Using a throw statement inside a finally block breaks the logical progression through the try-catch-finally.
In Java, finally blocks are always executed after their corresponding try-catch blocks and are often used to free allocated resources, such as file handles or database cursors. Throwing an exception in a finally block can bypass critical cleanup code, since any statements in the finally block after the throw are never reached. It also discards whatever exception was already propagating out of the try or catch block: the caller sees only the exception thrown from finally, and the original error is lost.
Example 1: In the following code, if badFile.txt does not exist, the FileNotFoundException from the FileInputStream constructor is caught and logged, fis remains null, and the finally block throws a new FileNotFoundException before the call to stmt.close() is reached. The Statement is never closed.
public void processTransaction(Connection conn) throws FileNotFoundException
{
    FileInputStream fis = null;
    Statement stmt = null;
    try
    {
        stmt = conn.createStatement();
        fis = new FileInputStream("badFile.txt"); // may throw FileNotFoundException
        ...
    }
    catch (FileNotFoundException fe)
    {
        log("File not found."); // swallowed here; fis is still null
    }
    catch (SQLException se)
    {
        //handle error
    }
    finally
    {
        if (fis == null)
        {
            // Throwing here leaves the finally block immediately:
            // the stmt.close() below is skipped and the Statement leaks.
            throw new FileNotFoundException();
        }
        if (stmt != null)
        {
            try
            {
                stmt.close();
            }
            catch (SQLException e)
            {
                log(e);
            }
        }
    }
}
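The following is an added example, not code from the original page, showing how the same method can be written so that cleanup always runs and no exception is ever thrown from finally. The class name FinallyCleanupExample and the log helper are assumptions introduced here; processTransaction uses try-with-resources (Java 7 or later), processTransactionLegacy shows the pre-Java-7 shape with a cleanup-only finally block, and maskingDemo shows why a throw in finally is worse than a skipped close: it replaces the exception that was already in flight.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.sql.Connection;
import java.sql.SQLException;
import java.sql.Statement;

// Hypothetical class name; added example, not part of the original page.
public class FinallyCleanupExample {

    // Fixed version of processTransaction (Java 7+): try-with-resources
    // closes both resources on every exit path, in reverse order of
    // acquisition, before any catch block runs. There is no finally block,
    // so nothing can be thrown from one. A missing file surfaces to the
    // caller as FileNotFoundException (a subclass of IOException), and the
    // Statement is still closed.
    public static void processTransaction(Connection conn)
            throws IOException, SQLException {
        try (Statement stmt = conn.createStatement();
             FileInputStream fis = new FileInputStream("badFile.txt")) {
            // ... real work with stmt and fis ...
        } catch (SQLException se) {
            log(se);   // both resources are already closed at this point
            throw se;  // let the caller decide; do not swallow the error
        }
    }

    // Pre-Java-7 shape: the finally block only releases resources. The
    // "file is missing" condition is reported by the FileInputStream
    // constructor itself, so there is no reason to re-throw it from finally.
    public static void processTransactionLegacy(Connection conn)
            throws IOException, SQLException {
        Statement stmt = null;
        FileInputStream fis = null;
        try {
            stmt = conn.createStatement();
            fis = new FileInputStream("badFile.txt"); // throws FileNotFoundException
            // ... real work with stmt and fis ...
        } finally {
            // Cleanup only. Failures of close() are logged, not thrown, so
            // they cannot replace an exception that is already propagating.
            if (fis != null) {
                try { fis.close(); } catch (IOException e) { log(e); }
            }
            if (stmt != null) {
                try { stmt.close(); } catch (SQLException e) { log(e); }
            }
        }
    }

    // A throw in finally replaces the exception already propagating out of
    // the try block. The caller never sees "original".
    public static String maskingDemo() {
        try {
            try {
                throw new IllegalStateException("original");
            } finally {
                throw new RuntimeException("from finally");
            }
        } catch (RuntimeException e) {
            return e.getMessage(); // "from finally"
        }
    }

    // Hypothetical stand-in for the page's log() helper.
    private static void log(Exception e) {
        System.err.println("cleanup failed: " + e);
    }

    public static void main(String[] args) {
        // Runs offline; the JDBC-backed methods need a real Connection.
        System.out.println("caller sees: " + maskingDemo());
    }
}
```

Running main prints "caller sees: from finally", which is the behaviour a static analyser is flagging with this category: an exception raised in finally does not just skip the remaining cleanup statements, it also hides the error that made the cleanup necessary.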
[1] Standards Mapping - OWASP Top 10 2007 - (OWASP 2007) A6 Information Leakage and Improper Error Handling
[2] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A7 Improper Error Handling
[3] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP3120 CAT II
[4] Standards Mapping - FIPS200 - (FISMA) AU
[5] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 398
[6] Sun Microsystems, Inc. Java Sun Tutorial
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 - (PCI 1.2) Requirement 6.3.1.2, Requirement 6.5.6
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 - (PCI 2.0) Requirement 6.5.5
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 6.5.7