CWE-754 happens when "software does not check or improperly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the software." [1]
Take the following snippet of Java code as an example:
    private static final int ROLE_ADMIN = 0;
    private static final int ROLE_USER = 1;
    private static final int ROLE_GUEST = 2;

    public static final int getRole() {
        String s = lookupRoleInDatabase();
        int role = 0;
        try {
            role = Integer.valueOf(s);
        } catch (NumberFormatException e) {
            // this shouldn't happen
        }
        return role;
    }
In this case the developer does not expect a NumberFormatException to occur and simply swallows the exception. This has the nasty side effect of granting admin access, because the role variable has a default value of zero (i.e. ADMIN) and this default value is returned if a NumberFormatException is thrown.
Always check and handle exceptional conditions and always perform validation on inputs (even if they come from the database). Also, keep in mind that unusual or exceptional conditions aren't just related to exception handling. Ignoring return values can also lead to incorrect behavior [2].
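The following is an added example, not code from the original page: it puts the page's getRole() beside a fail-closed version. lookupRoleInDatabase() is a stand-in backed by a constructed map of sample values (well-formed roles, an empty string, non-numeric text, an out-of-range number and a missing user) so that both variants can be run side by side and the difference on each unusual input is visible.

```java
import java.util.Map;

// Added example: fail-closed role lookup. The FAKE_DB values are constructed
// for this demonstration; in real code lookupRoleInDatabase() would hit a database.
public class RoleLookup {
    private static final int ROLE_ADMIN = 0;
    private static final int ROLE_USER  = 1;
    private static final int ROLE_GUEST = 2;

    // Least-privilege default: anything unexpected resolves to GUEST, never ADMIN.
    private static final int ROLE_DEFAULT = ROLE_GUEST;

    // Constructed sample data standing in for the database.
    private static final Map<String, String> FAKE_DB = Map.of(
        "alice", "0",      // well-formed admin role
        "bob",   "1",      // well-formed user role
        "carol", "",       // empty string: Integer.valueOf throws NumberFormatException
        "dave",  "admin",  // non-numeric text: also NumberFormatException
        "erin",  "42");    // parses, but is not a known role id

    static String lookupRoleInDatabase(String user) {
        return FAKE_DB.get(user); // null for an unknown user
    }

    // The page's original pattern, kept only for comparison: the exception is
    // swallowed and the zero default (ADMIN) is returned.
    static int getRoleUnsafe(String user) {
        String s = lookupRoleInDatabase(user);
        int role = 0;
        try {
            role = Integer.valueOf(s); // null, "" and "admin" all throw here
        } catch (NumberFormatException e) {
            // this shouldn't happen
        }
        return role;
    }

    // Hardened version: treat a missing or malformed value as an exceptional
    // condition, log it, and validate the parsed id against the known roles.
    static int getRoleSafe(String user) {
        String s = lookupRoleInDatabase(user);
        if (s == null) {
            System.err.println("no role stored for " + user);
            return ROLE_DEFAULT;
        }
        int role;
        try {
            role = Integer.parseInt(s.trim());
        } catch (NumberFormatException e) {
            // Degrade to least privilege instead of silently continuing.
            System.err.println("malformed role for " + user + ": \"" + s + "\"");
            return ROLE_DEFAULT;
        }
        switch (role) {
            case ROLE_ADMIN:
            case ROLE_USER:
            case ROLE_GUEST:
                return role;
            default:
                System.err.println("unknown role id for " + user + ": " + role);
                return ROLE_DEFAULT;
        }
    }

    public static void main(String[] args) {
        for (String u : new String[] {"alice", "bob", "carol", "dave", "erin", "zed"}) {
            System.out.printf("%-6s unsafe=%d safe=%d%n", u, getRoleUnsafe(u), getRoleSafe(u));
        }
    }
}
```

Running the class shows that the unsafe variant hands "carol", "dave" and the unknown user "zed" the ADMIN role (0) and passes "erin" through as 42, while the safe variant returns GUEST for every input it cannot validate. Choosing GUEST as the default is the design decision that matters: if the application has no sensible fallback, the alternative is to throw a custom exception from getRoleSafe() so the caller is forced to handle the condition rather than inherit a silent default.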
[1] http://cwe.mitre.org/top25/#CWE-754
[2] See examples at http://cwe.mitre.org/data/definitions/754.html