• Home
• org.sonarsource.java
• java-checks
• 3.7
• source code
• S1989.html

×

Project download

Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance.
Project price only 1 $

You can buy this project and download/modify it how often you want.

org.sonar.l10n.java.rules.squid.S1989.html Maven / Gradle / Ivy

  Even though the signatures for methods in a servlet include throws IOException, ServletException,
  it's a bad idea to let such exceptions be thrown.
  Failure to catch exceptions in a servlet could leave a system in a vulnerable state,
  possibly resulting in denial-of-service attacks, or the exposure of sensitive information because when
  a servlet throws an exception, the servlet container typically sends debugging information back to the user.
  And that information which could be very valuable to an attacker.


  This rule checks all exceptions in methods named "do*" are explicitly handled in servlet classes.


Noncompliant Code Example
public void doGet(HttpServletRequest request, HttpServletResponse response)
  throws IOException, ServletException {
  String ip = request.getRemoteAddr();
  InetAddress addr = InetAddress.getByName(ip); // Noncompliant; getByName(String) throws UnknownHostException
  //...
}


Compliant Solution
public void doGet(HttpServletRequest request, HttpServletResponse response)
  throws IOException, ServletException {
  try {
    String ip = request.getRemoteAddr();
    InetAddress addr = InetAddress.getByName(ip);
    //...
  }
  catch (UnknownHostException uhex) {
    //...
  }
}


See

  
MITRE, CWE-600 - Uncaught Exception in Servlet
  
CERT, ERR01-J - Do not allow exceptions to expose sensitive information
  
OWASP Top Ten Category A6 - Sensitive Data Exposure