Plugin: lambda-securityRules
no-error-swallowing
ESLint rule documentation for no-error-swallowing
📡 Live from GitHub — This documentation is fetched directly from no-error-swallowing.md and cached for 6 hours.
Keywords: catch block, error handling, logging, CWE-390, Lambda, serverless, monitoring CWE: CWE-390
OWASP: A09:2021-Security Logging and Monitoring Failures
Detect empty catch blocks and missing error logging
Detects empty catch blocks and catch handlers that don't log errors in Lambda handlers. This rule is part of eslint-plugin-lambda-security and provides LLM-optimized error messages.
⚠️ Security rule | 💡 Provides suggestions | 📋 Set to warn in recommended
Quick Summary
| Aspect | Details |
|---|---|
| CWE Reference | CWE-390 (Error Without Action) |
| Severity | Medium (security/observability) |
| Auto-Fix | 💡 Suggests adding console.error |
| Category | Security |
| Best For | Lambda functions with try/catch error handling |
Vulnerability and Risk
Vulnerability: Swallowing errors without logging hides security incidents, making it impossible to detect attacks, diagnose issues, or understand application behavior.
Risk: Without error logging:
- Security incidents go undetected
- Debugging becomes impossible
- SLA breaches are hidden
- Audit trails are incomplete
Rule Details
This rule detects:
- Empty catch blocks
- Catch blocks without logging statements
- Catch blocks that return without logging
Why This Matters
| Risk | Impact | Solution |
|---|---|---|
| 🕵️ Hidden Attacks | Security breaches go unnoticed | Log all errors with context |
| 🔍 Debugging | Can't diagnose production issues | Include error details in logs |
| 📊 Monitoring | Alarms can't trigger on hidden errors | Integrate with CloudWatch/Datadog |
Configuration
| Option | Type | Default | Description |
|---|---|---|---|
allowInTests | boolean | true | Allow in test files |
allowWithComment | boolean | true | Allow if comment explains intentional |
{
rules: {
'lambda-security/no-error-swallowing': ['warn', {
allowInTests: true,
allowWithComment: true
}]
}
}Examples
❌ Incorrect
export const handler = async (event) => {
try {
await processEvent(event);
} catch (error) {
// Empty catch - error is completely hidden
} // ❌ Error swallowed
try {
await anotherOperation();
} catch (error) {
return { statusCode: 200 }; // ❌ Returns success without logging
}
};✅ Correct
export const handler = async (event, context) => {
try {
await processEvent(event);
} catch (error) {
console.error('Process failed', {
// ✅ Logged with context
error,
requestId: context.awsRequestId,
event: JSON.stringify(event),
});
return {
statusCode: 500,
body: JSON.stringify({ error: 'Internal error' }),
};
}
};
// Or with structured logger
import { Logger } from '@aws-lambda-powertools/logger';
const logger = new Logger();
export const handler = async (event) => {
try {
await processEvent(event);
} catch (error) {
logger.error('Operation failed', { error }); // ✅ Structured logging
throw error; // ✅ Re-thrown for Lambda retry
}
};✅ Intentional Suppression (with comment)
try {
await optionalCleanup();
} catch (error) {
// intentional: cleanup errors are non-critical ✅ Comment explains
}Error Logging Best Practices
Include Context
catch (error) {
console.error('Payment processing failed', {
error: error.message,
stack: error.stack,
userId: event.userId,
transactionId: event.transactionId,
awsRequestId: context.awsRequestId,
remainingTime: context.getRemainingTimeInMillis()
});
}Structured Logging
import { Logger } from '@aws-lambda-powertools/logger';
const logger = new Logger({ serviceName: 'payment-service' });
catch (error) {
logger.error('Payment failed', {
error,
transactionId: event.transactionId
});
}CloudWatch Metrics
import { Metrics, MetricUnits } from '@aws-lambda-powertools/metrics';
const metrics = new Metrics({ namespace: 'PaymentService' });
catch (error) {
metrics.addMetric('PaymentErrors', MetricUnits.Count, 1);
metrics.addMetadata('errorType', error.name);
console.error(error);
}Security Impact
| Vulnerability | CWE | OWASP | CVSS | Impact |
|---|---|---|---|---|
| Error Without Action | 390 | A09:2021 | 5.0 Medium | Hidden security incidents |
| Insufficient Logging | 778 | A09:2021 | 4.3 Medium | Missing audit trail |
Related Rules
no-exposed-error-details- Don't expose error details to usersrequire-timeout-handling- Handle timeout errors
Known False Positives
Custom Loggers
If you use a custom logger not recognized by the rule:
// Add to recognized patterns
catch (error) {
myCustomLogger.error(error); // May need rule configuration
}Further Reading
- Lambda Logging - AWS documentation
- CWE-390: Error Condition Without Action - Official CWE entry
- AWS Lambda Powertools - Structured logging