A Sonar scan reported a critical issue, shown in the screenshot below.
Sonar's description of the rule:
Fields in a Serializable class must themselves be either Serializable or transient even if the class is never explicitly serialized or deserialized. That’s because under load, most J2EE application frameworks flush objects to disk, and an allegedly Serializable object with non-transient, non-serializable data members could cause program crashes, and open the door to attackers.
This rule raises an issue on non-Serializable fields, and on collection fields when they are not private (because they could be assigned non-Serializable values externally), and when they are assigned non-Serializable types within the class.
Cause:
The generic class implements java.io.Serializable, but nothing states whether the type parameter T is itself serializable, so Sonar cannot prove the `List<T>` field holds serializable elements. At runtime the same gap surfaces as a java.io.NotSerializableException the first time a framework flushes the object.
Fix:
Bound the type parameter: `T extends java.io.Serializable`. With the bound, any attempt to instantiate the class with a non-serializable element type is rejected by the compiler instead of failing when the object is written. The `data` field itself stays private and is initialised to an `ArrayList` (a Serializable implementation), which is the case the rule explicitly accepts for collection fields.
Full code:
```java
import java.util.ArrayList;
import java.util.List;

// T is bounded so only serializable element types can be used.
public class RequestList<T extends java.io.Serializable> implements java.io.Serializable {

    // serialVersionUID is static, and static fields are never part of the
    // serialized form, so no transient marker (or JPA @Transient) is needed here.
    private static final long serialVersionUID = -802357682595188366L;

    // Private collection field, initialised to a Serializable implementation.
    private List<T> data;

    public RequestList() {
        data = new ArrayList<T>();
    }

    public List<T> getData() {
        return data;
    }

    public void setData(List<T> data) {
        this.data = data;
    }
}
```
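To see what the bound actually buys, the following added example (not code from the original page) puts the unbounded and bounded shapes of the class side by side and serializes both with plain `ObjectOutputStream`. The classes `Plain`, `Record` and `NonSerializableList` are hypothetical payload types constructed for this demo; the `RequestList` variants are reduced copies of the class above.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.NotSerializableException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.AbstractList;
import java.util.ArrayList;
import java.util.List;

public class SerializableBoundDemo {

    // "Before": unbounded T, the shape Sonar flags. Nothing stops a caller
    // from storing a non-Serializable element here; it compiles fine.
    static class UnboundedRequestList<T> implements Serializable {
        private static final long serialVersionUID = 1L;
        private List<T> data = new ArrayList<>();
        void add(T item) { data.add(item); }
    }

    // "After": T is bounded, so the same mistake becomes a compile error.
    static class BoundedRequestList<T extends Serializable> implements Serializable {
        private static final long serialVersionUID = 1L;
        private List<T> data = new ArrayList<>();
        void add(T item) { data.add(item); }
        List<T> getData() { return data; }
        void setData(List<T> data) { this.data = data; }
    }

    // Hypothetical payload types, constructed for this demo.
    static class Plain { final String name; Plain(String n) { name = n; } } // not Serializable
    static class Record implements Serializable {
        private static final long serialVersionUID = 1L;
        final String name;
        Record(String n) { name = n; }
    }

    // Hypothetical List implementation that is deliberately not Serializable
    // (AbstractList does not implement Serializable; ArrayList does).
    static class NonSerializableList<E> extends AbstractList<E> {
        private final List<E> backing = new ArrayList<>();
        @Override public E get(int i) { return backing.get(i); }
        @Override public int size() { return backing.size(); }
        @Override public void add(int i, E e) { backing.add(i, e); }
    }

    static byte[] write(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object read(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // 1. Unbounded: compiles, but fails the moment the object is written.
        UnboundedRequestList<Plain> bad = new UnboundedRequestList<>();
        bad.add(new Plain("x"));
        try {
            write(bad);
            System.out.println("unexpected: unbounded list serialized");
        } catch (NotSerializableException e) {
            System.out.println("unbounded list failed at runtime: " + e.getMessage());
        }

        // 2. Bounded: the bad instantiation no longer compiles, the good one round-trips.
        // BoundedRequestList<Plain> rejected = new BoundedRequestList<>(); // compile error: Plain is outside the bound
        BoundedRequestList<Record> good = new BoundedRequestList<>();
        good.add(new Record("x"));
        @SuppressWarnings("unchecked")
        BoundedRequestList<Record> copy = (BoundedRequestList<Record>) read(write(good));
        System.out.println("bounded list round-tripped " + copy.getData().size() + " element(s)");

        // 3. Caveat: the bound covers the elements, not the List implementation.
        // A public setter accepting any List can still receive a non-Serializable one.
        BoundedRequestList<Record> caveat = new BoundedRequestList<>();
        caveat.setData(new NonSerializableList<>());
        try {
            write(caveat);
            System.out.println("unexpected: non-Serializable List serialized");
        } catch (NotSerializableException e) {
            System.out.println("elements are bounded but the List itself is not Serializable: " + e.getMessage());
        }
    }
}
```

Case 3 is the practical caveat: Sonar accepts the private `data` field because it is initialised to an `ArrayList`, but `setData(List<T>)` lets a caller swap in any `List` implementation at runtime, and the compiler has no way to check that. If the setter has to stay, either copy the argument into a new `ArrayList` or make the field type a Serializable concrete class.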