# Unchecked Error Condition (CWE-391)

The product does not properly check when a function or operation returns a value that is associated with an error condition.

- Prevalence: 보통 3개 언어 지원
- Impact: 높음 1개의 높은 심각도 규칙
- Prevention: 문서화됨 3개의 수정 예시

**OWASP:** Insecure Design (A04:2021-Insecure Design) - #4

## Description

When error conditions are not checked, the application may continue with invalid or unexpected state, potentially leading to crashes, data corruption, or security vulnerabilities.

## Prevention

3개의 Shoulder 탐지 규칙을 기반으로 한 Unchecked Error Condition 예방 전략.

### Go

Log or return errors instead of silently swallowing them

### JavaScript

Always handle promise rejections with .catch() or try/catch in async functions

### Python

Log exceptions or handle them explicitly instead of silently swallowing with pass

## Warning Signs

- [HIGH] Promise at ... lacks rejection handler (.catch or try-catch)
- [HIGH] promises that are created or called without proper rejection handlers
- [MEDIUM] empty except blocks that silently swallow exceptions

## Consequences

- DoS
- 승인되지 않은 코드 실행
- 애플리케이션 데이터 수정

## Mitigations

- 모든 반환값과 오류 조건을 확인하세요
- 필요한 곳에서는 예외 처리를 사용하세요
- 적절한 오류 복구 메커니즘을 구현하세요

## Detection

- Total rules: 3
- Languages: go, javascript, typescript, python

## Rules by Language

### Go (1 rules)

- **Empty Error Handling** [LOW]: Error check block is empty, silently swallowing errors.
  - Remediation: Log or return errors instead of ignoring them silently.

```go
if err != nil {
    log.Printf("operation failed: %v", err)
    return err
}
```

Learn more: https://shoulder.dev/learn/go/cwe-391/empty-error-handling

### Javascript (1 rules)

- **Unhandled Promise Rejection** [HIGH]: Detects promises that are created or called without proper rejection handlers.
Unhandled promise rejections can cause application crashes, expose sensitive error
information, and lead to inconsistent application state.

In Node.js, unhandled promise rejections will terminate the process in future versions,
making this a critical reliability and security issue.
  - Remediation: Always handle promise rejections using one of these methods:

1. Use .catch() for promise chains
2. Use try-catch with async/await
3. Add global handlers for unhandled rejections

Example safe patterns:
```javascript
// ✅ SAFE - Using .catch()
fetch(url)
  .then(response => response.json())
  .then(data => processData(data))
  .catch(error => {
    logger.error('Fetch failed:', error);
    // Handle error appropriately
  });

// ✅ SAFE - Using async/await with try-catch
async function fetchData() {
  try {
    const response = await fetch(url);
    const data = await response.json();
    return processData(data);
  } catch (error) {
    logger.error('Fetch failed:', error);
    throw error; // Re-throw or handle
  }
}

// ✅ SAFE - Global handler (fallback)
process.on('unhandledRejection', (reason, promise) => {
  logger.error('Unhandled Rejection:', reason);
  // Optionally exit process for safety
  process.exit(1);
});
```

### Typescript (1 rules)

- **Unhandled Promise Rejection** [HIGH]: Detects promises that are created or called without proper rejection handlers.
Unhandled promise rejections can cause application crashes, expose sensitive error
information, and lead to inconsistent application state.

In Node.js, unhandled promise rejections will terminate the process in future versions,
making this a critical reliability and security issue.
  - Remediation: Always handle promise rejections using one of these methods:

1. Use .catch() for promise chains
2. Use try-catch with async/await
3. Add global handlers for unhandled rejections

Example safe patterns:
```javascript
// ✅ SAFE - Using .catch()
fetch(url)
  .then(response => response.json())
  .then(data => processData(data))
  .catch(error => {
    logger.error('Fetch failed:', error);
    // Handle error appropriately
  });

// ✅ SAFE - Using async/await with try-catch
async function fetchData() {
  try {
    const response = await fetch(url);
    const data = await response.json();
    return processData(data);
  } catch (error) {
    logger.error('Fetch failed:', error);
    throw error; // Re-throw or handle
  }
}

// ✅ SAFE - Global handler (fallback)
process.on('unhandledRejection', (reason, promise) => {
  logger.error('Unhandled Rejection:', reason);
  // Optionally exit process for safety
  process.exit(1);
});
```

### Python (1 rules)

- **Empty Exception Handler** [MEDIUM]: Detects empty except blocks that silently swallow exceptions. This can hide
security-critical errors, authentication failures, or data validation issues.
  - Remediation: Log exceptions or handle them explicitly instead of using empty except blocks.

```python
import logging

logger = logging.getLogger(__name__)

try:
    risky_operation()
except Exception as e:
    logger.error(f"Operation failed: {e}", exc_info=True)
    return {'error': 'Operation failed'}, 500
```

Learn more: https://shoulder.dev/learn/python/cwe-391/empty-except