CodeQL documentation

Serialization methods do not match required signature

ID: java/wrong-object-serialization-signature
Kind: problem
Severity: warning
Precision: medium
Tags:
   - reliability
   - maintainability
   - language-features
Query suites:
   - java-security-and-quality.qls


A serializable class that customizes its serialization protocol with the methods readObject and writeObject must declare them with the exact signature that the Java serialization framework expects: private, returning void, and taking a single ObjectInputStream or ObjectOutputStream parameter. The framework looks these methods up reflectively and ignores any method that does not match, so a method with the wrong access modifier, return type or parameter type is silently skipped and the default serialization mechanism is used instead. This matters for security as well as correctness: any validation of untrusted stream data placed in a readObject that is never invoked does not run, and the object is reconstructed from the raw field values without it.

Recommendation

Make sure that readObject and writeObject on serializable classes are declared with exactly these signatures (note the private modifier, the void return type and the single stream parameter):

private void readObject(java.io.ObjectInputStream in)
     throws IOException, ClassNotFoundException;
private void writeObject(java.io.ObjectOutputStream out)
     throws IOException;

Example

In the following example, WrongNetRequest defines readObject and writeObject with the wrong access modifiers, so neither is ever called by the serialization framework, whereas NetRequest defines them correctly.

import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

class WrongNetRequest implements Serializable {
	// BAD: package-private, so it does not match the exact signature required
	// for a custom deserialization protocol. Will not be called during
	// deserialization; the fields are filled in by default deserialization.
	void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
		//...
	}
	
	// BAD: protected, so it does not match the exact signature required for
	// a custom serialization protocol. Will not be called during serialization.
	protected void writeObject(ObjectOutputStream out) throws IOException {
		//...
	}
}

class NetRequest implements Serializable {
	// GOOD: private, void, single ObjectInputStream parameter. Called by
	// ObjectInputStream during deserialization.
	private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
		//...
	}
	
	// GOOD: private, void, single ObjectOutputStream parameter. Called by
	// ObjectOutputStream during serialization.
	private void writeObject(ObjectOutputStream out) throws IOException {
		//...
	}
}
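The following stand-alone program, added here as an illustration and not part of the CodeQL documentation or the query's own test code, makes the difference observable at runtime. It round-trips instances of two hypothetical classes (the class and field names are chosen for this example) that both try to validate a timeoutMillis field in readObject; a transient flag records whether the hook actually ran.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidObjectException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Added example; class and field names are hypothetical.
public class SerializationHookDemo {

	// BAD: readObject is package-private. The serialization runtime looks for a
	// private method, so this one is never invoked and its validation never runs.
	static class WrongNetRequest implements Serializable {
		private static final long serialVersionUID = 1L;
		int timeoutMillis;
		transient boolean hookRan; // transient: never written to the stream, so it
		                           // can only become true if readObject runs

		WrongNetRequest(int timeoutMillis) { this.timeoutMillis = timeoutMillis; }

		void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
			in.defaultReadObject();
			hookRan = true;
			if (timeoutMillis < 0) {
				throw new InvalidObjectException("negative timeout");
			}
		}
	}

	// GOOD: private readObject with the expected signature; the runtime calls it.
	static class NetRequest implements Serializable {
		private static final long serialVersionUID = 1L;
		int timeoutMillis;
		transient boolean hookRan;

		NetRequest(int timeoutMillis) { this.timeoutMillis = timeoutMillis; }

		private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
			in.defaultReadObject(); // restore the non-transient fields first
			hookRan = true;
			if (timeoutMillis < 0) {
				throw new InvalidObjectException("negative timeout");
			}
		}
	}

	static byte[] serialize(Object o) throws IOException {
		ByteArrayOutputStream bytes = new ByteArrayOutputStream();
		try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
			out.writeObject(o);
		}
		return bytes.toByteArray();
	}

	static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
		try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
			return in.readObject();
		}
	}

	public static void main(String[] args) throws Exception {
		// Constructed input: an instance carrying a value the hook is meant to
		// reject. Serializing it stands in for a stream an attacker might supply.
		byte[] hostile = serialize(new WrongNetRequest(-1));
		WrongNetRequest w = (WrongNetRequest) deserialize(hostile);
		System.out.println("WrongNetRequest: hookRan=" + w.hookRan
				+ ", timeoutMillis=" + w.timeoutMillis);

		byte[] hostileChecked = serialize(new NetRequest(-1));
		try {
			deserialize(hostileChecked);
			System.out.println("NetRequest: accepted (unexpected)");
		} catch (InvalidObjectException e) {
			System.out.println("NetRequest: rejected, " + e.getMessage());
		}

		NetRequest ok = (NetRequest) deserialize(serialize(new NetRequest(500)));
		System.out.println("NetRequest: hookRan=" + ok.hookRan);
	}
}
```

Compile and run with javac SerializationHookDemo.java && java SerializationHookDemo. For WrongNetRequest the transient flag stays false and the negative timeout survives deserialization unchallenged, because ObjectInputStream only invokes a readObject that is private; for NetRequest the hook runs, rejects the negative value with InvalidObjectException, and sets the flag on the valid instance. A transient flag like this is a cheap way to confirm in a unit test that a hook is really wired in; the CodeQL query finds the mis-declared signature statically, before any round trip is needed.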

References