JD.UNCAUGHT

JD.UNCAUGHT is a powerful customizable checker that checks for methods listed in parameters, that do not catch all exceptions thrown inside their bodies transitively. A list of the checked exceptions is also a parameter. JD.UNCAUGHT reports a list of exceptions that, theoretically, can be thrown by a method body, which probably requires a safety net - top most catch block that catches all exceptions. By default, the list of methods includes servlet entry points: doGet and doPost, Thread.run() and main() method.

Vulnerability and risk

Unprocessed exceptions not caught by servlet entry methods can lead to system information leaks (like stacktrace) and to XSS errors. However, the framework supports special methods that have to be defined to process exceptions. If a special method is implemented, however; this error should be ignored. For the Thread.run() method, uncaught exceptions can cause unexpected thread termination and possible deadlocks. For the main() method, uncaught exceptions can cause the JVM to halt.

Mitigation and prevention

Wrap the method body in a try block that catches all exceptions, and create a meaningful procedure that deals with exceptions. For servlets, report the stack trace to the server log, but not to the user!

Example 1

16     protected void doPost(HttpServletRequest req, //
17                           HttpServletResponse arg1) //
18             throws ServletException, IOException {
19         String ip = req.getRemoteAddr();
20         InetAddress addr = InetAddress.getByName(ip);
21         // ...
22         arg1.getOutputStream().println("Host name is " +
23                                        addr.getHostName());
24         foo();
25     }
26 
27     static class Ex1 extends RuntimeException { }
28 
29     private static void foo() throws Ex1 {
30         throw new Ex1();
31     }

JD.UNCAUGHT is reported for method 'doPost' declaration on line 16: Method 'doPost' does not catch exceptions 'com.klocwork.jdefects.checkers.ast.samples.JD_UNCAUGHT_Sample_1$Ex1'.

Security training

Application security training materials provided by Secure Code Warrior.