CodeQL documentation

Poor error handling: empty catch block

ID: cs/empty-catch-block
Kind: problem
Security severity: 
Severity: recommendation
Precision: very-high
Tags:
   - reliability
   - readability
   - exceptions
   - external/cwe/cwe-390
   - external/cwe/cwe-391
Query suites:
   - csharp-security-and-quality.qls


In some languages an empty catch block might be acceptable in certain rare situations, such as when a checked exception is guaranteed not to be thrown. C# does not have checked exceptions, so any empty catch block is normally a mistake or an instance of bad practice.

Ignoring exceptions that should be dealt with in some way is almost always a very bad idea. If an exception is silently ignored, the program carries on in a state its author never anticipated, and that can allow an attacker to introduce unexpected behavior into your program.

Recommendation

Ensure all exceptions are handled correctly.

Example

In this pseudocode example, the program keeps running with its original privileges if the attempt to drop to lower privileges fails, because the failure is swallowed by the empty catch block.

class EmptyCatchBlock
{
    public static void Main(string[] args)
    {
        // ...
        try
        {
            SecurityManager.dropPrivileges();
        }
        catch (PrivilegeDropFailedException e)
        {
            // Empty: the failure is hidden and execution continues
            // with the privileges that should have been dropped.
        }
        // ...
    }
}
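The following is an added example, not code from the CodeQL documentation. It places the flagged pattern next to a handler that fails closed. `SecurityManager`, `dropPrivileges()` and `PrivilegeDropFailedException` are assumed stand-ins for a real privilege-dropping API, and the failure is simulated with a flag so the program runs on its own.

```csharp
using System;

// Assumed stand-ins for a real privilege-dropping API (not a real library).
public sealed class PrivilegeDropFailedException : Exception
{
    public PrivilegeDropFailedException(string message) : base(message) { }
}

public static class SecurityManager
{
    // Set to true to simulate the drop failing, as it might when the
    // target account does not exist or the caller lacks the right to switch.
    public static bool SimulateFailure { get; set; }
    public static bool Elevated { get; private set; } = true;

    public static void dropPrivileges()
    {
        if (SimulateFailure)
            throw new PrivilegeDropFailedException("could not drop privileges");
        Elevated = false;
    }
}

public static class Worker
{
    // Before: the empty catch block swallows the failure, so the work below
    // runs with the elevated privileges that were supposed to be dropped.
    // This is the pattern cs/empty-catch-block reports.
    public static bool RunWithEmptyCatch()
    {
        try
        {
            SecurityManager.dropPrivileges();
        }
        catch (PrivilegeDropFailedException)
        {
        }
        DoSensitiveWork();
        return SecurityManager.Elevated; // true when still elevated
    }

    // After: fail closed. A privilege drop that fails is a security-relevant
    // error, so record it and refuse to continue rather than carrying on.
    public static bool RunWithHandledCatch()
    {
        try
        {
            SecurityManager.dropPrivileges();
        }
        catch (PrivilegeDropFailedException e)
        {
            Console.Error.WriteLine($"privilege drop failed, aborting: {e.Message}");
            throw; // in a top-level entry point, Environment.Exit(1) is an alternative
        }
        DoSensitiveWork();
        return SecurityManager.Elevated;
    }

    private static void DoSensitiveWork()
    {
        Console.WriteLine(SecurityManager.Elevated
            ? "working while still ELEVATED"
            : "working with reduced privileges");
    }
}

public static class Program
{
    public static void Main()
    {
        SecurityManager.SimulateFailure = true;

        // Empty catch: the failure is hidden and the work proceeds elevated.
        Console.WriteLine("empty catch -> still elevated: " + Worker.RunWithEmptyCatch());

        // Handled catch: the failure surfaces and the sensitive work never runs.
        try
        {
            Worker.RunWithHandledCatch();
        }
        catch (PrivilegeDropFailedException)
        {
            Console.WriteLine("handled catch -> aborted before sensitive work");
        }
    }
}
```

With the failure simulated, the first call prints that work ran while still elevated and returns `true`; the second logs the error and propagates it, so `DoSensitiveWork()` is never reached. Whether the right reaction is to rethrow, exit, or retry depends on the program, but the handler must at least make the failure visible and stop the privileged path from continuing as if the drop had succeeded.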

References

  • Common Weakness Enumeration: CWE-390.

  • Common Weakness Enumeration: CWE-391.
