
Empty Try Block Vulnerability

What does this mean?

Empty try blocks are either dead code or indicate the presence of debug code.

What can happen?

An empty try block serves no functional purpose. When compiled to bytecode it is optimized away and never makes it into the finished program. An empty try block usually indicates code that has been removed or commented out, leaving a catch handler that no longer guards anything. Poor code quality leads to unpredictable behavior: from a user's perspective that often manifests itself as poor usability, and for an attacker it provides an opportunity to stress the system in unexpected ways.

Recommendation

  • A try block should not be empty: either restore the code it was meant to guard or remove the try/catch entirely, since an empty one serves no functional purpose.

Sample Code

Vulnerable :

string text = "";
try
{
    //text = File.ReadAllText(fileName); // Noncompliant
}
catch (Exception exc)
{
    logger.Log(exc);
}

Non Vulnerable :

string text = "";
try
{
    text = File.ReadAllText(fileName);
}
catch (Exception exc)
{
    logger.Log(exc);
}

Vulnerable :

try {
  //rs = stmt.executeQuery(query);
}
catch(SQLException e) {
  log(e);
}

Non Vulnerable :

try {
  rs = stmt.executeQuery(query);
}
catch(SQLException e) {
  log(e);
}

Vulnerable :

try {
    //foo(); // Non Compliant
} catch (SomeCustomException $e) {
}

Non Vulnerable :

try {
    foo(); // Compliant
} catch (SomeCustomException $e) {
}
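A small check that flags the pattern shown in the samples above in brace-delimited languages (C#, Java, PHP): a try block whose body is empty once comments and whitespace are stripped. This is an added example written for this page, not a tool from the original source; the source text it scans is constructed, and comment markers inside string literals are not special-cased.

```python
import re

# Constructed sample (not from the page): the first and third try blocks hold
# only comments and should be flagged; the second does real work.
SAMPLE_SOURCE = """\
string text = "";
try
{
    //text = File.ReadAllText(fileName);
}
catch (Exception exc) { logger.Log(exc); }
try {
    rs = stmt.executeQuery(query);
} catch (SQLException e) { log(e); }
try {
    /* foo(); */
} catch (SomeCustomException $e) {
}
"""

_COMMENT_RE = re.compile(r"//[^\n]*|/\*.*?\*/", re.S)
_TRY_RE = re.compile(r"\btry\b\s*\{")

def _blank_comments(src: str) -> str:
    # Overwrite // and /* */ comments with spaces, keeping newlines so line numbers stay valid.
    return _COMMENT_RE.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), src)

def _matching_brace(src: str, open_idx: int) -> int:
    # Index of the '}' closing the '{' at open_idx, or -1 if the braces are unbalanced.
    depth = 0
    for i in range(open_idx, len(src)):
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        if depth == 0:
            return i
    return -1

def find_empty_try_blocks(src: str) -> list[int]:
    # 1-based line numbers of `try` keywords whose block is empty after stripping comments/whitespace.
    cleaned = _blank_comments(src)
    hits = []
    for m in _TRY_RE.finditer(cleaned):
        open_idx = m.end() - 1
        close_idx = _matching_brace(cleaned, open_idx)
        if close_idx != -1 and not cleaned[open_idx + 1:close_idx].strip():
            hits.append(cleaned.count("\n", 0, m.start()) + 1)
    return hits

if __name__ == "__main__":
    for line in find_empty_try_blocks(SAMPLE_SOURCE):
        print(f"line {line}: empty try block")  # prints lines 2 and 10 of the sample
```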
