You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
29 lines
966 B
29 lines
966 B
/*
|
|
* Copyright (c) 2017 - present Facebook, Inc.
|
|
* All rights reserved.
|
|
*
|
|
* This source code is licensed under the BSD style license found in the
|
|
* LICENSE file in the root directory of this source tree. An additional grant
|
|
* of patent rights can be found in the PATENTS file in the same directory.
|
|
*/
|
|
|
|
package codetoanalyze.java.quandary;
|
|
|
|
import java.io.IOException;
|
|
import java.io.InputStream;
|
|
import java.io.ObjectInputStream;
|
|
|
|
import com.facebook.infer.builtins.InferTaint;
|
|
|
|
public class Serialization {
|
|
|
|
|
|
// we could warn on only particular calls to the tainted ObjectInputStream (e.g., readObject,
|
|
// readUnshared, but nothing good can come from creating a tainted ObjectInputStream
|
|
Object taintedObjectInputStreamBad() throws IOException, ClassNotFoundException {
|
|
Object source = InferTaint.inferSecretSource();
|
|
ObjectInputStream stream = new ObjectInputStream((InputStream) source); // report here
|
|
return stream.readObject();
|
|
}
|
|
}
|