Reino: Errors

Los errores y su tratamiento representan una clase de API. Los errores relacionados con el tratamiento de errores son tan comunes que se merecen una sección por sí mismos. Tal como sucede con los "abusos de la API", hay dos formas de presentar una vulnerabilidad de seguridad relacionada con los errores: la más común es tratar los errores inadecuadamente (o no llegar a hacerlo). La segunda es producir errores que dan demasiada información (a posibles atacantes) o que son difíciles de tratar.

Poor Error Handling: Throw Inside Finally

Java/JSP

Abstract

Usar una instrucción throw dentro de un bloque finally rompe la progresión lógica de try-catch-finally.

Explanation

En Java, los bloques finally siempre se ejecutan después de su bloque try-catch correspondiente y se utilizan frecuentemente para liberar recursos asignados, como controladores de archivos o cursores de base de datos. Lanzar una excepción en un bloque finally puede derivar el código de limpieza crítico, puesto que la ejecución normal del programa se interrumpirá.

Ejemplo 1: en el código siguiente, la llamada para stmt.close() se deriva cuando se lanza la FileNotFoundException.


public void processTransaction(Connection conn) throws FileNotFoundException
{
    FileInputStream fis = null;
    Statement stmt = null;
    try
    {
        stmt = conn.createStatement();
        fis = new FileInputStream("badFile.txt");
        ...
    }
    catch (FileNotFoundException fe)
    {
        log("File not found.");
    }
    catch (SQLException se)
    {
        //handle error
    }
    finally
    {
        if (fis == null)
        {
            throw new FileNotFoundException();
        }

        if (stmt != null)
        {
            try
            {
                stmt.close();
            }
            catch (SQLException e)
            {
                log(e);
            }
        }
    }
}

References

[1] Sun Microsystems, Inc. Java Sun Tutorial

[2] ERR05-J. Do not let checked exceptions escape from a finally block CERT

[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1.0

[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0

[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal

[7] Standards Mapping - Common Weakness Enumeration CWE ID 398

[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-001314, CCI-003272

[9] Standards Mapping - FIPS200 AU

[10] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SA-15 Development Process and Standards and Tools (P2), SI-11 Error Handling (P2)

[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SA-15 Development Process and Standards and Tools, SI-11 Error Handling

[13] Standards Mapping - OWASP Top 10 2004 A7 Improper Error Handling

[14] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling

[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.7

[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.2, Requirement 6.5.6

[17] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[23] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention

[24] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention, Control Objective B.3.2 - Terminal Software Attack Mitigation

[25] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention, Control Objective B.3.2 - Terminal Software Attack Mitigation

[26] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3120 CAT II

[27] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3120 CAT II

[28] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3120 CAT II

[29] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3120 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3120 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3120 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3120 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

desc.structural.java.poor_error_handling_throw_inside_finally