Kingdom: Errors

Errors and error handling represent a class of API. Errors related to error handling are so common that they deserve a special kingdom of their own. As with "API Abuse," there are two ways to introduce an error-related security vulnerability: the most common one is handling errors poorly (or not at all). The second is producing errors that either give out too much information (to possible attackers) or are difficult to handle.

Poor Error Handling: Return Inside Finally

Java/JSP
PHP

Abstract

Returning from inside a finally block will cause exceptions to be lost.

Explanation

A return statement inside a finally block will cause any exception that might be thrown in the try block to be discarded.

Example 1: In the following code excerpt, the MagicException thrown by the second call to doMagic with true passed to it will never be delivered to the caller. The return statement inside the finally block will cause the exception to be discarded.


public class MagicTrick {

public static class MagicException extends Exception { }

public static void main(String[] args) {

  System.out.println("Watch as this magical code makes an " +
                     "exception disappear before your very eyes!");

  System.out.println("First, the kind of exception handling " +
                     "you're used to:");
  try {
    doMagic(false);
  } catch (MagicException e) {
    // An exception will be caught here
    e.printStackTrace();
  }

  System.out.println("Now, the magic:");
  try {
    doMagic(true);
  } catch (MagicException e) {
    // No exception caught here, the finally block ate it
    e.printStackTrace();
  }
  System.out.println("tada!");
}

public static void doMagic(boolean returnFromFinally)
throws MagicException {

  try {
    throw new MagicException();
  }
  finally {
    if (returnFromFinally) {
      return;
    }
  }
}

}

References

[1] ERR04-J. Do not complete abruptly from a finally block CERT

[2] Standards Mapping - Common Weakness Enumeration CWE ID 584

[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-001314, CCI-003272

[4] Standards Mapping - FIPS200 AU

[5] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SA-15 Development Process and Standards and Tools (P2), SI-11 Error Handling (P2)

[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 SA-15 Development Process and Standards and Tools, SI-11 Error Handling

[8] Standards Mapping - OWASP Top 10 2004 A7 Improper Error Handling

[9] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling

[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.7

[11] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.2, Requirement 6.5.6

[12] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5

[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5

[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5

[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5

[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5

[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[18] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention

[19] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention, Control Objective B.3.2 - Terminal Software Attack Mitigation

[20] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention, Control Objective B.3.2 - Terminal Software Attack Mitigation

[21] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3120 CAT II

[22] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3120 CAT II

[23] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3120 CAT II

[24] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3120 CAT II

[25] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3120 CAT II

[26] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3120 CAT II

[27] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3120 CAT II

[28] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[29] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

desc.structural.java.poor_error_handling_return_inside_finally

Abstract

Returning from inside a finally block will cause exceptions to be lost.

Explanation

A return statement inside a finally block will cause any exception that might be thrown in the try block to be discarded.

Example 1: In the following code excerpt, the exception thrown by the second call to doMagic with True passed to it will never be delivered to the caller. The return statement inside the finally block will cause the exception to be discarded.

        "disappear before your very eyes!" . PHP_EOL;

echo "First, the kind of exception handling " .
        "you're used to:" . PHP_EOL;

try {
    doMagic(False);
} catch (exception $e) {
    // An exception will be caught here
    echo $e->getMessage();
}

echo "Now, the magic:" . PHP_EOL;

try {
    doMagic(True);
} catch (exception $e) {
    // No exception caught here, the finally block ate it
    echo $e->getMessage();
}

echo "Tada!" . PHP_EOL;

function doMagic($returnFromFinally) {
    try {
        throw new Exception("Magic Exception" . PHP_EOL);
    }
    finally {
        if ($returnFromFinally) {
            return;
        }
    }
}
?>