require-error-handling
This rule identifies AI SDK calls that aren't wrapped in try-catch blocks. AI calls can fail due to rate limits, network issues, or content filtering.
Ensures AI SDK calls are wrapped in try-catch to prevent cascading failures.
📊 Rule Details
| Property | Value |
|---|---|
| Type | suggestion |
| Severity | 🟠 MEDIUM |
| OWASP Agentic | ASI08: Cascading Failures |
| CWE | CWE-755: Improper Handling of Exceptional Conditions |
| CVSS | 5.0 |
| Config Default | off (recommended), error (strict) |
🔍 What This Rule Detects
This rule identifies AI SDK calls that aren't wrapped in try-catch blocks. AI calls can fail due to rate limits, network issues, or content filtering.
❌ Incorrect Code
// No error handling
async function handler() {
const result = await generateText({
prompt: 'Hello',
});
return result.text;
}
// Missing catch
async function process() {
const stream = await streamText({
prompt: 'Stream this',
});
return stream;
}✅ Correct Code
// With try-catch
async function handler() {
try {
const result = await generateText({
prompt: 'Hello',
});
return result.text;
} catch (error) {
logger.error('AI call failed', error);
throw new AppError('AI service unavailable');
}
}
// Error handling with fallback
async function process() {
try {
const stream = await streamText({
prompt: 'Stream this',
});
return stream;
} catch (error) {
return getFallbackResponse();
}
}⚙️ Options
| Option | Type | Default | Description |
|---|---|---|---|
allowInTests | boolean | true | Skip rule in test files |
🛡️ Why This Matters
Unhandled AI errors can cause:
- Cascading failures - One failure crashes entire system
- Information leakage - Stack trace exposes internals
- Poor user experience - Generic error pages
- Silent failures - Problems go unnoticed
🔗 Related Rules
require-audit-logging- Log AI operationsrequire-abort-signal- Enable cancellation
Known False Negatives
The following patterns are not detected due to static analysis limitations:
Try-Catch in Caller
Why: Error handling in calling function is not tracked.
// ❌ NOT DETECTED - Try-catch in caller
async function handler() {
return aiService.generate('Hello'); // aiService has try-catch
}Mitigation: Add error handling at AI call site for clarity.
Global Error Handlers
Why: Express/framework error middleware is not visible.
// ❌ NOT DETECTED (correctly) - Express error handler
app.use(errorHandler); // Catches all errors
async function handler() {
return await generateText({ prompt: 'Hello' });
}Mitigation: Use local error handling for graceful degradation.
Wrapper with Built-in Error Handling
Why: Custom wrappers with internal error handling are not recognized.
// ❌ NOT DETECTED - Wrapper has error handling
const result = await safeGenerateText({ prompt: 'Hello' });Mitigation: Apply rule to wrapper implementations.
Promise.catch()
Why: Promise chain error handling may not be recognized.
// ⚠️ MAY NOT DETECT - Promise catch
generateText({ prompt: 'Hello' })
.then((r) => r.text)
.catch(handleError);Mitigation: Use async/await with try-catch for clarity.
📚 References
Error Message Format
The rule provides LLM-optimized error messages (Compact 2-line format) with actionable security guidance:
🔒 CWE-755 OWASP:A10 CVSS:7.5 | Improper Handling of Exceptional Conditions detected | HIGH
Fix: Review and apply the recommended fix | https://owasp.org/Top10/A10_2021/Message Components
| Component | Purpose | Example |
|---|---|---|
| Risk Standards | Security benchmarks | CWE-755 OWASP:A10 CVSS:7.5 |
| Issue Description | Specific vulnerability | Improper Handling of Exceptional Conditions detected |
| Severity & Compliance | Impact assessment | HIGH |
| Fix Instruction | Actionable remediation | Follow the remediation steps below |
| Technical Truth | Official reference | OWASP Top 10 |
require-embedding-validation
This rule identifies code patterns where embeddings are stored in vector databases without validation.
require-max-steps
This rule identifies AI SDK calls that use tools but don't specify a `maxSteps` limit. Without limits, AI agents can enter infinite loops calling tools repeated