# Unchecked Error Condition (CWE-391)

The product does not properly check when a function or operation returns a value that is associated with an error condition.

**Stack:** JavaScript

- Prevalence: Medium (3 languages covered)
- Impact: High (1 high-severity rule)
- Prevention: Documented (3 fix examples)

**OWASP:** Insecure Design (A04:2021-Insecure Design) - #4

## Description

When an error condition is not checked, the application continues as if the operation had succeeded and carries on with an invalid or unexpected state. Depending on what that state guards, the outcome is a crash, corrupted data, or a security flaw (for example, a validation or cleanup step whose failure is silently ignored).

## Prevention

Prevention strategies for Unchecked Error Condition, based on 1 Shoulder detection rule.

### JavaScript

Always handle promise rejections with `.catch()` on promise chains or with `try`/`catch` in `async` functions.

## Warning Signs

- [HIGH] Promise at ... lacks rejection handler (.catch or try-catch)
- [HIGH] Promises that are created or called without proper rejection handlers

## Consequences

- DoS
- Execution of unauthorized code
- Modification of application data

## Mitigations

- Check all return values and error conditions
- Use exception handling where appropriate
- Implement appropriate error-recovery mechanisms

## Detection

- Total rules: 3
- Languages: go, javascript, typescript, python

## Rules by Language

### Javascript (1 rules)

- **Unhandled Promise Rejection** [HIGH]: Detects promises that are created or called without proper rejection handlers. Unhandled promise rejections can crash the application, expose sensitive error information, and leave the application in an inconsistent state. Since Node.js 15 an unhandled rejection terminates the process by default (`--unhandled-rejections=throw`), which makes this a reliability issue as well as a security one.
  - Remediation: Always handle promise rejections using one of these methods:
    1. Use `.catch()` for promise chains
    2. Use `try`/`catch` with `async`/`await`
    3. Add a global handler for unhandled rejections (as a fallback, not as a replacement for 1 and 2)

Example safe patterns:

```javascript
// ✅ SAFE - Using .catch() on a promise chain
fetch(url)
  .then(response => {
    // fetch() only rejects on network failure; HTTP 4xx/5xx must be checked explicitly
    if (!response.ok) throw new Error(`HTTP ${response.status}`);
    return response.json();
  })
  .then(data => processData(data))
  .catch(error => {
    logger.error('Fetch failed:', error);
    // Handle the error appropriately (fallback value, retry, user-facing message)
  });

// ✅ SAFE - Using async/await with try/catch
async function fetchData() {
  try {
    const response = await fetch(url);
    if (!response.ok) throw new Error(`HTTP ${response.status}`);
    const data = await response.json();
    return processData(data);
  } catch (error) {
    logger.error('Fetch failed:', error);
    throw error; // Re-throw so the caller decides, or handle it here
  }
}

// ✅ SAFE - Global handler (fallback only; the local handling above is still required)
process.on('unhandledRejection', (reason, promise) => {
  logger.error('Unhandled Rejection:', reason);
  // Optionally exit the process for safety: the state that led here is unknown,
  // so restarting is safer than continuing. Prefer a graceful shutdown over an
  // immediate exit when in-flight work must be flushed first.
  process.exit(1);
});
```

### Typescript (1 rules)

- **Unhandled Promise Rejection** [HIGH]: Detects promises that are created or called without proper rejection handlers. Unhandled promise rejections can crash the application, expose sensitive error information, and leave the application in an inconsistent state. Since Node.js 15 an unhandled rejection terminates the process by default (`--unhandled-rejections=throw`), which makes this a reliability issue as well as a security one.
  - Remediation: identical to the JavaScript rule above: `.catch()` on promise chains, `try`/`catch` with `async`/`await`, and a global `unhandledRejection` handler as a fallback. The safe patterns shown for JavaScript apply unchanged.
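The rule description above says an unhandled rejection leads to "inconsistent application state" but does not show what that looks like. The following is an added example, not code from the original page or from the Shoulder rule set. It puts a fire-and-forget promise without a handler next to the `try`/`catch`/`finally` form and drives both through the same requests: in the unhandled version a guard flag set before the async call is never cleared, so every later request is refused (a self-inflicted DoS), and only the global fallback handler notices. `fakeFetch`, the `STOCK` table and the two service factories are constructed stand-ins for this example; nothing touches the network.

```javascript
// Added example: state corruption from an unhandled promise rejection.
// fakeFetch, STOCK and the service factories are hypothetical stand-ins
// constructed for the demo; no network access is involved.

// Constructed backend: resolves for known items, rejects for anything else.
const STOCK = { widget: 5 };
function fakeFetch(item) {
  return new Promise((resolve, reject) => {
    setImmediate(() => {
      if (Object.prototype.hasOwnProperty.call(STOCK, item)) {
        resolve({ item, qty: STOCK[item] });
      } else {
        reject(new Error(`unknown item: ${item}`));
      }
    });
  });
}

// Global fallback handler (the third remediation pattern). It is a safety net
// for rejections that slipped past local handling, not a substitute for it.
// Here it only records what happened so the demo can continue; in production
// you would log and begin a graceful shutdown (process.exitCode = 1).
const unhandledLog = [];
process.on('unhandledRejection', (reason) => {
  unhandledLog.push(reason instanceof Error ? reason.message : String(reason));
});

// ❌ UNSAFE: the in-flight guard is set before the async call and cleared
// only on the success path. There is no .catch, so a rejection escapes and
// the guard stays set forever.
function makeUnsafeService() {
  const state = { inFlight: new Set(), reserved: [] };
  return {
    state,
    reserve(item) {
      if (state.inFlight.has(item)) return Promise.resolve('busy');
      state.inFlight.add(item);
      return fakeFetch(item).then((res) => {
        state.reserved.push(res.item);
        state.inFlight.delete(item);
        return 'reserved';
      }); // rejection path: unhandled, inFlight is never cleared
    },
  };
}

// ✅ SAFE: try/catch/finally. The rejection becomes a value the caller must
// check, the guard is cleared on every path, and the raw error is logged
// server-side instead of being handed back to the caller.
function makeSafeService() {
  const state = { inFlight: new Set(), reserved: [], errors: 0 };
  return {
    state,
    async reserve(item) {
      if (state.inFlight.has(item)) return 'busy';
      state.inFlight.add(item);
      try {
        const res = await fakeFetch(item);
        state.reserved.push(res.item);
        return 'reserved';
      } catch (err) {
        state.errors += 1;
        console.error('reserve failed:', err.message);
        return 'failed';
      } finally {
        state.inFlight.delete(item); // runs on success and failure alike
      }
    },
  };
}

// Drive both services through the same sequence and report what happened.
async function demo() {
  const unsafe = makeUnsafeService();
  const before = unhandledLog.length;
  unsafe.reserve('gadget'); // fire-and-forget: the pattern the rule flags
  await new Promise((r) => setTimeout(r, 20)); // let the rejection surface
  const unsafeStuck = unsafe.state.inFlight.has('gadget');
  const unsafeRetry = await unsafe.reserve('gadget');

  const safe = makeSafeService();
  const safeFirst = await safe.reserve('gadget');
  const safeOk = await safe.reserve('widget');
  const safeRetry = await safe.reserve('gadget');

  return {
    unsafeStuck, // true: the guard was never cleared
    unsafeRetry, // 'busy': every later request is refused
    unhandledCount: unhandledLog.length - before, // 1: seen only by the fallback
    safeFirst, // 'failed'
    safeOk, // 'reserved'
    safeRetry, // 'failed', not 'busy': the service recovered
    safeInFlight: safe.state.inFlight.size, // 0
    safeErrors: safe.state.errors, // 2
  };
}

const demoResult = demo();
demoResult.then((r) => console.log(JSON.stringify(r, null, 2)));
```

Run it with `node` and compare the two halves of the output: the unsafe service reports one rejection caught only by the global handler and a guard that stays set, while the safe service turns the same failure into a `'failed'` result and is ready for the next request. The `finally` clause is the part that matters for state: a `.catch()` that only logs would stop the crash but would still leave `inFlight` stuck, which is why cleanup belongs in `finally` rather than in the success branch.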