Part 3: Error Handling and Result Types - Robust Production Code

Introduction

While building my WAF scanner, I learned that Rust doesn't let you ignore errors. No catching exceptions in a try-catch block and moving on. No silent None returns that you forget to check. The compiler forces you to handle every error explicitly.

This initially felt tedious, but it caught so many bugs before they reached production. A network timeout? Must handle it. JSON parsing failure? Must handle it. Invalid user input? Must handle it. This article shows how I built robust error handling into simple-waf-scanner.

Why Rust's Error Handling is Different

The Problem with Exceptions

Python/Java style:

def fetch_data(url):
    response = requests.get(url)  # Might raise exception
    return response.json()         # Might raise another exception

# Easy to forget error handling
data = fetch_data("https://api.com")  # Crashes if network error

Go style:

data, err := fetchData(url)
if err != nil {
    // Easy to ignore errors
}
// Forgot to check err? Silent bugs!

Rust style:

// Compiler forces you to handle Result
let data = fetch_data(url)?;  // Must use ? or match
// Can't ignore the error - won't compile!

The Result Type

Basic Result

// Result is an enum with two variants
enum Result<T, E> {
    Ok(T),    // Success with value of type T
    Err(E),   // Error with value of type E
}

// Example: parsing a number
fn parse_port(s: &str) -> Result<u16, std::num::ParseIntError> {
    let port: u16 = s.parse()?;  // ? propagates error if parse fails
    Ok(port)
}

// Usage
match parse_port("8080") {
    Ok(port) => println!("Port: {}", port),
    Err(e) => eprintln!("Invalid port: {}", e),
}

The Option Type for Missing Values

// Option for values that might not exist
enum Option<T> {
    Some(T),  // Has a value
    None,     // No value
}

// Example: finding a WAF in headers
fn detect_waf(headers: &HashMap<String, String>) -> Option<String> {
    if let Some(server) = headers.get("server") {
        if server.contains("cloudflare") {
            return Some("Cloudflare".to_string());
        }
    }
    None
}

// Usage
match detect_waf(&headers) {
    Some(waf) => println!("Detected: {}", waf),
    None => println!("No WAF detected"),
}

Real Example: HTTP Request Errors

From my scanner's HTTP client:

use reqwest::Client;
use std::time::Duration;

pub async fn make_request(
    client: &Client,
    url: &str,
    payload: &str,
) -> Result<Response, RequestError> {
    // Build request with timeout
    let response = client
        .get(url)
        .query(&[("q", payload)])
        .timeout(Duration::from_secs(10))
        .send()
        .await?;  // ? converts reqwest::Error to RequestError
    
    Ok(Response {
        status: response.status().as_u16(),
        headers: extract_headers(&response),
        body: response.text().await?,
    })
}

pub struct Response {
    pub status: u16,
    pub headers: HashMap<String, String>,
    pub body: String,
}

// Custom error type
#[derive(Debug)]
pub enum RequestError {
    Network(reqwest::Error),
    Timeout,
    InvalidUrl,
}

// Convert from reqwest::Error to our error type
impl From<reqwest::Error> for RequestError {
    fn from(err: reqwest::Error) -> Self {
        if err.is_timeout() {
            RequestError::Timeout
        } else {
            RequestError::Network(err)
        }
    }
}

The `?` Operator

Before and After

Without ? - verbose:

fn load_config(path: &str) -> Result<Config, Error> {
    let content = match std::fs::read_to_string(path) {
        Ok(c) => c,
        Err(e) => return Err(Error::FileRead(e)),
    };
    
    let config: Config = match serde_json::from_str(&content) {
        Ok(cfg) => cfg,
        Err(e) => return Err(Error::JsonParse(e)),
    };
    
    Ok(config)
}

With ? - clean:

fn load_config(path: &str) -> Result<Config, Error> {
    let content = std::fs::read_to_string(path)?;
    let config: Config = serde_json::from_str(&content)?;
    Ok(config)
}

