RSPEC-1989

Exceptions should not be thrown from servlet methods

    Details

    • Message:
      Handle the following exception(s) that could be thrown by "xxx": ExceptionType.
    • Default Severity:
      Minor
    • Impact:
      Low
    • Likelihood:
      Low
    • Default Quality Profiles:
      Sonar way
    • Covered Languages:
      Java
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      20min
    • Analysis Scope:
      Main Sources
    • Implementation details:
    • CERT:
      ERR01-J.
    • CWE:
      CWE-600
    • OWASP:
      A3

      Description

      Even though the signatures of servlet methods include "throws IOException, ServletException", letting such exceptions propagate out of the servlet is a bad idea. An uncaught exception can leave the system in a vulnerable state, possibly enabling denial-of-service attacks, and it can expose sensitive information: when a servlet throws an exception, the servlet container typically sends debugging information (such as a stack trace) back to the user, and that information can be very valuable to an attacker.

      This rule checks that all exceptions in methods named "do*" of servlet classes are explicitly handled.

      Noncompliant Code Example

      public void doGet(HttpServletRequest request, HttpServletResponse response)
        throws IOException, ServletException {
        String ip = request.getRemoteAddr();
        InetAddress addr = InetAddress.getByName(ip); // Noncompliant; getByName(String) throws UnknownHostException
        //...
      }

      Compliant Solution

      public void doGet(HttpServletRequest request, HttpServletResponse response)
        throws IOException, ServletException {
        try {
          String ip = request.getRemoteAddr();
          InetAddress addr = InetAddress.getByName(ip);
          //...
        }
        catch (UnknownHostException uhex) {
          //...
        }
      }
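      The compliant solution above elides the catch body. The following complete servlet is an added example, not part of the rule text or of SonarSource's code; it assumes the javax.servlet API, and the class name LookupServlet and helper sendGenericError are hypothetical. It shows the handling the rule asks for: every checked exception from the lookup and from writing the response is caught inside doGet, the details go to the server log, and the client only ever receives a generic status.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.logging.Level;
import java.util.logging.Logger;

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet used to illustrate RSPEC-1989 (not from the page).
public class LookupServlet extends HttpServlet {
  private static final Logger LOG = Logger.getLogger(LookupServlet.class.getName());

  // No throws clause: an overriding method may declare fewer exceptions than
  // HttpServlet.doGet, so nothing checked can escape to the container.
  @Override
  protected void doGet(HttpServletRequest request, HttpServletResponse response) {
    String ip = request.getRemoteAddr();
    try {
      InetAddress addr = InetAddress.getByName(ip);
      response.setContentType("text/plain");
      response.getWriter().println("Resolved: " + addr.getCanonicalHostName());
    } catch (UnknownHostException uhex) {
      // Details stay in the server log; the client gets a generic status only.
      LOG.log(Level.WARNING, "Lookup failed for remote address " + ip, uhex);
      sendGenericError(response, HttpServletResponse.SC_BAD_REQUEST);
    } catch (IOException ioex) {
      LOG.log(Level.SEVERE, "I/O failure while writing the response", ioex);
      sendGenericError(response, HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
    }
  }

  // Sends a fixed, non-revealing error page. Uses reset() so nothing written
  // before the failure (partial output) leaks to the client.
  private static void sendGenericError(HttpServletResponse response, int status) {
    if (response.isCommitted()) {
      return; // headers already sent; nothing more can be changed
    }
    try {
      response.reset();
      response.sendError(status, "Request could not be processed");
    } catch (IOException ioex) {
      LOG.log(Level.SEVERE, "Could not send error response", ioex);
    }
  }
}
```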

      See

        People

        • Assignee:
          Unassigned
        • Reporter:
          ann.campbell.2 Ann Campbell