Audit - Rules - Exception Usage

Description
This group contains audit rules that check for problems related to the use of exceptions within the code.

Rules:

Details

Use of instanceof in Catch Block

Summary
Do not use instanceof to determine an exception's type in a catch block. Such a check can miss unexpected exceptions.

Description
This audit rule looks for catch blocks in which the instanceof operator is used to check the exception's type. Subclasses of the caught exception can instead be handled separately by adding a dedicated catch block for them before the superclass's catch block.

Security Implications
An uncaught exception is handled by the default exception handling mechanism, which usually results in the exposure of a stack trace. This gives an attacker information about the technology stack of the system, which could later be used to plan an attack.

Example
The following code will be flagged as a violation because the instanceof operator is used to check an exception's type:

    } catch (IOException e) {
        // Flagged: the subclass is detected with instanceof instead of its own catch block
        if (e instanceof EOFException) {
            ...
        }
        ...
    }
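The flagged pattern beside its compliant form, as an added example that is not part of the original page; the class ReadExample, its methods and the constructed byte arrays are assumptions for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.EOFException;
import java.io.IOException;

public class ReadExample {

    // Flagged form: one catch block that dispatches on instanceof.
    // Any IOException subclass not listed here falls through to the generic
    // branch, and if that branch is forgotten the exception is silently dropped.
    static String readFlagged(byte[] data) {
        try (DataInputStream in = new DataInputStream(new ByteArrayInputStream(data))) {
            return "value=" + in.readInt();
        } catch (IOException e) {
            if (e instanceof EOFException) {
                return "truncated input";
            }
            return "io error";
        }
    }

    // Compliant form: the subclass catch precedes the superclass catch.
    // The compiler enforces this order (a superclass catch placed first makes
    // the later subclass catch unreachable), and every IOException still
    // reaches a handler instead of the default handler that prints a stack trace.
    static String readCompliant(byte[] data) {
        try (DataInputStream in = new DataInputStream(new ByteArrayInputStream(data))) {
            return "value=" + in.readInt();
        } catch (EOFException e) {
            return "truncated input";
        } catch (IOException e) {
            return "io error";
        }
    }

    public static void main(String[] args) {
        byte[] complete = {0, 0, 0, 42};   // constructed: a full 4-byte int
        byte[] truncated = {0, 0};         // constructed: too short for readInt()
        System.out.println(readCompliant(complete));
        System.out.println(readCompliant(truncated));
        System.out.println(readFlagged(truncated));
    }
}
```

Both methods behave the same on these inputs; the difference is that the compliant form makes the handled subclass visible to the compiler and to the audit tool rather than hiding it inside a runtime type check.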