Add SuppressBanSerializableForAndroid annotation

Serialization on Android has a different threat model and requires different solution. Add this new annotation so that it's easier for ISE Hardening to tell these apart from problems in backend code. PiperOrigin-RevId: 693813292
google · Nov 6, 2024 · 04308ea · 04308ea
1 parent 320f454
commit 04308ea
Showing 1 changed file with 13 additions and 0 deletions.
diff --git a/...est/java/com/google/errorprone/bugpatterns/testdata/BanSerializableReadNegativeCases.java b/...est/java/com/google/errorprone/bugpatterns/testdata/BanSerializableReadNegativeCases.java
@@ -114,6 +114,19 @@ public static final void directCall3() throws IOException, ClassNotFoundExceptio
     self.readObject(deserializer);
   }
 
+  // code is for Android
+  @SuppressWarnings("BanSerializableRead")
+  public static final void directCall4() throws IOException, ClassNotFoundException {
+    PipedInputStream in = new PipedInputStream();
+    PipedOutputStream out = new PipedOutputStream(in);
+
+    ObjectOutputStream serializer = new ObjectOutputStream(out);
+    ObjectInputStream deserializer = new ObjectInputStream(in);
+
+    BanSerializableReadPositiveCases self = new BanSerializableReadPositiveCases();
+    self.readObject(deserializer);
+  }
+
   // calls to readObject should themselves be excluded in a readObject method
   void readObject(ObjectInputStream ois) throws IOException, ClassNotFoundException {
     BanSerializableReadNegativeCases c = new BanSerializableReadNegativeCases();