Remove or document security of serialization
In this issue there is a security report that states:

> OBJECT DESERIALIZATION FOUND [M7] [CWE-502] [SAST] Description: WARNING Object deserialization performed on an untrusted resource (e.g. user-supplied input or external storage), can be dangerous if the data for deserialization is tampered by an attacker.
There is `implements Serializable` found in file `com/marianhello/bgloc/data/ArrayListLocationTemplate.java`:

```java

public class ArrayListLocationTemplate extends AbstractLocationTemplate implements Serializable {
    private static final long serialVersionUID = 1234;
```
The line is line 15
I wonder if the serialization is required here? If not perhaps it could be removed.
If it is required, perhaps you could add a comment explaining why this is necessary and any safeguards that are in place to ensure it is secure, or any pitfalls developers need to know about to be safe?
I realize now there are 2 other instances of `implements Serializable` in the codebase, so this applies to those 3 places.