codeql/csharp/ql/src/Language Abuse/CatchOfGenericException.ql at d3e580fd0ed0b52c531f0bdaa4e17033dd604c1d · github/codeql · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
/**
 * @name Generic catch clause
 * @description Catching all exceptions with a generic catch clause may be overly
 *              broad, which can make errors harder to diagnose.
 * @kind problem
 * @problem.severity recommendation
 * @precision high
 * @id cs/catch-of-all-exceptions
 * @tags quality
 *       reliability
 *       error-handling
 *       external/cwe/cwe-396
 */

import csharp
import semmle.code.csharp.frameworks.System

class GenericCatchClause extends CatchClause {
  GenericCatchClause() {
    this instanceof GeneralCatchClause
    or
    this =
      any(SpecificCatchClause scc |
        scc.getCaughtExceptionType() instanceof SystemExceptionClass and
        not scc.hasFilterClause()
      )
  }
}

from GenericCatchClause gcc
where
  forall(ThrowStmt throw |
    // ok to catch all exceptions if they may be rethrown
    gcc.getBlock().getAChildStmt+() = throw
  |
    exists(throw.getExpr())
  )
select gcc, "Generic catch clause."