/**
 * @name Serialization methods do not match required signature
 * @description A serialized class that implements 'readObject', 'readObjectNoData' or 'writeObject' but
 *              does not use the correct signatures causes the default serialization mechanism to be used.
 * @kind problem
 * @problem.severity warning
 * @precision medium
 * @id java/wrong-object-serialization-signature
 * @tags reliability
 *       maintainability
 *       language-features
 */

import java

/**
 * Holds if `m` has the name and parameter list of one of the serialization
 * hooks that the Java serialization runtime looks up reflectively on a
 * `Serializable` class.
 *
 * Only the name/parameter shape is checked here; the modifier and
 * return-type requirements are checked separately so that each violation
 * can be reported with its own reason.
 */
private predicate hasSerializationHookSignature(Method m) {
  m.hasStringSignature([
      "readObject(ObjectInputStream)", "readObjectNoData()", "writeObject(ObjectOutputStream)"
    ])
}

/**
 * Holds if `m` breaks one of the requirements the serialization runtime
 * imposes on a hook before it will call it, with `reason` naming the
 * requirement that is violated.
 *
 * A hook that fails any of these is silently ignored and the default
 * field-by-field (de)serialization runs instead. For `readObject` that is
 * security-relevant: any invariant checks or input validation the author
 * placed in the hook to harden the class against untrusted serialized data
 * are never executed, and nothing at compile time or run time reports it.
 */
private predicate violatesHookRequirement(Method m, string reason) {
  not m.isPrivate() and reason = "Method must be private"
  or
  m.isStatic() and reason = "Method must not be static"
  or
  not m.getReturnType() instanceof VoidType and reason = "Return type must be void"
}

from Method m, string reason
where
  // Restrict to code in the analysed project, not library classes.
  m.fromSource() and
  // The hook is only meaningful on a class that is (transitively) Serializable.
  m.getDeclaringType().getASupertype+() instanceof TypeSerializable and
  hasSerializationHookSignature(m) and
  violatesHookRequirement(m, reason)
select m, "Not recognized by Java serialization framework: " + reason