How `?` Works

// These are equivalent:

// Using ?
let value = risky_operation()?;

// Expanded
let value = match risky_operation() {
    Ok(v) => v,
    Err(e) => return Err(e.into()),  // .into() converts error types
};

Custom Error Types

Simple String Errors

type Result<T> = std::result::Result<T, String>;

fn validate_url(url: &str) -> Result<()> {
    if !url.starts_with("http://") && !url.starts_with("https://") {
        return Err("URL must start with http:// or https://".to_string());
    }
    Ok(())
}

Enum-Based Errors

Better approach - structured errors:

#[derive(Debug)]
pub enum ScanError {
    InvalidUrl(String),
    NetworkError(reqwest::Error),
    JsonError(serde_json::Error),
    PayloadNotFound(String),
    Timeout,
    RateLimited,
}

impl std::fmt::Display for ScanError {
    fn fmt(&self, f: &mut std::fmt::Formatter) -> std::fmt::Result {
        match self {
            ScanError::InvalidUrl(url) => write!(f, "Invalid URL: {}", url),
            ScanError::NetworkError(e) => write!(f, "Network error: {}", e),
            ScanError::JsonError(e) => write!(f, "JSON parse error: {}", e),
            ScanError::PayloadNotFound(id) => write!(f, "Payload not found: {}", id),
            ScanError::Timeout => write!(f, "Request timed out"),
            ScanError::RateLimited => write!(f, "Rate limited by server"),
        }
    }
}

impl std::error::Error for ScanError {}

Real Error Type from My Scanner

Complete implementation:

use std::fmt;

#[derive(Debug)]
pub enum WafScanError {
    // HTTP related
    RequestFailed(String),
    InvalidResponse,
    Timeout,
    
    // Payload related
    PayloadLoadFailed(std::io::Error),
    PayloadParseFailed(serde_json::Error),
    InvalidPayload(String),
    
    // Configuration
    InvalidConfig(String),
    MissingConfig(String),
    
    // Consent
    ConsentRequired,
    ConsentDeclined,
}

impl fmt::Display for WafScanError {
    fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
        match self {
            WafScanError::RequestFailed(msg) => {
                write!(f, "HTTP request failed: {}", msg)
            }
            WafScanError::InvalidResponse => {
                write!(f, "Received invalid HTTP response")
            }
            WafScanError::Timeout => {
                write!(f, "Request timed out")
            }
            WafScanError::PayloadLoadFailed(e) => {
                write!(f, "Failed to load payload file: {}", e)
            }
            WafScanError::PayloadParseFailed(e) => {
                write!(f, "Failed to parse payload JSON: {}", e)
            }
            WafScanError::InvalidPayload(msg) => {
                write!(f, "Invalid payload: {}", msg)
            }
            WafScanError::InvalidConfig(msg) => {
                write!(f, "Invalid configuration: {}", msg)
            }
            WafScanError::MissingConfig(field) => {
                write!(f, "Missing required config: {}", field)
            }
            WafScanError::ConsentRequired => {
                write!(f, "User consent required for scanning")
            }
            WafScanError::ConsentDeclined => {
                write!(f, "User declined consent")
            }
        }
    }
}

impl std::error::Error for WafScanError {}

// Automatic conversion from other error types
impl From<std::io::Error> for WafScanError {
    fn from(err: std::io::Error) -> Self {
        WafScanError::PayloadLoadFailed(err)
    }
}

impl From<serde_json::Error> for WafScanError {
    fn from(err: serde_json::Error) -> Self {
        WafScanError::PayloadParseFailed(err)
    }
}

impl From<reqwest::Error> for WafScanError {
    fn from(err: reqwest::Error) -> Self {
        if err.is_timeout() {
            WafScanError::Timeout
        } else {
            WafScanError::RequestFailed(err.to_string())
        }
    }
}

