Insecure exceptions
The source code uses generic exceptions to handle unexpected errors. Catching generic exceptions obscures the problem that caused the error and encourages handling unrelated categories or sources of error in the same way. Security vulnerabilities can materialize as a result, because special flows that need their own handling go unnoticed.

Using a "catch" statement to catch a high-level class such as "Exception" can hide exceptions that deserve special treatment or that should not be handled at that point in the program. It negates the purpose of typified exceptions (e.g., "ValueError", "ConnectionError" and "NullPointerException"), and it can be particularly dangerous if the program grows and starts throwing new types of exceptions, as the new types will not receive any attention when caught by the "catch" statement.
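The following added example (not code from the page's own source) shows the problem in Python: a generic `except Exception` around an access check absorbs an `AuthorizationError` together with the parse error it was written for, so the "fall back to defaults" branch runs for an unauthorized caller. The typified handler below it catches only `ValueError` and lets the authorization failure propagate. `AuthorizationError`, `check_access` and `DEFAULT_PORTS` are constructed for this illustration.

```python
import json

# Constructed for this example: the ports used when the configuration is unreadable.
DEFAULT_PORTS = {22, 443}


class AuthorizationError(Exception):
    """Raised when the caller presents no valid credential (constructed for this example)."""


def load_allowed_ports(raw_config: str) -> set:
    """Parse a JSON list of ports; raises ValueError (or its subclass JSONDecodeError) on bad input."""
    ports = json.loads(raw_config)
    if not isinstance(ports, list) or not all(isinstance(p, int) and 0 < p < 65536 for p in ports):
        raise ValueError("expected a JSON list of ports in 1..65535")
    return set(ports)


def check_access(raw_config: str, port: int, authorized: bool) -> bool:
    """Access decision; raises AuthorizationError when the caller is not authorized."""
    if not authorized:
        raise AuthorizationError("caller is not authorized")
    return port in load_allowed_ports(raw_config)


def is_allowed_generic(raw_config: str, port: int, authorized: bool) -> bool:
    """The pattern the text warns against: every failure lands in the same fallback branch."""
    try:
        return check_access(raw_config, port, authorized)
    except Exception:
        # Written for "the config file is malformed", but it also swallows
        # AuthorizationError, so an unauthorized caller gets the default ports.
        return port in DEFAULT_PORTS


def is_allowed_typified(raw_config: str, port: int, authorized: bool) -> bool:
    """Typified handling: only the anticipated parse error is handled here."""
    try:
        return check_access(raw_config, port, authorized)
    except ValueError:
        # Malformed configuration is the one case this fallback was designed for.
        return port in DEFAULT_PORTS
    # AuthorizationError is not caught: it propagates to the layer that turns it into a denial.
```

With the generic handler, `is_allowed_generic("[443]", 22, authorized=False)` returns `True`; the typified version raises `AuthorizationError` for the same call.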