JD.FINRET

JD.FINRET is found when a return statement occurs in a finally block.

Vulnerability and risk

A return statement inside a finally block causes any exception thrown in the try block, or re-thrown from a catch block, to be discarded, and it replaces any value the method was about to return from the try block with the value returned by the finally block. The caller therefore never learns that the operation failed: an exception that was meant to signal invalid input or a failed check is silently converted into the finally block's return value, and even a try block that succeeded returns the wrong value.

Mitigation and prevention

A finally block should contain only finalization code, such as releasing resources. Logic that decides the return value or re-throws an exception belongs in the try or catch blocks, not in the finally block.

Example 1

     9 int foo2(String name) {
    10   try {
    11     return Integer.parseInt(name);
    12   } catch (NumberFormatException e) {
    13     throw e;
    14   } finally {
    15     return -1;
    16   }
    17 }

JD.FINRET is reported on line 15: A 'return' in a finally block can cause exceptions to be ignored. Here the re-throw on line 13 is discarded, and the parsed value returned on line 11 is discarded as well, so foo2 returns -1 for every input.
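The following is an added example, not code from the original checker documentation. It places a method equivalent to foo2 beside two corrected forms whose finally blocks only perform cleanup, and its main method exercises each with valid and invalid input so the swallowed re-throw and the overridden return value can be observed. The method and helper names (parseFlawed, parseWithFallback, parseStrict, cleanup) are assumptions chosen for illustration.

```java
// Added example, not from the Klocwork checker documentation. It shows the two
// effects of a return in a finally block (a swallowed re-throw and an overridden
// return value) beside corrected forms whose finally block only does cleanup.
public class FinallyReturnDemo {

    // Flawed form, equivalent to foo2 on the page; JD.FINRET would report the
    // return in the finally block.
    static int parseFlawed(String name) {
        try {
            return Integer.parseInt(name);   // value computed, then discarded by finally
        } catch (NumberFormatException e) {
            throw e;                          // re-throw is discarded by the finally return
        } finally {
            return -1;                        // JD.FINRET: wins over both paths above
        }
    }

    // Corrected form: the fallback value is chosen in the catch block and the
    // finally block contains only finalization. Hypothetical name, not from the page.
    static int parseWithFallback(String name) {
        try {
            return Integer.parseInt(name);
        } catch (NumberFormatException e) {
            return -1;                        // explicit, auditable fallback
        } finally {
            cleanup();                        // cleanup only; no return or throw here
        }
    }

    // Corrected form that lets the exception reach the caller, so a failed
    // parse cannot be mistaken for a legitimate value. Hypothetical name.
    static int parseStrict(String name) {
        try {
            return Integer.parseInt(name);
        } finally {
            cleanup();
        }
    }

    // Stand-in for resource release (closing a stream, releasing a lock).
    static void cleanup() { }

    public static void main(String[] args) {
        // Valid input: the flawed version still returns -1, because the finally
        // block's return replaces the value returned from the try block.
        System.out.println("parseFlawed(\"42\")       = " + parseFlawed("42"));
        System.out.println("parseWithFallback(\"42\") = " + parseWithFallback("42"));
        System.out.println("parseStrict(\"42\")       = " + parseStrict("42"));

        // Invalid input: the flawed version returns -1 without any exception,
        // although its catch block re-threw the NumberFormatException.
        System.out.println("parseFlawed(\"abc\")       = " + parseFlawed("abc"));
        System.out.println("parseWithFallback(\"abc\") = " + parseWithFallback("abc"));

        // The strict version surfaces the failure to the caller.
        try {
            parseStrict("abc");
            System.out.println("parseStrict(\"abc\") returned normally (unexpected)");
        } catch (NumberFormatException e) {
            System.out.println("parseStrict(\"abc\") threw " + e.getClass().getSimpleName());
        }
    }
}
```

Compile and run with javac FinallyReturnDemo.java and java FinallyReturnDemo. Note that the flawed method compiles without error; javac only reports the pattern as a warning when -Xlint:finally is enabled, which is why a static checker such as JD.FINRET is useful for catching it in review.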