Using the Custom Error

use std::fs;

pub type Result<T> = std::result::Result<T, WafScanError>;

pub async fn load_payloads(path: &str) -> Result<Vec<Payload>> {
    // Read file - io::Error auto-converted to WafScanError
    let content = fs::read_to_string(path)?;
    
    // Parse JSON - serde_json::Error auto-converted
    let payloads: Vec<Payload> = serde_json::from_str(&content)?;
    
    // Validate payloads
    for payload in &payloads {
        validate_payload(payload)?;
    }
    
    Ok(payloads)
}

fn validate_payload(payload: &Payload) -> Result<()> {
    if payload.id.is_empty() {
        return Err(WafScanError::InvalidPayload(
            "Payload ID cannot be empty".to_string()
        ));
    }
    
    if payload.value.is_empty() {
        return Err(WafScanError::InvalidPayload(
            "Payload value cannot be empty".to_string()
        ));
    }
    
    Ok(())
}

Error Handling Patterns

Pattern 1: Propagate with `?`

pub async fn scan_target(url: &str) -> Result<ScanResults> {
    // All errors automatically propagated
    let client = build_http_client()?;
    let payloads = load_payloads("payloads.json").await?;
    let waf = detect_waf(&client, url).await?;
    let findings = test_payloads(&client, url, &payloads).await?;
    
    Ok(ScanResults { waf, findings })
}

Pattern 2: Match for Different Handling

pub async fn test_payload(payload: &Payload) -> Option<Finding> {
    match make_request(payload).await {
        Ok(response) => {
            if is_bypass(&response) {
                Some(Finding::new(payload, response))
            } else {
                None
            }
        }
        Err(WafScanError::Timeout) => {
            // Timeout might indicate blocking
            println!("Request timed out for payload: {}", payload.id);
            None
        }
        Err(WafScanError::RateLimited) => {
            // Wait and retry
            tokio::time::sleep(Duration::from_secs(5)).await;
            None
        }
        Err(e) => {
            eprintln!("Error testing payload {}: {}", payload.id, e);
            None
        }
    }
}

Pattern 3: Convert Error to Option

// When you want to ignore errors
pub fn try_parse_port(s: &str) -> Option<u16> {
    s.parse().ok()  // .ok() converts Result<T, E> to Option<T>
}

// Or use in chain
let port = config.get("port")
    .and_then(|s| s.parse().ok())
    .unwrap_or(8080);  // Default if missing or invalid

Pattern 4: Collect Results

// Process multiple items, stop on first error
pub async fn test_all_payloads(
    payloads: &[Payload]
) -> Result<Vec<Finding>> {
    let mut findings = Vec::new();
    
    for payload in payloads {
        // ? stops on first error
        let finding = test_payload(payload).await?;
        findings.push(finding);
    }
    
    Ok(findings)
}

// Or collect with fallible iterator
pub async fn test_all_payloads_v2(
    payloads: &[Payload]
) -> Result<Vec<Finding>> {
    let futures: Vec<_> = payloads
        .iter()
        .map(|p| test_payload(p))
        .collect();
    
    // Wait for all, stop on first error
    let findings = futures::future::try_join_all(futures).await?;
    Ok(findings)
}

Pattern 5: Continue on Errors

// Process all items, log errors but continue
pub async fn test_all_payloads_best_effort(
    payloads: &[Payload]
) -> Vec<Finding> {
    let mut findings = Vec::new();
    
    for payload in payloads {
        match test_payload(payload).await {
            Ok(finding) => findings.push(finding),
            Err(e) => {
                eprintln!("Failed to test {}: {}", payload.id, e);
                // Continue with next payload
            }
        }
    }
    
    findings
}

Option Combinators

Useful Option Methods

let headers: HashMap<String, String> = get_headers();

// .unwrap_or() - provide default
let server = headers.get("server").unwrap_or(&String::from("unknown"));

// .unwrap_or_else() - compute default lazily
let server = headers.get("server")
    .unwrap_or_else(|| {
        println!("Server header missing");
        &String::from("unknown")
    });

