ABSTRACT

Returning from inside a finally block will cause exceptions to be lost.

EXPLANATION

A return statement inside a finally block will cause any exception that might be thrown in the try block to be discarded.

Example 1: In the following code excerpt, the MagicException thrown by the second call to doMagic with true passed to it will never be delivered to the caller. The return statement inside the finally block will cause the exception to be discarded.


public class MagicTrick {

public static class MagicException extends Exception { }

public static void main(String[] args) {

System.out.println("Watch as this magical code makes an " +
"exception disappear before your very eyes!");

System.out.println("First, the kind of exception handling " +
"you're used to:");
try {
doMagic(false);
} catch (MagicException e) {
// An exception will be caught here
e.printStackTrace();
}

System.out.println("Now, the magic:");
try {
doMagic(true);
} catch (MagicException e) {
// No exception caught here, the finally block ate it
e.printStackTrace();
}
System.out.println("tada!");
}

public static void doMagic(boolean returnFromFinally)
throws MagicException {

try {
throw new MagicException();
}
finally {
if (returnFromFinally) {
return;
}
}
}

}

REFERENCES

[1] Standards Mapping - OWASP Top 10 2007 - (OWASP 2007) A6 Information Leakage and Improper Error Handling

[2] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A7 Improper Error Handling

[3] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP3120 CAT II

[4] Standards Mapping - FIPS200 - (FISMA) AU

[5] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 584

[6] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 - (PCI 1.2) Requirement 6.3.1.2, Requirement 6.5.6

[7] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 - (PCI 2.0) Requirement 6.5.5

[8] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 6.5.7