Audit - Rules - Exception Usage
Description
This group contains audit rules that check for problems related to the use of exceptions within the code.
Rules:
Summary
Do not use instanceof to determine an exception's type in a catch block. Such a check can miss unexpected exception types.
Description
This audit rule looks for catch blocks where the instanceof operator is used to check the exception's type. Subclasses of the caught exception can be handled separately by including a separate catch block for them before the superclass's catch block.
Security Implications
An uncaught exception is handled by the default exception handling mechanism, which usually results in the exposure of a stack trace. This provides an attacker with information about the technology stack of the system, which could later be used to plan an attack.
Example
The following code will be flagged as a violation because the instanceof operator is used to check an exception's type:
} catch (IOException e) {
    // Flagged: the exception's type is tested inside the catch block
    if (e instanceof EOFException) {
        ...
    }
    ...
}
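The following is an added, compilable example that is not part of the audit rule's documentation. It places the flagged pattern next to the form the rule prefers: one catch block per exception type, with subclasses listed before their superclass. The read method and its string-driven failure cases are constructed for the example only.

```java
import java.io.EOFException;
import java.io.IOException;
import java.net.SocketTimeoutException;

// Added example: the same handler written in the flagged form and in the
// preferred form with separate catch blocks (subclass before superclass).
public class ExceptionTypeCheck {

    // Hypothetical reader that signals end-of-stream, a timeout, or a generic
    // I/O failure depending on its argument (constructed input for the demo).
    static void read(String what) throws IOException {
        switch (what) {
            case "eof":     throw new EOFException("end of stream");
            case "timeout": throw new SocketTimeoutException("read timed out");
            case "io":      throw new IOException("disk error");
            default:        break; // success
        }
    }

    // Flagged form: instanceof inside the catch block. Every IOException that
    // is not an EOFException shares one generic branch, and a forgotten branch
    // leaves the exception to the default handler and its stack trace.
    static String flagged(String what) {
        try {
            read(what);
            return "ok";
        } catch (IOException e) {
            if (e instanceof EOFException) {
                return "eof";
            }
            return "io: " + e.getMessage();
        }
    }

    // Preferred form: one catch block per type, most specific first. The
    // compiler rejects a superclass catch placed before a subclass catch,
    // so the dispatch order cannot silently become wrong.
    static String preferred(String what) {
        try {
            read(what);
            return "ok";
        } catch (EOFException e) {
            return "eof";
        } catch (SocketTimeoutException e) {
            return "timeout";
        } catch (IOException e) {
            return "io: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        for (String w : new String[] {"ok", "eof", "timeout", "io"}) {
            System.out.println(w + " -> flagged=" + flagged(w)
                    + ", preferred=" + preferred(w));
        }
    }
}
```

Running main shows that the "timeout" case is folded into the generic branch by the flagged handler, while the preferred handler routes it to its own block; adding a new subclass later means adding a catch block, which the compiler checks for ordering, rather than another instanceof test that is easy to omit.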