NonSerializableInnerClassTest.java
import java.io.Serializable;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectOutput;
import java.io.ObjectInput;
/**
 * Fixture of nested-class shapes for a static-analysis check on serializable inner classes.
 *
 * <p>A non-static inner class holds an implicit reference to its enclosing instance, so
 * default serialization of the inner object also tries to serialize the enclosing object.
 * If the enclosing class is not {@code Serializable}, this fails at runtime with
 * {@code NotSerializableException}. This top-level class deliberately does not implement
 * {@code Serializable}.
 *
 * <p>NOTE(review): the naming suggests that {@code Problematic*} classes are the ones the
 * check should report and {@code Ok*} classes the ones it should not; the expected-results
 * file is not visible here, so confirm against it before renaming or reordering anything.
 */
public class NonSerializableInnerClassTest {
// Serializable base class; static, so it has no enclosing instance of its own.
public static class S implements Serializable{}
// Instance state of the outer class; written from the nested anonymous class in instanceMethod().
public int field;
// Static nested class that is NOT Serializable: it is the enclosing instance of the inner classes below.
public static class Outer1{
// Inner class, directly Serializable, enclosing Outer1 is not.
public class Problematic1 implements Serializable{ }
// Inner class, Serializable through its superclass S, enclosing Outer1 is not.
public class Problematic2 extends S{ }
// Same shape as Problematic1 but annotated; presumably the "serial" suppression is honoured by the check.
@SuppressWarnings("serial")
public class Ok1 implements Serializable{ }
// Declares both private serialization hooks (empty bodies here).
// NOTE(review): presumably custom hooks are read as the author handling serialization explicitly.
public class Ok2 extends S{
private void readObject(ObjectInputStream oos){}
private void writeObject(ObjectOutputStream oos){}
}
// Declares only writeObject; apparently one custom hook is enough for the check to stay quiet (confirm).
public class Ok3 extends S{
private void writeObject(ObjectOutputStream oos){}
}
// Static nested class: no enclosing instance is captured.
public static class Ok4 extends S{ }
// Inner class that is not Serializable at all.
public class Ok5 { }
// in static contexts enclosing instances don't exist!
// (static initializer, static field initializer and static method below)
static{
Serializable ok6 = new Serializable(){ };
}
public static Serializable ok7 = new Serializable(){ };
public static void staticMethod(){
Serializable ok8 = new Serializable(){ };
}
}
// Static nested class that IS Serializable (via S), so it can be serialized as an enclosing instance.
public static class Outer2 extends S {
public class Ok9 implements Serializable{ }
}
// Non-static inner class of NonSerializableInnerClassTest: Serializable via S, but its enclosing class is not.
public class Problematic3 extends S {
public class Problematic4 implements Serializable{ } // because NonSerializableInnerClassTest is not serializable
}
// we currently ignore anonymous classes
// Both anonymous classes are created in an instance context; the inner one writes `field`
// on the enclosing NonSerializableInnerClassTest instance.
// NOTE(review): the "ok_ish" names suggest a known gap in the check rather than a safe shape.
public void instanceMethod(){
Serializable ok_ish1 = new Serializable(){
public void test(){
Serializable ok_ish2 = new Serializable(){
public void test(){
field = 5;
}
};
}
};
}
// the class is not used anywhere, but the serialVersionUID field is an indicator for later serialization
private class Problematic7 implements Serializable{
public static final long serialVersionUID = 123;
}
// the class is not used anywhere
private class Ok10 implements Serializable{ }
// instantiations of this class are only assigned to non-serializable variables
private class Ok11 implements Serializable{ }
// Only uses of Ok11 in this file: one instance stored in an Object variable, one passed to println.
public void test(){
Object o = new Ok11();
System.out.println(new Ok11());
}
}