Java: Enhance IncorrectSerializableMethods.ql

java/ql/src/Likely Bugs/Serialization/IncorrectSerializableMethods.java

@@ -5,6 +5,12 @@ class WrongNetRequest implements Serializable {
 		//...
 	}
 	
+	// BAD: Does not match the exact signature required for a custom 
+	// deserialization protocol. Will not be called during deserialization.
+	void readObjectNoData() {
+		//...
+	}
+	
 	// BAD: Does not match the exact signature required for a custom 
 	// serialization protocol. Will not be called during serialization.
 	protected void writeObject(ObjectOutputStream out) {
@@ -18,6 +24,11 @@ class NetRequest implements Serializable {
 		//...
 	}
 	
+	// GOOD: Signature for a custom deserialization implementation.
+	private void readObjectNoData() {
+		//...
+	}
+	
 	// GOOD: Signature for a custom serialization implementation.
 	private void writeObject(ObjectOutputStream out) {
 		//...

java/ql/src/Likely Bugs/Serialization/IncorrectSerializableMethods.qhelp

@@ -7,15 +7,16 @@
 <overview>
 <p>
 A serializable object that defines its own serialization protocol using the methods
-<code>readObject</code> and <code>writeObject</code> must use the signature that is expected by the 
-Java serialization framework. Otherwise, the default serialization mechanism is used.
+<code>readObject</code>, <code>readObjectNoData</code> or <code>writeObject</code> must use
+the signature that is expected by the Java serialization framework. Otherwise, the default
+serialization mechanism is used.
 </p>
 
 </overview>
 <recommendation>
 <p>
-Make sure that the signatures of <code>readObject</code> and <code>writeObject</code> on 
-serializable classes use these exact signatures:
+Make sure that the signatures of <code>readObject</code>, <code>readObjectNoData</code> and
+<code>writeObject</code> on serializable classes match these expected signatures:
 </p>
 
 <sample src="IncorrectSerializableMethodsSig.java" />
@@ -23,9 +24,9 @@ serializable classes use these exact signatures:
 </recommendation>
 <example>
 
-<p>In the following example, <code>WrongNetRequest</code> defines <code>readObject</code> and 
-<code>writeObject</code> using the wrong signatures. However, <code>NetRequest</code> defines them
-correctly.</p>
+<p>In the following example, <code>WrongNetRequest</code> defines <code>readObject</code>,
+<code>readObjectNoData</code> and <code>writeObject</code> using the wrong signatures. However,
+<code>NetRequest</code> defines them correctly.</p>
 
 <sample src="IncorrectSerializableMethods.java" />
 

java/ql/src/Likely Bugs/Serialization/IncorrectSerializableMethods.ql

@@ -1,7 +1,7 @@
 /**
  * @name Serialization methods do not match required signature
- * @description A serialized class that implements 'readObject' or 'writeObject' but does not use
- *              the correct signatures causes the default serialization mechanism to be used.
+ * @description A serialized class that implements 'readObject', 'readObjectNoData' or 'writeObject' but
+ *              does not use the correct signatures causes the default serialization mechanism to be used.
  * @kind problem
  * @problem.severity warning
  * @precision medium
@@ -13,12 +13,17 @@
 
 import java
 
-from Method m, TypeSerializable serializable
+from Method m, TypeSerializable serializable, string reason
 where
   m.getDeclaringType().hasSupertype+(serializable) and
   (
     m.hasStringSignature("readObject(ObjectInputStream)") or
+    m.hasStringSignature("readObjectNoData()") or
     m.hasName("writeObject(ObjectOutputStream)")
   ) and
-  not m.isPrivate()
-select m, "readObject and writeObject should be private methods."
+  (
+    not m.isPrivate() and reason = "Method must be private"
+    or m.isStatic() and reason = "Method must not be static"
+    or not m.getReturnType() instanceof VoidType and reason = "Return type must be void"
+  )
+select m, reason

java/ql/src/Likely Bugs/Serialization/IncorrectSerializableMethodsSig.java

@@ -1,4 +1,6 @@
 private void readObject(java.io.ObjectInputStream in)
      throws IOException, ClassNotFoundException;
+private void readObjectNoData()
+     throws ObjectStreamException;
 private void writeObject(java.io.ObjectOutputStream out)
      throws IOException;