
Insecure exceptions - Empty or no catch

Need

Proper exception handling and error management

Context

  • Usage of TypeScript for adding static typing to JavaScript
  • Usage of Express for building web applications and handling HTTP requests

Description

Non compliant code

import express from 'express';

const app = express();

app.get('/', (req, res) => {
  try {
    // Code that may throw an exception
    throw new Error('Something went wrong');
  } catch {
    // Empty catch statement: the error is silently discarded
  }

  // Executes even though the operation above failed
  res.send('Hello World');
});

app.listen(3000, () => {
  console.log('Server is running on port 3000');
});

The vulnerability in this code is related to insecure exception handling. In the code, there is a try-catch block that attempts to handle any exceptions that may occur within the block of code inside the try block. However, the catch block is empty, meaning that it does not contain any code to handle or log the exception.

This can lead to several issues. Firstly, if an exception occurs within the try block, it will not be properly handled, and the catch block will simply ignore it. This can result in the application crashing or behaving unexpectedly, as the error is not being handled.

Secondly, without proper exception handling, the application loses traceability of the errors that occur. This makes it difficult to debug and identify the cause of any error.

To address this vulnerability, it is recommended to define a proper catch block that handles the exception accordingly. This could involve logging the error, displaying an appropriate error message to the user, or taking any necessary actions to handle the exception gracefully.

Steps

  • Remove the empty catch statement
  • Add a catch block to handle the exception
  • Log or handle the error appropriately within the catch block

Compliant code

import express from 'express';

const app = express();

app.get('/', (req, res) => {
  try {
    // Code that may throw an exception
    throw new Error('Something went wrong');
  } catch (error) {
    console.error(error); // Log the error
    res.status(500).send('Internal Server Error'); // Send an appropriate error response
    return; // Stop here: the response is already sent, so the success path must not run
  }

  res.send('Hello World');
});

app.listen(3000, () => {
  console.log('Server is running on port 3000');
});

The fixed code addresses the vulnerability by implementing proper exception handling using try-catch blocks.

In the code, the express module is imported and an instance of the express application is created. The application defines a route for the root URL ("/") using the app.get() method.

Inside the route handler function, a try block is used to wrap the code that may potentially throw an exception. In this case, an error is intentionally thrown using the throw keyword with a custom error message.

Immediately after the try block, a catch block is defined to handle any exceptions that may occur within the try block. The catch block takes the error parameter, which represents the caught exception. In this example, the catch block logs the error to the console using console.error(), sends an appropriate error response to the client using res.status().send(), and returns so that the handler does not attempt a second response after the error response has been sent.

By handling the exception in the catch block, the code prevents the application from crashing and provides a meaningful error response to the client. Additionally, the catch block allows for logging and traceability of the errors that occur.

Finally, the application listens on port 3000 using the app.listen() method, and a message is logged to the console indicating that the server is running.

Overall, the fixed code demonstrates proper exception handling by encapsulating potentially error-prone code within a try block and providing a catch block to handle any exceptions that may occur.
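As an added example (not code from the original page), the same idea applied once for all routes: a central error handler in the four-argument shape express uses for error middleware, which logs full detail server-side under a correlation id and returns only a generic message to the client. To run offline it assumes minimal structural Req/Res types standing in for express's, and a dispatch function that mimics how express routes a synchronous throw to the error middleware.

```typescript
// Minimal structural stand-ins for express's Request/Response (assumed shapes)
// so the example runs without express installed; the real types satisfy them.
export interface Req { method: string; path: string }
export interface Res {
  statusCode: number;
  headersSent: boolean;
  body?: string;
  status(code: number): Res;
  send(body: string): Res;
}
type Next = (err?: unknown) => void;
export type Handler = (req: Req, res: Res, next: Next) => void;
export type ErrorHandler = (err: unknown, req: Req, res: Res, next: Next) => void;
export const serverLog: string[] = []; // stands in for console.error / a log sink
let seq = 0;
const newRequestId = (): string => `req-${++seq}`; // constructed correlation id
// Central error handler: full detail goes to the server log under a correlation id;
// the client gets only a generic message plus that id, so no internal detail leaks.
export const errorHandler: ErrorHandler = (err, req, res, next) => {
  if (res.headersSent) { next(err); return; } // response already started: cannot change it
  const id = newRequestId();
  const detail = err instanceof Error ? (err.stack ?? err.message) : String(err);
  serverLog.push(`[${id}] ${req.method} ${req.path}: ${detail}`);
  res.status(500).send(`Internal Server Error (request id ${id})`);
};
// Route handler written so a failure propagates instead of being swallowed.
export const rootHandler: Handler = (req, res) => {
  if (req.path === '/boom') throw new Error('Something went wrong'); // constructed failure
  res.status(200).send('Hello World');
};
// Mimics how express drives a synchronous handler: a throw is routed to the
// error middleware, and the fake Res rejects a second send like Node does.
export function dispatch(handler: Handler, req: Req): Res {
  const res: Res = {
    statusCode: 200, headersSent: false,
    status(code) { this.statusCode = code; return this; },
    send(body) {
      if (this.headersSent) throw new Error('ERR_HTTP_HEADERS_SENT');
      this.body = body; this.headersSent = true; return this;
    },
  };
  const next: Next = (err) => { if (err !== undefined) throw err; };
  try { handler(req, res, next); } catch (err) { errorHandler(err, req, res, next); }
  return res;
}
```

With real express the equivalent is `app.use(errorHandler)` registered after all routes; handlers that throw then reach it without any per-route try/catch.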
