Merge pull request #18480 from github/smowton/admin/document-serialization-proxy

smowton · web-flow · commit 3e10e78c9547 · 2025-01-14T12:34:01.000Z
Java: document serialization proxy pattern
diff --git a/java/ql/src/Likely Bugs/Serialization/MissingVoidConstructorsOnSerializable.qhelp b/java/ql/src/Likely Bugs/Serialization/MissingVoidConstructorsOnSerializable.qhelp
@@ -23,7 +23,9 @@ is not the case. The error will be detected at runtime. </p>
 
 </overview>
 <recommendation>
-<p>Make sure that every non-serializable class that is extended by a serializable class has a no-argument constructor.</p>
+<p>Make sure that every non-serializable class that is extended by a serializable class has a no-argument constructor.
+Alternatively, consider defining a <code>writeReplace</code> method that replaces the <code>Serializable</code> class instance with
+a serialization proxy, so as to avoid direct deserialization of a class whose parent lacks a no-argument constructor.</p>
 
 </recommendation>
 <example>
