
...

Noncompliant code example (the logging routine recurses into itself when logging fails):
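/*
 * NONCOMPLIANT example. The logic is kept exactly as the page presents it so
 * the defect stays visible; only the extraction damage (doubled quotes, the
 * garbled loop bound) has been repaired so the listing compiles.
 */
public class ExceptionLog implements Runnable {
  /**
   * Appends {@code message} to log_file.txt (and echoes it to stderr) while
   * holding an exclusive lock on the file.
   *
   * What makes this noncompliant:
   *  - Every catch block calls logMessage() again. If the failure persists
   *    (the file cannot be opened, or the lock is already held by another
   *    thread in this JVM, which FileChannel.lock() reports as
   *    OverlappingFileLockException rather than blocking), the call keeps
   *    recursing until the condition clears or the stack overflows.
   *  - The recursive call replaces the original text with a generic one, so
   *    the event that mattered (e.g. the SecurityException in run()) is never
   *    recorded anywhere.
   *  - A release()/close() failure in finally is rethrown as RuntimeException
   *    out of a logging call; it replaces any exception already propagating
   *    and takes down the calling thread.
   *
   * @param message text to append; written verbatim, so callers must not pass
   *                attacker-influenced text containing line breaks (log forging)
   */
  public void logMessage(String message) {
    FileOutputStream fo = null;
    FileLock lock = null;

    try {
      // Opening the file can throw (missing directory, permissions) and then
      // nothing is logged.
      fo = new FileOutputStream("log_file.txt", true);

      // Exclusive lock so only one writer appends at a time. This blocks while
      // another process holds the lock but throws OverlappingFileLockException
      // if a thread in this JVM already holds it.
      lock = fo.getChannel().lock();

      System.err.println(message);
      // getBytes() with no charset uses the platform default encoding.
      fo.write((message + "\n").getBytes());
    }

    // NONCOMPLIANT: each handler recurses into logMessage() and drops the
    // original message.
    catch (FileNotFoundException e) {
      logMessage("File Not Found Exception.");
    }
    catch (IOException e) {
      logMessage("IO Exception.");
    }
    catch (OverlappingFileLockException e) {
      logMessage("Cannot access file.");
    }
    finally {
      // Release the lock and close the file.
      try {
        if (lock != null) {
          lock.release();
        }

        if (fo != null) {
          fo.close();
        }
      } catch (IOException e) {
        // NONCOMPLIANT: propagates out of a logging call and masks any
        // exception that was already in flight.
        throw new RuntimeException(e);
      }
    }
  }

  /** Placeholder worker body: a SecurityException raised here is only logged. */
  public void run() {
    try {
      // Some security exception occurs here.
    } catch (SecurityException se) {
      logMessage("Security Exception has occurred!");
    }
  }

  /** Starts 20 threads that all contend for the same log file. */
  public static void main(String[] args) {
    for (int x = 1; x <= 20; x++) {
      (new Thread(new ExceptionLog())).start();
    }
  }
}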

...

Compliant solution (a shared java.util.logging.Logger whose log() call does not itself throw):
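/*
 * Compliant solution. Each worker logs through one shared, pre-configured
 * Logger; Logger.log() does not throw when a handler fails, so a logging call
 * can no longer trigger a second exception and lose the original message.
 * The listing's extraction damage (doubled quotes, garbled loop bound) has
 * been repaired so it compiles.
 */
public class ExceptionLog implements Runnable {
  private final Logger logger;
  private final Integer id;

  /**
   * @param i identifier prefixed to every message this worker logs
   * @param l shared logger, already configured by the caller (see main())
   */
  public ExceptionLog(Integer i, Logger l) {
    logger = l;
    id = i;
  }

  /**
   * Logs {@code message} at WARNING, tagged with this worker's id.
   *
   * Logger.log() does not throw exceptions while logging a message (in the
   * JDK, handler failures are reported through the handler's ErrorManager
   * instead of being thrown), so the caller's original exception context is
   * never displaced by a logging failure.
   *
   * @param message text to log; it is written verbatim by SimpleFormatter, so
   *                attacker-influenced text should be stripped of line breaks
   *                and control characters first to prevent log forging
   */
  public void logMessage(String message) {
    logger.log(Level.WARNING, "From " + id + ": " + message);
  }

  /** Placeholder worker body: a SecurityException raised here is only logged. */
  public void run() {
    try {
      // Some security exception occurs here.
    } catch (SecurityException se) {
      logMessage("Security Exception has occurred!");
    }
  }

  /**
   * Configures one file-backed logger and starts 20 workers that share it.
   * Logging setup failures are fatal here because nothing else could report
   * them; they are rethrown rather than silently ignored.
   */
  public static void main(String[] args) {
    try {
      Logger logger = Logger.getLogger("MyLog");
      // append=true so a restart does not truncate earlier entries. The file is
      // created in the working directory with the process's default file
      // permissions -- NOTE(review): confirm the deployment points this at a
      // dedicated log location that is not world-readable.
      FileHandler fh = new FileHandler("log_file.txt", true);
      logger.addHandler(fh);
      logger.setLevel(Level.ALL);
      SimpleFormatter formatter = new SimpleFormatter();
      fh.setFormatter(formatter);

      // Start multiple threads for logging messages.
      for (int x = 1; x <= 20; x++) {
        (new Thread(new ExceptionLog(x, logger))).start();
      }
    } catch (SecurityException e) {
      // Missing LoggingPermission or file permission: logging cannot be set up.
      throw new RuntimeException(e);
    } catch (IOException e) {
      // The log file could not be opened or created.
      throw new RuntimeException(e);
    }
  }
}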

...

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

\[[API 06|AA. Java References#API 06]\] [Class Logger|http://java.sun.com/javase/6/docs/api/java/util/logging/Logger.html]
\[[JLS 05|AA. Java References#JLS 05]\] [Chapter 11, Exceptions|http://java.sun.com/docs/books/jls/third_edition/html/exceptions.html]

...
