Kingdom: Errors

Errors and error handling represent a class of API. Errors related to error handling are so common that they deserve a special kingdom of their own. As with "API Abuse," there are two ways to introduce an error-related security vulnerability: the most common one is handling errors poorly (or not at all). The second is producing errors that either give out too much information (to possible attackers) or are difficult to handle.

Poor Error Handling: Throw Inside Finally

Java/JSP

Abstract

Using a throw statement inside a finally block breaks the logical progression through the try-catch-finally.

Explanation

In Java, finally blocks are always executed after their corresponding try-catch blocks and are often used to free allocated resources, such as file handles or database cursors. Throwing an exception in a finally block can bypass critical cleanup code since normal program execution will be disrupted.

Example 1: In the following code, the call to stmt.close() is bypassed when the FileNotFoundException is thrown.


public void processTransaction(Connection conn) throws FileNotFoundException
{
    FileInputStream fis = null;
    Statement stmt = null;
    try
    {
        stmt = conn.createStatement();
        fis = new FileInputStream("badFile.txt");
        ...
    }
    catch (FileNotFoundException fe)
    {
        log("File not found.");
    }
    catch (SQLException se)
    {
        //handle error
    }
    finally
    {
        if (fis == null)
        {
            throw new FileNotFoundException();
        }

        if (stmt != null)
        {
            try
            {
                stmt.close();
            }
            catch (SQLException e)
            {
                log(e);
            }
        }
    }
}

References

[1] Sun Microsystems, Inc. Java Sun Tutorial

[2] ERR05-J. Do not let checked exceptions escape from a finally block CERT

[3] Standards Mapping - Common Weakness Enumeration CWE ID 398

[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-001314, CCI-003272

[5] Standards Mapping - FIPS200 AU

[6] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SA-15 Development Process and Standards and Tools (P2), SI-11 Error Handling (P2)

[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 SA-15 Development Process and Standards and Tools, SI-11 Error Handling

[9] Standards Mapping - OWASP Top 10 2004 A7 Improper Error Handling

[10] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling

[11] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.7

[12] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.2, Requirement 6.5.6

[13] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5

[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5

[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5

[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5

[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[19] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention

[20] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention, Control Objective B.3.2 - Terminal Software Attack Mitigation

[21] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention, Control Objective B.3.2 - Terminal Software Attack Mitigation

[22] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3120 CAT II

[23] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3120 CAT II

[24] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3120 CAT II

[25] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3120 CAT II

[26] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3120 CAT II

[27] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3120 CAT II

[28] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3120 CAT II

[29] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

desc.structural.java.poor_error_handling_throw_inside_finally