JD.FINRET

JD.FINRET is found when a return statement occurs in a finally block.

Vulnerability and risk

A return statement inside a finally block discards any exception thrown in the try block (the exception is silently lost rather than propagated to the caller) and replaces any value the method originally intended to return with the value returned from the finally block.

Mitigation and prevention

A finally block should contain only finalization (cleanup) code. Any logic about return values or re-throwing exceptions should not be in a finally block.

Example 1

    int foo2(String name) {
        try {
            return Integer.parseInt(name);
        } catch (NumberFormatException e) {
            throw e;
        } finally {
            return -1;
        }
    }

JD.FINRET is reported on line 15: A 'return' in a finally block can cause exceptions to be ignored.
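The following is an added example, not code from the Klocwork documentation page. It places a method with the JD.FINRET pattern next to a corrected version whose finally block contains only cleanup, and drives both from main with one valid and one invalid input so the two effects described above (the overridden return value and the swallowed exception) can be observed. The class and method names are assumptions chosen for the example.

```java
// Added example (not from the Klocwork documentation page).
public class FinallyReturnDemo {

    // Flawed (JD.FINRET): the return in finally discards the
    // NumberFormatException re-thrown from the catch block and also
    // overrides the value returned from the try block, so every call
    // yields -1 regardless of input.
    static int parseWithFinallyReturn(String name) {
        try {
            return Integer.parseInt(name);
        } catch (NumberFormatException e) {
            throw e;      // never reaches the caller: finally returns first
        } finally {
            return -1;    // replaces the parsed value and swallows the exception
        }
    }

    // Corrected: finally holds only cleanup; the result and the re-throw
    // stay in the try and catch blocks and reach the caller as intended.
    static int parseWithCleanup(String name) {
        try {
            return Integer.parseInt(name);
        } catch (NumberFormatException e) {
            throw e;      // propagates to the caller
        } finally {
            // Cleanup only, e.g. releasing a resource; no return here.
            System.out.println("cleanup after parsing: " + name);
        }
    }

    public static void main(String[] args) {
        // Valid input: the flawed method still returns -1, the corrected
        // method returns the parsed value.
        System.out.println("flawed(\"42\")    = " + parseWithFinallyReturn("42"));
        System.out.println("corrected(\"42\") = " + parseWithCleanup("42"));

        // Invalid input: the flawed method returns -1 without any exception,
        // so the caller cannot tell a parse failure from a normal result.
        System.out.println("flawed(\"abc\")   = " + parseWithFinallyReturn("abc"));

        // The corrected method propagates the NumberFormatException.
        try {
            parseWithCleanup("abc");
        } catch (NumberFormatException e) {
            System.out.println("corrected(\"abc\") threw: " + e.getMessage());
        }
    }
}
```

Compiling with javac -Xlint reports "finally clause cannot complete normally" for the flawed method, which is the same condition JD.FINRET flags; the corrected method produces no such warning.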

Security training

Application security training materials provided by Secure Code Warrior.