/*
 * Copyright (c) 2017 - present Facebook, Inc.
 * All rights reserved.
 *
 * This source code is licensed under the BSD style license found in the
 * LICENSE file in the root directory of this source tree. An additional grant
 * of patent rights can be found in the PATENTS file in the same directory.
 */

package codetoanalyze.java.quandary;

import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectInputStream;

import com.facebook.infer.builtins.InferTaint;

/**
 * Quandary (taint) test fixture: Java native deserialization fed from a tainted source.
 *
 * <p>The method below is deliberately insecure; it exists so the analyzer's expected
 * report can be checked. Deserializing bytes an attacker controls lets the attacker pick
 * which classes get instantiated, so the checker flags the construction of the tainted
 * {@link ObjectInputStream} itself instead of each individual read call. Production code
 * should avoid native serialization of untrusted data, or at least install an
 * {@code ObjectInputFilter}.
 */
public class Serialization {

  /**
   * Wraps a tainted value in an {@link ObjectInputStream} and deserializes from it.
   *
   * <p>Infer is expected to report at the constructor call, not at {@code readObject()}:
   * once the stream is built on tainted input, every read method ({@code readObject},
   * {@code readUnshared}, ...) is dangerous, so flagging where the stream is created covers
   * all of them.
   *
   * @return the deserialized object
   * @throws IOException if the stream cannot be created or read
   * @throws ClassNotFoundException if the serialized class cannot be resolved
   */
  Object taintedObjectInputStreamBad() throws IOException, ClassNotFoundException {
    Object secret = InferTaint.inferSecretSource();
    // The tainted value stands in for attacker-supplied bytes; the cast mirrors the fixture.
    InputStream taintedInput = (InputStream) secret;
    ObjectInputStream deserializer = new ObjectInputStream(taintedInput); // report here
    return deserializer.readObject();
  }
}