...
This compliant solution handles a FileNotFoundException
by requesting that the user specify another file name:
Code Block | ||
---|---|---|
| ||
volatile boolean validFlag = false; do { try { // ... // If requested file does not exist, throws FileNotFoundException // If requested file exists, sets validFlag to true validFlag = true; } catch (FileNotFoundException e) { // Ask the user for a different file name } } while (validFlag != true); // Use the file |
...
Code Block | ||
---|---|---|
| ||
public interface Reporter {
public void report(Throwable t);
}
class ExceptionReporterPermission extends Permission {
// ...
}
public class ExceptionReporter {
// Exception reporter that prints the exception
// to the console (used as default)
private static final Reporter PrintException = new Reporter() {
public void report(Throwable t) {
System.err.println(t.toString());
}
};
// Stores the default reporter
// The default reporter can be changed by the user
private static Reporter Default = PrintException;
// Helps change the default reporter back to
// PrintException in the future
public static Reporter getPrintException() {
return PrintException;
}
public static Reporter getExceptionReporter() {
return Default;
}
// May throw a SecurityException (which is unchecked)
public static void setExceptionReporter(Reporter reporter) {
// Custom permission
ExceptionReporterPermission perm = new
ExceptionReporterPermission("exc.reporter");
SecurityManager sm = System.getSecurityManager();
if (sm != null) {
// Check whether the caller has appropriate permissions
sm.checkPermission(perm);
}
// Change the default exception reporter
Default = reporter;
}
}
|
...
Code Block | ||
---|---|---|
| ||
class MyExceptionReporter extends ExceptionReporter { private static final Logger logger = Logger.getLogger("com.organization.Log"); public static void report(Throwable t) { t try {= filter(t); if (t final!= Throwablenull) filteredException{ = logger.log(Level.FINEST, "Loggable exception occurred", t); } (t instanceof NonSensitiveException_1) ? t :} public static Exception filter(Throwable t); { if (t }instanceof finallySensitiveException1) { // DoToo anysensitive, necessaryreturn usernothing reporting (so that no logging happens) // (show dialog box or send to console)return null; } else if (filteredExceptiont instanceof NonSensitiveCommonExceptionSensitiveException2) { // logger.log(Level.FINEST, "Loggable exception occurred", t);Return a default insensitive exception instead } return new FilteredSensitiveException(t); } } public static Exception filter(Throwable t) { if (t instanceof SensitiveForLoggingException_1) { // ... // Return for reporting to the user // Do not log sensitive information (whitelist) return SensitiveCommonException(); } return t; } } // ... Definitions for SensitiveException1, SensitiveException2 // Return for reporting to the user return new NonSensitiveCommonException(); } } and FilteredSensitiveException... |
The report()
method accepts a Throwable
instance and consequently handles all errors, checked exceptions, and unchecked exceptions. The filtering mechanism is based on a whitelisting approach wherein only nonsensitive exceptions are propagated to the user. Exceptions that are forbidden to appear in a log file can be filtered in the same fashion (see FIO13-J. Do not log sensitive information outside a trust boundary). This approach provides the benefits of exception chaining by reporting exceptions tailored to the abstraction while also logging the low-level cause for future failure analysis [Bloch 2008].
...
Consequently, calling methods (or code from a calling thread) can determine that an interrupt was issued [Goetz 2006].
Exceptions
ERR00-J-EX0: Exceptions that occur during the freeing of a resource may be suppressed in those cases where failure to free the resource cannot affect future program behavior. Examples of freeing resources include closing files, network sockets, shutting down threads, and so forth. Such resources are often freed in catch
or finally
blocks and never reused during subsequent execution. Consequently, the exception cannot influence future program behavior through any avenue other than resource exhaustion. When resource exhaustion is adequately handled, it is sufficient to sanitize and log the exception for future improvement; additional error handling is unnecessary in this case.
ERR00-J-EX1: When recovery from an exceptional condition is impossible at a particular abstraction level, code at that level must not handle that exceptional condition. In such cases, an appropriate exception must be thrown so that higher level code can catch the exceptional condition and attempt recovery. The most common implementation for this case is to omit a catch
block and allow the exception to propagate normally:
...
Alternatively, when higher level code is also unable to recover from a particular exception, the checked exception may be wrapped in an unchecked exception and rethrown.
ERR00-J-EX2: An InterruptedException
may be caught and suppressed when extending class Thread
[Goetz 2006]. An interruption request may also be suppressed by code that implements a thread's interruption policy [Goetz 2006, p. 143].
...
Ignoring or suppressing exceptions can result in inconsistent program state.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
ERR00-J | Low | Probable | Medium | P4 | L3 |
Automated Detection
Detection of suppressed exceptions is straightforward. Sound determination of which specific cases represent violations of this rule and which represent permitted exceptions to the rule is infeasible. Heuristic approaches may be effective.
Tool | Version | Checker | Description | |||||
---|---|---|---|---|---|---|---|---|
CodeSonar |
| JAVA. |
...
STRUCT.EXCP.EEH | Empty Exception Handler (Java) | ||||||||
Coverity | 7.5 | MISSING_THROW | Implemented | ||||||
Parasoft Jtest |
| CERT.ERR00.LGE CERT.ERR00.UCATCH | Ensure all exceptions are either logged with a standard logger or rethrown Use a caught exception in the "catch" block | ||||||
PVS-Studio |
| V5301 | |||||||
SonarQube |
| S1166 | Exception handlers should preserve the original exceptions |
Tool | Version | Checker | Description |
---|---|---|---|
Coverity | 7.5 | MISSING_THROW | Implemented |
Parasoft Jtest | 9.5 | SECURITY.UEHL.LGE, UC.UCATCH | Implemented |
Related Vulnerabilities
AMQ-1272 describes a vulnerability in the ActiveMQ service. When ActiveMQ receives an invalid username and password from a Stomp client, a security exception is generated but is subsequently ignored, leaving the client connected with full and unrestricted access to ActiveMQ.
Related Guidelines
Bibliography
Item 62, "Document All Exceptions Thrown by Each Method" | |
Section 5.4, "Blocking and Interruptible Methods" | |
[JLS 2015] |
...
...