From 04308eaa5367c538fe7399578782551c7736a816 Mon Sep 17 00:00:00 2001
From: Error Prone Team
Date: Wed, 6 Nov 2024 12:00:36 -0800
Subject: [PATCH] Add SuppressBanSerializableForAndroid annotation

Serialization on Android has a different threat model and requires different solution. Add this new annotation so that it's easier for ISE Hardening to tell these apart from problems in backend code.

PiperOrigin-RevId: 693813292
---
 .../testdata/BanSerializableReadNegativeCases.java | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/core/src/test/java/com/google/errorprone/bugpatterns/testdata/BanSerializableReadNegativeCases.java b/core/src/test/java/com/google/errorprone/bugpatterns/testdata/BanSerializableReadNegativeCases.java
index aab8505604f..901132d1b8c 100644
--- a/core/src/test/java/com/google/errorprone/bugpatterns/testdata/BanSerializableReadNegativeCases.java
+++ b/core/src/test/java/com/google/errorprone/bugpatterns/testdata/BanSerializableReadNegativeCases.java
@@ -114,6 +114,19 @@ public static final void directCall3() throws IOException, ClassNotFoundExceptio
 self.readObject(deserializer);
 }
 
+ // code is for Android
+ @SuppressWarnings("BanSerializableRead")
+ public static final void directCall4() throws IOException, ClassNotFoundException {
+ PipedInputStream in = new PipedInputStream();
+ PipedOutputStream out = new PipedOutputStream(in);
+
+ ObjectOutputStream serializer = new ObjectOutputStream(out);
+ ObjectInputStream deserializer = new ObjectInputStream(in);
+
+ BanSerializableReadPositiveCases self = new BanSerializableReadPositiveCases();
+ self.readObject(deserializer);
+ }
+
 // calls to readObject should themselves be excluded in a readObject method
 void readObject(ObjectInputStream ois) throws IOException, ClassNotFoundException {
 BanSerializableReadNegativeCases c = new BanSerializableReadNegativeCases();
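Review bot: directCall4 suppresses the finding with the generic `@SuppressWarnings("BanSerializableRead")`, so this negative case does not exercise the SuppressBanSerializableForAndroid annotation the commit title introduces; if that annotation is defined in another file of the change, the test should apply it here instead, and if the generic key is the intended Android-side form, the comment should say so rather than `// code is for Android`. As written the case is indistinguishable from a backend suppression, which is exactly the distinction the description says ISE Hardening needs to make. The `serializer` stream is also never used in the new method, presumably mirroring directCall3, whose body starts outside the hunk; the enclosing class and its imports are outside the hunk as well.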