CRITICAL
Rule Definition
An empty "error/fail" block defeats the purpose of http error management.
When an exception occurs, nothing happens and the program fails for an unknown reason. The application can be in an unknown state that will affect subsequent processing.
Since the reason for the issue (the exception type and potential embedded message) are ignored, it will require more time to fix the issue.
Remediation
The error must be handled correctly.
Violation Code Sample
$.ajax({
type: 'POST',
url: '_auth/login',
success: function(res, status, xhr) { window.location.reload(); },
error: function(xhr, status, err) {
// EMPTY so there is a VIOLATION
},
complete: function(xhr, status, err) {
}
});
-------------------------------------------
$.ajax({
type: 'POST',
url: '_auth/login'
})
.done(successHandler)
.fail(function() {
// EMPTY so there is a VIOLATION
})
.always();
Fixed Code Sample
$.ajax({
type: 'POST',
url: '_auth/login',
success: function(res, status, xhr) { window.location.reload(); },
error: function(xhr, status, err) {
alert("An error occured: "+data); // Error has been presented to the user, NO VIOLATION
},
complete: function(xhr, status, err) {
}
});
-------------------------------------------
$.ajax({
type: 'POST',
url: '_auth/login'
})
.done(successHandler)
.fail(function() {
alert("An error occured: "+data); // Error has been presented to the user, NO VIOLATION
})
.always();
Reference
OMG CISQ
http://cwe.mitre.org/data/definitions/391.html
Related Technologies
Technical Criterion
CWE-391 - Unchecked Error Condition
About CAST Appmarq
CAST Appmarq is by far the biggest repository of data about real IT systems. It's built on thousands of analyzed applications, made of 35 different technologies, by over 300 business organizations across major verticals. It provides IT Leaders with factual key analytics to let them know if their applications are on track.