
fix(weaver): improper exception handling #2767

Closed
jagpreetsinghsasan opened this issue Oct 11, 2023 · 4 comments · Fixed by #2803 or #3324
Labels
good-first-issue Good for newcomers good-first-issue-200-intermediate Hacktoberfest Hacktoberfest participants are welcome to take a stab at issues marked with this label. Security Related to existing or potential security vulnerabilities Weaver Tasks related to the future of Cactus & Weaver together.

Comments

@jagpreetsinghsasan
Contributor

Description

Static source code assessment has picked up a potential vulnerability regarding improper exception handling. The possible remediation for the same is to have it enclosed within a try-catch block and handle the exceptions accordingly.

The report from which the above information was summarized

Risk Rating: Low
Category: Security Misconfiguration

Description

The application performs some operation, such as database or file access, that could throw an exception. Since the application is not designed to properly handle the exception, the application could crash.

Impact

An attacker could maliciously cause an exception that could crash the application, potentially resulting in a denial of service (DoS) or unexpected behavior under certain erroneous conditions. Exceptions may also occur without any malicious intervention, resulting in general instability.

Remediation Recommendation

Any method that could cause an exception should be wrapped in a try-catch block that:
• Explicitly handles expected exceptions.
• Includes a default solution to explicitly handle unexpected exceptions.

Affected files (path - line number)

weaver/sdks/corda/src/main/kotlin/org/hyperledger/cacti/weaver/sdk/corda/CredentialsExtractor.java - 294,295

Snapshot of the source code at the time of scan


Source: APP PE Hyperledger Cacti v2.0.0 - Static Application Assessment Report.odt

cc: @takeutak @izuru0 @outSH @petermetz

@jagpreetsinghsasan jagpreetsinghsasan added good-first-issue Good for newcomers Security Related to existing or potential security vulnerabilities Hacktoberfest Hacktoberfest participants are welcome to take a stab at issues marked with this label. good-first-issue-200-intermediate Weaver Tasks related to the future of Cactus & Weaver together. labels Oct 11, 2023
@Yogesh01000100
Contributor

Hey @jagpreetsinghsasan, in the exception block, should we primarily focus on logging the exception for debugging, or are there specific actions that need to be taken when an exception occurs?

@petermetz
Contributor

@Yogesh01000100 I would focus on logging+re-throw.

  1. E.g., if something goes wrong here, I'd say it's best to crash
  2. But crash with information about what was being done so that it will be easier for people looking at the crash logs afterwards to figure out how to fix it.
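The log-and-rethrow pattern described above, and the report's two requirements (handle expected exceptions explicitly, keep a default branch for unexpected ones), as an added illustration that is not the project's `CredentialsExtractor` code and not part of this thread. The `ConfigLoader` class, the `getConfig` method and the `ConfigLoadException` type are hypothetical names chosen for the example; it uses only `java.nio.file` and `java.util.logging` and assumes Java 11 or later.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.NoSuchFileException;
import java.nio.file.Path;
import java.util.logging.Level;
import java.util.logging.Logger;

// Hypothetical stand-in for a credentials/config reader; not the project's own class.
public final class ConfigLoader {
    private static final Logger LOG = Logger.getLogger(ConfigLoader.class.getName());

    /** Carries context (what was being done, which path) but never the file contents. */
    public static final class ConfigLoadException extends RuntimeException {
        public ConfigLoadException(String message) { super(message); }
        public ConfigLoadException(String message, Throwable cause) { super(message, cause); }
    }

    private ConfigLoader() {}

    /**
     * Reads a configuration file and returns its contents.
     * Expected failures (missing or unreadable file) are handled in their own branches;
     * anything else hits the default branch. Every branch logs what was being attempted
     * and then re-throws, so the process fails loudly with a useful crash log instead of
     * continuing in a half-initialised state.
     */
    public static String getConfig(Path configPath) {
        try {
            String contents = Files.readString(configPath, StandardCharsets.UTF_8);
            if (contents.isBlank()) {
                throw new ConfigLoadException("Config file is empty: " + configPath);
            }
            return contents;
        } catch (NoSuchFileException e) {
            // Expected: operator pointed at the wrong path. Subclass of IOException, so it goes first.
            LOG.log(Level.SEVERE, "Config file not found while loading config: " + configPath, e);
            throw new ConfigLoadException("Config file not found: " + configPath, e);
        } catch (IOException e) {
            // Expected: permissions, encoding, or a read error mid-way.
            LOG.log(Level.SEVERE, "I/O error while reading config file: " + configPath, e);
            throw new ConfigLoadException("Could not read config file: " + configPath, e);
        } catch (ConfigLoadException e) {
            // Already carries context from the try body; do not wrap it a second time.
            throw e;
        } catch (RuntimeException e) {
            // Default branch for unexpected failures: keep the original cause, add context, re-throw.
            LOG.log(Level.SEVERE, "Unexpected error while loading config from " + configPath, e);
            throw new ConfigLoadException("Unexpected error loading config: " + configPath, e);
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample input: a throwaway properties file.
        Path tmp = Files.createTempFile("config-demo", ".properties");
        Files.writeString(tmp, "node.name=demo\n");
        System.out.println("Loaded: " + getConfig(tmp).trim());
        try {
            getConfig(tmp.resolveSibling("does-not-exist.properties"));
        } catch (ConfigLoadException e) {
            System.out.println("Caught: " + e.getMessage()
                    + " (cause: " + e.getCause().getClass().getSimpleName() + ")");
        }
        Files.deleteIfExists(tmp);
    }
}
```

Two details matter for a file that holds credentials: the log lines and the exception messages name the operation and the path but never echo the file contents, and the original exception is kept as the `cause` so the stack trace still shows where the read actually failed. Catching `Exception` or `Throwable` without re-throwing would satisfy a static scanner but would turn the crash the report warns about into silent misbehaviour, which is worse.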

@Yogesh01000100
Contributor

May I be assigned this issue, now that I have a better understanding of the task?

@petermetz
Contributor

@Yogesh01000100 All yours!

petermetz pushed a commit that referenced this issue Jan 24, 2024
Address improper exception handling by wrapping expected exceptions in a
try-catch block and managing them explicitly.

Changes:

- Code is now enclosed within a try-catch to capture exceptions.
- Logs include contextual information for clarity.
- Exceptions re-thrown in getConfig() as part of propagation.

fixes #2767

Signed-off-by: D.Yogesh <yogeshone678@gmail.com>