
fix: Replace broad exception handling with specific exception types#2

Merged
Desperado merged 1 commit into Quality-Max:main from itinance:fix/specific-exception-handling
Mar 26, 2026

Conversation

@itinance
Contributor

Summary

Replace all bare except Exception: pass blocks with specific, narrowly-scoped exception types that each decoding operation can actually raise.

Problem

The scanner uses except Exception: pass in 6 locations across the codebase — every place it attempts to decode a potentially malicious payload:

try:
    decoded = base64.b64decode(encoded).decode("utf-8", errors="replace")
    ...
except Exception:
    pass

Why this matters

except Exception catches everything — not just the expected binascii.Error or ValueError, but also:

  • MemoryError — a crafted payload with an enormous decoded size would be silently ignored instead of surfacing
  • RecursionError — pathological inputs could blow the stack silently
  • SystemError / RuntimeError — interpreter-level issues would be swallowed
  • Any unexpected bug in the scanner logic itself — typos, logic errors, or regressions would never surface

This creates a scanner evasion vector: a sufficiently creative attacker could craft a payload that triggers an unexpected exception during analysis, causing the scanner to silently skip it and report "all clear."

OWASP Reference

  • A09:2021 – Security Logging and Monitoring Failures: Silent exception swallowing hides failures in security-critical detection logic, reducing the scanner's ability to identify or report threats.

Fix

Each try/except block now catches only the specific exceptions that the contained operations can raise:

Operation                      Specific Exceptions
base64.b64decode()             binascii.Error, ValueError
bytes.fromhex()                ValueError
.decode("utf-8")               UnicodeDecodeError
zlib.decompress()              zlib.error
codecs.decode(_, "rot_13")     ValueError, LookupError

This also adds the missing import binascii at the top of the file.

Impact

  • Any expected decoding failure (malformed base64, invalid hex, etc.) is still silently skipped — this is correct behavior since the scanner tries multiple encodings speculatively.
  • Any unexpected failure (bugs, memory issues, new edge cases) will now propagate and be visible in test output, rather than being silently swallowed.

Replace all bare `except Exception: pass` blocks with the specific
exceptions each decoding operation can actually raise. This prevents
masking unexpected errors that could indicate scanner evasion.
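The pattern the PR describes, as an added example that is not code from the scanner or this PR: a toy speculative decoder that tries base64, hex, zlib and rot13 with the narrow exception tuples from the table above, beside a switch that reproduces the old `except Exception: pass` behaviour. `MARKER`, `DECODERS`, `SAMPLES`, `scan`, `BUGGY_DECODERS` and `surfaced_error` are names chosen here; the sample payloads and the `.decod` typo used to simulate a scanner regression are constructed for the example, and `validate=True` on `b64decode` is an added choice, not the project's setting.

```python
import base64
import binascii
import codecs
import zlib

# Constructed for this example: a marker the toy scanner looks for once a
# payload has been decoded. The real project's signatures are not shown here.
MARKER = b"scanner-test-marker"

# (name, decoder, exceptions the decoder is documented to raise on bad input).
# UnicodeDecodeError is a ValueError subclass, so ValueError also covers the
# .decode("ascii") calls; binascii.Error is listed explicitly for readability.
DECODERS = [
    ("base64", lambda p: base64.b64decode(p, validate=True), (binascii.Error, ValueError)),
    ("hex", lambda p: bytes.fromhex(p.decode("ascii")), (ValueError,)),
    ("zlib", zlib.decompress, (zlib.error,)),
    ("rot13", lambda p: codecs.decode(p.decode("ascii"), "rot_13").encode("ascii"),
     (ValueError, LookupError)),
]

# Constructed sample inputs, one per encoding, plus an innocuous control.
SAMPLES = {
    "base64": base64.b64encode(MARKER),
    "hex": MARKER.hex().encode("ascii"),
    "zlib": zlib.compress(MARKER),
    "rot13": codecs.encode(MARKER.decode("ascii"), "rot_13").encode("ascii"),
    "plain": b"nothing to see",
}


def decode_candidates(payload, decoders=DECODERS, *, swallow_everything=False):
    """Speculatively decode payload under each encoding in decoders.

    swallow_everything=False (the fixed behaviour): each step catches only the
    exceptions it is expected to raise, so any other error propagates.
    swallow_everything=True reproduces the old `except Exception: pass`.
    """
    found = {}
    for name, decode, expected in decoders:
        catch = Exception if swallow_everything else expected
        try:
            found[name] = decode(payload)
        except catch:
            continue  # this encoding simply does not apply to the payload
    return found


def scan(payload, decoders=DECODERS, *, swallow_everything=False):
    """Return True if MARKER appears in any decoded form of payload."""
    candidates = decode_candidates(payload, decoders, swallow_everything=swallow_everything)
    return any(MARKER in data for data in candidates.values())


# Constructed regression for the example: a typo in the base64 step
# (.decod instead of .decode) raises AttributeError, which no decoder expects.
BUGGY_DECODERS = [
    ("base64", lambda p: base64.b64decode(p, validate=True).decod("utf-8"),
     (binascii.Error, ValueError)),
] + DECODERS[1:]


def surfaced_error(payload, decoders=DECODERS, *, swallow_everything=False):
    """Name of the unexpected exception scan() raises, or None if it returns."""
    try:
        scan(payload, decoders, swallow_everything=swallow_everything)
    except Exception as exc:  # broad on purpose: this is the harness, not the scanner
        return type(exc).__name__
    return None


if __name__ == "__main__":
    payload = SAMPLES["base64"]
    print("fixed scanner finds marker:", scan(payload))
    print("old handler + typo reports clear:", scan(payload, BUGGY_DECODERS, swallow_everything=True))
    print("new handler + typo surfaces:", surfaced_error(payload, BUGGY_DECODERS))
```

With the narrow tuples, a base64 payload that would have been flagged still decodes and matches, while the same payload run through the regressed decoder raises `AttributeError` instead of yielding an empty candidate list and a false "clean" verdict. Note that `zlib.error` does not derive from `ValueError`, so it must be named separately, and that `MemoryError` and `RecursionError` are both `Exception` subclasses, which is why the broad handler masked them.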
@Desperado
Contributor

Another good hardening — scanner evasion via unexpected exceptions is a real vector. Thanks!

@Desperado Desperado merged commit d07b580 into Quality-Max:main Mar 26, 2026
1 check passed
