE-579 - J2EE Bad Practices: Non-serializable Object Stored in Session
Issue Links
is related to:
- SONARJAVA-1238 FP on S2441: Rule should take into account autoboxing of primitive types (Closed)
- SONARJAVA-3322 S2441 does not handle correctly unknown types (Closed)
- SONARJAVA-1810 FP on S2441: Array or Collection of Serializable objects are Serializable (Closed)
- SONARJAVA-3168 FP S2441 and S2118: improve detection of serializable Objects (Closed)