Critical issue flagged by a Sonar scan: Fields in a Serializable class must themselves be either...

A Sonar scan flagged the issue below as critical (the original post shows a screenshot of the finding at this point).
Sonar's description of the rule:

Fields in a Serializable class must themselves be either Serializable or transient even if the class is never explicitly serialized or deserialized. That’s because under load, most J2EE application frameworks flush objects to disk, and an allegedly Serializable object with non-transient, non-serializable data members could cause program crashes, and open the door to attackers.

This rule raises an issue on non-Serializable fields, and on collection fields when they are not private (because they could be assigned non-Serializable values externally), and when they are assigned non-Serializable types within the class.

Cause:
The generic class implements java.io.Serializable, but its type parameter T is unbounded, so nothing guarantees that the elements stored in the List<T> field can be serialized. Sonar therefore cannot prove the field is Serializable and reports it.

Fix:
Bound the type parameter: T extends java.io.Serializable. Any attempt to instantiate the class with a non-serializable element type then becomes a compile error instead of a runtime NotSerializableException.

The full corrected code:

import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;

public class RequestList<T extends Serializable> implements Serializable {
    // static fields are never part of the serialized form, so serialVersionUID
    // needs neither the transient keyword nor a @Transient annotation
    // (the original carried an unimported @Transient here, which does not compile).
    private static final long serialVersionUID = -802357682595188366L;

    // List is an interface, but Sonar accepts a private collection field that
    // the class itself only assigns a Serializable implementation (ArrayList),
    // as long as the element type T is bounded to Serializable.
    // Note that setData() still trusts the caller to pass a Serializable List.
    private List<T> data;

    public RequestList() {
        data = new ArrayList<>();
    }

    public List<T> getData() {
        return data;
    }

    public void setData(List<T> data) {
        this.data = data;
    }
}
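The following is an added example, not code from the original post, that shows why the bound matters. It puts the unbounded "before" shape next to the bounded "after" shape and pushes both through the serialize/deserialize round trip that an application container performs when it passivates or replicates a session. The class names UnboundedRequestList, BoundedRequestList and RawHandle, and the roundTrip helper, are all constructed for this demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.NotSerializableException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;

public class SerializableBoundDemo {

    // "Before": T is unbounded, so a caller may store elements that cannot be
    // serialized; the class still compiles and still claims to be Serializable.
    static class UnboundedRequestList<T> implements Serializable {
        private static final long serialVersionUID = 1L;
        private List<T> data = new ArrayList<>();
        List<T> getData() { return data; }
    }

    // "After": the fix from the post. T must itself be Serializable.
    static class BoundedRequestList<T extends Serializable> implements Serializable {
        private static final long serialVersionUID = 1L;
        private List<T> data = new ArrayList<>();
        List<T> getData() { return data; }
    }

    // Constructed payload type that is deliberately NOT Serializable
    // (think of a handle wrapping a socket or a native resource).
    static final class RawHandle {
        final String name;
        RawHandle(String name) { this.name = name; }
    }

    // Serialize and immediately deserialize, which is exactly what happens when
    // a container flushes a session to disk or ships it to another node.
    static <S extends Serializable> S roundTrip(S obj) throws Exception {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(obj);
        }
        try (ObjectInputStream in =
                 new ObjectInputStream(new ByteArrayInputStream(bytes.toByteArray()))) {
            @SuppressWarnings("unchecked")
            S copy = (S) in.readObject();
            return copy;
        }
    }

    public static void main(String[] args) throws Exception {
        // 1. Unbounded: compiles, passes any test that never serializes,
        //    and fails the first time the container actually flushes it.
        UnboundedRequestList<RawHandle> unbounded = new UnboundedRequestList<>();
        unbounded.getData().add(new RawHandle("conn-42"));
        try {
            roundTrip(unbounded);
            System.out.println("unexpected: unbounded list serialized");
        } catch (NotSerializableException e) {
            System.out.println("unbounded list failed at runtime: " + e.getMessage());
        }

        // 2. Bounded: the same mistake is now rejected by javac, long before
        //    deployment. The next line does not compile if uncommented:
        // BoundedRequestList<RawHandle> rejected = new BoundedRequestList<>();

        BoundedRequestList<String> bounded = new BoundedRequestList<>();
        bounded.getData().add("order-1");
        bounded.getData().add("order-2");
        BoundedRequestList<String> copy = roundTrip(bounded);
        System.out.println("bounded list round-tripped: " + copy.getData());
    }
}
```

Running it prints a NotSerializableException naming RawHandle for the unbounded case and the two restored strings for the bounded case. The point Sonar is making is the gap between those two outcomes: without the bound, the failure only shows up under load, in the container's serialization path, rather than in the code that introduced the non-serializable element.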