Empty Try Block Vulnerability
What does this mean?
Empty try blocks either indicate dead code or the existence of debug code.
What can happen?
An empty try block serves no purpose. When the source is compiled to bytecode, an empty try block is optimized away and never reaches the final program. An empty try block usually indicates that code has been deleted or commented out, leaving an exception handler that no longer protects anything. Poor code quality of this kind leads to unpredictable behavior; from the user's standpoint this frequently shows up as poor usability, and it gives an attacker a chance to stress the system in unanticipated ways.
Recommendation
- A try block should not be left empty: either restore the code it was meant to protect or delete the block entirely, because an empty try block offers no functional use.
Sample Code
Vulnerable :
string text = "";
try
{
//text = File.ReadAllText(fileName); // Noncompliant
}
catch (Exception exc)
{
logger.Log(exc);
}
Non Vulnerable :
string text = "";
try
{
text = File.ReadAllText(fileName);
}
catch (Exception exc)
{
logger.Log(exc);
}
Vulnerable :
try {
//rs = stmt.executeQuery(query);
}
catch(SQLException e) {
log(e);
}
Non Vulnerable :
try {
rs = stmt.executeQuery(query);
}
catch(SQLException e) {
log(e);
}
Vulnerable :
try {
//foo(); // Non Compliant
} catch (SomeCustomException $e) {
}
Non Vulnerable :
try {
foo(); // Compliant
} catch (SomeCustomException $e) {
}
Vulnerable :
try {
//callback(); // Vulnerable
} catch (e) {
console.log("Failed to run", e);
}
Non Vulnerable :
try {
callback(); // Non Vulnerable
} catch (e) {
console.log("Failed to run", e);
}