# Unchecked Error Condition (CWE-391)

The product does not properly check when a function or operation returns a value that is associated with an error condition.

- Prevalence: Medium 3 languages covered
- Impact: High 1 high-severity rules
- Prevention: Documented 3 fix examples

**OWASP:** Insecure Design (A04:2021-Insecure Design) - #4

## Description

When error conditions are not checked, the application may continue with invalid or unexpected state, potentially leading to crashes, data corruption, or security vulnerabilities.

## Prevention

Prevention strategies for Unchecked Error Condition based on 3 Shoulder detection rules.

### Go

Log or return errors instead of silently swallowing them

### Node.js

Always handle promise rejections with .catch() or try/catch in async functions

### Python

Log exceptions or handle them explicitly instead of silently swallowing with pass

## Warning Signs

- [HIGH] Promise at ... lacks rejection handler (.catch or try-catch)
- [HIGH] promises that are created or called without proper rejection handlers
- [MEDIUM] empty except blocks that silently swallow exceptions

## Consequences

- DoS
- Execute Unauthorized Code
- Modify Application Data

## Mitigations

- Check all return values and error conditions
- Use exception handling where appropriate
- Implement proper error recovery mechanisms

## Detection

- Total rules: 3
- Languages: go, javascript, typescript, python

## Rules by Language

### Go (1 rules)

- **Empty Error Handling** [LOW]: Error check block is empty, silently swallowing errors.
  - Remediation: Log or return errors instead of ignoring them silently.

```go
if err != nil {
    log.Printf("operation failed: %v", err)
    return err
}
```

Learn more: https://shoulder.dev/learn/go/cwe-391/empty-error-handling

### Javascript (1 rules)

- **Unhandled Promise Rejection** [HIGH]: Detects promises that are created or called without proper rejection handlers.
Unhandled promise rejections can cause application crashes, expose sensitive error
information, and lead to inconsistent application state.

In Node.js, unhandled promise rejections will terminate the process in future versions,
making this a critical reliability and security issue.
  - Remediation: Always handle promise rejections using one of these methods:

1. Use .catch() for promise chains
2. Use try-catch with async/await
3. Add global handlers for unhandled rejections

Example safe patterns:
```javascript
// ✅ SAFE - Using .catch()
fetch(url)
  .then(response => response.json())
  .then(data => processData(data))
  .catch(error => {
    logger.error('Fetch failed:', error);
    // Handle error appropriately
  });

// ✅ SAFE - Using async/await with try-catch
async function fetchData() {
  try {
    const response = await fetch(url);
    const data = await response.json();
    return processData(data);
  } catch (error) {
    logger.error('Fetch failed:', error);
    throw error; // Re-throw or handle
  }
}

// ✅ SAFE - Global handler (fallback)
process.on('unhandledRejection', (reason, promise) => {
  logger.error('Unhandled Rejection:', reason);
  // Optionally exit process for safety
  process.exit(1);
});
```

### Typescript (1 rules)

- **Unhandled Promise Rejection** [HIGH]: Detects promises that are created or called without proper rejection handlers.
Unhandled promise rejections can cause application crashes, expose sensitive error
information, and lead to inconsistent application state.

In Node.js, unhandled promise rejections will terminate the process in future versions,
making this a critical reliability and security issue.
  - Remediation: Always handle promise rejections using one of these methods:

1. Use .catch() for promise chains
2. Use try-catch with async/await
3. Add global handlers for unhandled rejections

Example safe patterns:
```javascript
// ✅ SAFE - Using .catch()
fetch(url)
  .then(response => response.json())
  .then(data => processData(data))
  .catch(error => {
    logger.error('Fetch failed:', error);
    // Handle error appropriately
  });

// ✅ SAFE - Using async/await with try-catch
async function fetchData() {
  try {
    const response = await fetch(url);
    const data = await response.json();
    return processData(data);
  } catch (error) {
    logger.error('Fetch failed:', error);
    throw error; // Re-throw or handle
  }
}

// ✅ SAFE - Global handler (fallback)
process.on('unhandledRejection', (reason, promise) => {
  logger.error('Unhandled Rejection:', reason);
  // Optionally exit process for safety
  process.exit(1);
});
```

### Python (1 rules)

- **Empty Exception Handler** [MEDIUM]: Detects empty except blocks that silently swallow exceptions. This can hide
security-critical errors, authentication failures, or data validation issues.
  - Remediation: Log exceptions or handle them explicitly instead of using empty except blocks.

```python
import logging

logger = logging.getLogger(__name__)

try:
    risky_operation()
except Exception as e:
    logger.error(f"Operation failed: {e}", exc_info=True)
    return {'error': 'Operation failed'}, 500
```

Learn more: https://shoulder.dev/learn/python/cwe-391/empty-except