Versions Compared


...

Printing the exception's stack trace can be useful for debugging purposes but results in program execution that is equivalent to suppressing the exception. Printing the stack trace can also result in unintentionally leaking information about the structure and state of the process to an attacker. (See ERR06-J. Do not allow exceptions to expose sensitive information for more information.)

Code Block
import java.io.IOException;

try {
  //...
} catch (IOException ioe) {
  ioe.printStackTrace(); // prints the trace, then execution continues as if the exception had been suppressed
}

...

Code Block
import java.io.FileNotFoundException;

volatile boolean validFlag = false;
do {
  try {
    // If the requested file does not exist, throws FileNotFoundException
    // If the requested file exists, sets the flag validFlag to true
    validFlag = true;
  } catch (FileNotFoundException e) {
    // Ask the user for a different file name
  }
} while (!validFlag);
// Use the file

To comply with ERR06-J. Do not allow exceptions to expose sensitive information, the user is only allowed to access files in a user-specific directory. This prevents any other IOException that escapes the loop from leaking sensitive file system information.

...

Sometimes exceptions must be hidden from the user for security reasons (see ERR06-J. Do not allow exceptions to expose sensitive information). In such cases, one acceptable approach is to subclass the ExceptionReporter class and add a filter() method in addition to overriding the default report() method.
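The confined-directory retry loop and a filtering reporter together, as an added Java example that is not part of the rule page or of the ExceptionReporter class it refers to; the ConfinedFileOpener class, the FilteredReporter stand-in, and the /srv/files/alice directory are assumptions made for illustration.

```java
import java.io.*;
import java.nio.file.*;
import java.util.*;

public class ConfinedFileOpener {
    // Assumption: the per-user directory; the path is a placeholder for this example.
    private static final Path USER_DIR = Paths.get("/srv/files/alice").toAbsolutePath().normalize();

    // Hypothetical stand-in for an ExceptionReporter subclass: filter() decides what the user may see.
    static final class FilteredReporter {
        String filter(Exception e) {
            return (e instanceof FileNotFoundException)
                ? "The requested file was not found; please enter another name."
                : "The file could not be opened.";
        }
        void report(Exception e) {
            System.err.println(filter(e)); // no stack trace and no message taken from the exception itself
        }
    }

    // Opens the named file only if it resolves inside USER_DIR; anything else is treated as not found,
    // so no IOException escaping this method can describe paths outside the user's directory.
    static InputStream openConfined(String requestedName) throws IOException {
        Path resolved = USER_DIR.resolve(requestedName).normalize();
        if (!resolved.startsWith(USER_DIR)) {
            throw new FileNotFoundException("outside user directory"); // refused without revealing the real path
        }
        return new FileInputStream(resolved.toFile());
    }

    // The retry loop from the text: FileNotFoundException means ask for another name;
    // every other IOException propagates to the caller instead of being swallowed.
    static InputStream openWithRetry(Iterator<String> names, FilteredReporter reporter) throws IOException {
        while (names.hasNext()) {
            try {
                return openConfined(names.next());
            } catch (FileNotFoundException e) {
                reporter.report(e);
            }
        }
        throw new FileNotFoundException("no valid file name supplied");
    }

    public static void main(String[] args) throws IOException {
        // Constructed input standing in for user prompts: a name outside the directory, a missing file, then a real one.
        Iterator<String> names = Arrays.asList("../bob/notes.txt", "missing.txt", "notes.txt").iterator();
        try (InputStream in = openWithRetry(names, new FilteredReporter())) {
            System.out.println("Opened; first byte: " + in.read());
        }
    }
}
```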

...

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="3a7285c0e7a6aa6b-3df1f5da-4ab6449e-a8d08061-f518766cc5d013cb58770a8b"><ac:plain-text-body><![CDATA[
[MITRE 2009] CWE-390, "Detection of Error Condition Without Action" (http://cwe.mitre.org/data/definitions/390.html)
]]></ac:plain-text-body></ac:structured-macro>

...

...