fineract-dev mailing list archives

From "Thisura (JIRA)" <j...@apache.org>
Subject [jira] [Created] (FINERACT-437) Fix security vulnerabilities of using generic exceptions and catching throwable and errors
Date Sun, 23 Apr 2017 12:21:04 GMT
Thisura created FINERACT-437:
--------------------------------

             Summary: Fix security vulnerabilities of using generic exceptions and catching throwable and errors
                 Key: FINERACT-437
                 URL: https://issues.apache.org/jira/browse/FINERACT-437
             Project: Apache Fineract
          Issue Type: Bug
          Components: Accounting, Organization
            Reporter: Thisura
            Assignee: Markus Geiss
            Priority: Minor


There are two types of vulnerabilities related to exceptions reported by sonar

1. Generic exceptions should never be thrown
[MITRE, CWE-397|http://cwe.mitre.org/data/definitions/397.html] - Declaration of Throws for
Generic Exception

2. Throwable and Error should not be caught
[MITRE, CWE-396|http://cwe.mitre.org/data/definitions/396.html] - Declaration of Catch for
Generic Exception
[CERT, ERR07-J|https://www.securecoding.cert.org/confluence/x/BoB3AQ] - Do not throw RuntimeException,
Exception, or Throwable

The rationale behind these vulnerabilities is explained in the above links. The proposed solutions
are as follows.

1. Generic exceptions should never be thrown =>  Define and throw a dedicated exception
instead of using a generic one.

2. Throwable and Error should not be caught => Catch Exception instead of Throwable. 




--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
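The two proposed fixes, shown side by side in Java as an added illustration. This is editor-written example code, not code from Apache Fineract or from the ticket; the balance lookup, the account ids and the `AccountNotFoundException` type are constructed for the example.

```java
import java.util.Map;

// Editor-written example for FINERACT-437; not Fineract code.
// The "repository" below is a constructed in-memory map standing in for persistence.
public class ExceptionHandlingExample {

    /** Dedicated exception, as rule 1 (CWE-397) proposes instead of throwing Exception. */
    public static class AccountNotFoundException extends Exception {
        private final long accountId;

        public AccountNotFoundException(long accountId) {
            super("No account with id " + accountId);
            this.accountId = accountId;
        }

        public long getAccountId() {
            return accountId;
        }
    }

    // Constructed sample data: account id -> balance in cents.
    private static final Map<Long, Long> BALANCES_IN_CENTS = Map.of(1L, 10_000L, 2L, 250L);

    /** BEFORE: declares the generic Exception, so a caller cannot tell what failed (CWE-397). */
    public static long balanceBefore(long accountId) throws Exception {
        Long balance = BALANCES_IN_CENTS.get(accountId);
        if (balance == null) {
            throw new Exception("lookup failed");
        }
        return balance;
    }

    /** AFTER: declares a dedicated checked exception that carries the failing key. */
    public static long balanceAfter(long accountId) throws AccountNotFoundException {
        Long balance = BALANCES_IN_CENTS.get(accountId);
        if (balance == null) {
            throw new AccountNotFoundException(accountId);
        }
        return balance;
    }

    /**
     * BEFORE: catching Throwable also swallows Error subclasses such as
     * OutOfMemoryError or StackOverflowError, which signal a JVM state the
     * application cannot sensibly recover from (CWE-396).
     */
    public static String reportBefore(long accountId) {
        try {
            return "balance=" + balanceBefore(accountId);
        } catch (Throwable t) {
            return "unavailable";
        }
    }

    /**
     * AFTER: catch only what the callee declares. Errors propagate unchanged.
     * Where a callee declares several exceptions, "catch (Exception e)" as the
     * ticket proposes still excludes every Error subclass.
     */
    public static String reportAfter(long accountId) {
        try {
            return "balance=" + balanceAfter(accountId);
        } catch (AccountNotFoundException e) {
            return "unknown account " + e.getAccountId();
        }
    }

    public static void main(String[] args) {
        System.out.println(reportBefore(1L));
        System.out.println(reportBefore(3L));
        System.out.println(reportAfter(1L));
        System.out.println(reportAfter(3L));
    }
}
```

The difference the Sonar rules care about is visible in the two `report` methods: the BEFORE version returns "unavailable" for a missing account and for an out-of-memory condition alike, so the caller and the logs cannot distinguish a data problem from a failing JVM, while the AFTER version reports the missing account id and lets any Error reach the top-level handler.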
