Programmers often fall into the trap of suppressing or ignoring checked exceptions. Unless there is a valid reason for ignoring exceptions, such as the client cannot be expected to stage a recovery, it is important to handle them appropriately. Because the exception disrupts the expected control flow of the application, care must be taken to ensure that all statements in the try
block, before the catch
block, execute as expected. Failure to take the actual system state into account when the exception is caught may result in security issues if the application continues to execute as if nothing has happened.
Noncompliant Code Example
This noncompliant code example adorns the catch
block with an ignore comment and forgoes appropriate exception handling.
Code Block | ||
---|---|---|
| ||
try { //... } catch(IOException ioe) { // Ignore } |
Noncompliant Code Example
Printing the exception's stack trace can be useful for debugging purposes but is equivalent to ignoring the exception, as this noncompliant code example demonstrates.
Code Block | ||
---|---|---|
| ||
try { //... }catch(IOException ioe) { ioe.printStacktrace(); } |
Note that even though the application reacts to the exception by printing out a stack trace, the application still proceeds as if the exception was not thrown, that is, the future long term behavior of the application does not change based on the throwing of the exception. Given that the resulting IOException
indicates that an operation attempted by the application failed, it is unlikely that the application will be able to operate successfully in the future by assuming that the attempted operation succeeded.
Compliant Solution
This compliant solution attempts to recover from a FileNotFoundException
by forcing the user to specify another file when a particular file does not exist in the user-specific directory.
Code Block | ||
---|---|---|
| ||
try { // Requested file does not exist } catch(FileNotFoundException e) { // Ask the user for a different filename } |
Exceptions
EX1: It is reasonable to ignore handling an exception that occurs within a catch
or finally
block, such as when closing a FileInputStream
object.
EX2: It is also permissible to ignore handling an exception when it is not possible to recover from the exceptional condition at that abstraction level. In such cases, the exception must be thrown so that higher level code can try recovering from the exceptional condition by catching and handling it.
Code Block | ||
---|---|---|
| ||
// When recovery is possible at higher levels private void doSomething() throws FileNotFoundException { // Requested file does not exist; throws FileNotFoundException // Higher level code can handle it by displaying a dialog box and asking // the user for the file name } |
If the higher level code is also incapable of staging a recovery, the checked exception may be wrapped in an unchecked exception and re-thrown.
Code Block | ||
---|---|---|
| ||
try { // Requested file does not exist // User is unable to supply the file name }catch(FileNotFoundException e) { throw new RuntimeException(e); } |
Risk Assessment
Ignoring or suppressing exceptions violates the fail-safe criteria of an application.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
EXC00- J | low | probable | medium | P4 | L3 |
Automated Detection
TODO
Related Vulnerabilities
References
Wiki Markup |
---|
\[[JLS 05|AA. Java References#JLS 05]\] [Chapter 11, Exceptions|http://java.sun.com/docs/books/jls/third_edition/html/exceptions.html] \[[Bloch 08|AA. Java References#Bloch 08]\] Item 65: "Don't ignore exceptions", Item 62: "Document all exceptions thrown by each method" \[[MITRE 09|AA. Java References#MITRE 09]\] [CWE ID 390|http://cwe.mitre.org/data/definitions/390.html] "Detection of Error Condition Without Action" |
13. Exceptional Behavior (EXC) 13. Exceptional Behavior (EXC) EXC01-J. Use a class dedicated to reporting exceptions