// .map() - transform if Some
let server_len = headers.get("server")
    .map(|s| s.len());  // Option<usize>

// .and_then() - chain operations
let waf_name = headers.get("server")
    .and_then(|s| detect_waf_from_header(s));

// .filter() - keep only if condition met
let cloudflare = headers.get("server")
    .filter(|s| s.contains("cloudflare"));

// .ok_or() - convert to Result
let server = headers.get("server")
    .ok_or(WafScanError::MissingConfig("server header".to_string()))?;

Real Example: WAF Detection

pub fn detect_waf_from_response(response: &Response) -> Option<String> {
    // Try multiple detection methods
    response.headers.get("server")
        .and_then(|s| detect_from_server_header(s))
        .or_else(|| detect_from_cookies(&response.headers))
        .or_else(|| detect_from_body(&response.body))
}

fn detect_from_server_header(header: &str) -> Option<String> {
    let header_lower = header.to_lowercase();
    
    if header_lower.contains("cloudflare") {
        Some("Cloudflare".to_string())
    } else if header_lower.contains("akamai") {
        Some("Akamai".to_string())
    } else {
        None
    }
}

Result Combinators

Useful Result Methods

// .map() - transform success value
let port: Result<u16, _> = get_port_string()
    .map(|s| s.parse().unwrap_or(8080));

// .map_err() - transform error
let config: Result<Config, WafScanError> = load_config()
    .map_err(|e| WafScanError::InvalidConfig(e.to_string()));

// .and_then() - chain fallible operations
let validated_url = get_url()
    .and_then(|url| validate_url(&url))
    .and_then(|url| normalize_url(&url));

// .or_else() - try alternative on error
let payloads = load_custom_payloads()
    .or_else(|_| load_default_payloads());

// .unwrap_or() - get value or default
let config = load_config().unwrap_or(Config::default());

// .unwrap_or_else() - compute default
let config = load_config().unwrap_or_else(|e| {
    eprintln!("Config error: {}, using defaults", e);
    Config::default()
});

Error Context with `anyhow`

For applications (not libraries), anyhow provides easy error handling:

use anyhow::{Context, Result};

pub async fn run_scan(config: &Config) -> Result<()> {
    let payloads = load_payloads(&config.payload_file)
        .context("Failed to load payloads")?;
    
    let client = build_client()
        .context("Failed to create HTTP client")?;
    
    let results = scan_with_payloads(&client, &payloads).await
        .context(format!("Scan failed for target: {}", config.url))?;
    
    save_results(&results)
        .context("Failed to save results")?;
    
    Ok(())
}

// Error output includes full chain:
// Error: Failed to save results
// Caused by:
//     0: Permission denied
//     1: os error 13

Logging Errors

Using `log` crate

use log::{error, warn, info, debug};

pub async fn test_payload(payload: &Payload) -> Result<Option<Finding>> {
    debug!("Testing payload: {}", payload.id);
    
    match make_request(payload).await {
        Ok(response) => {
            info!("Payload {} returned status {}", payload.id, response.status);
            
            if is_bypass(&response) {
                info!("✓ Payload {} bypassed WAF", payload.id);
                Ok(Some(Finding::new(payload, response)))
            } else {
                debug!("Payload {} blocked", payload.id);
                Ok(None)
            }
        }
        Err(WafScanError::Timeout) => {
            warn!("Timeout testing payload {}", payload.id);
            Ok(None)
        }
        Err(e) => {
            error!("Error testing payload {}: {}", payload.id, e);
            Err(e)
        }
    }
}

Initialize Logging

// In main.rs
use env_logger;

fn main() {
    // Initialize logger
    env_logger::init();
    
    // Run application
    if let Err(e) = run() {
        error!("Application error: {}", e);
        std::process::exit(1);
    }
}

// Set log level with environment variable:
// RUST_LOG=debug cargo run
// RUST_LOG=info cargo run

Testing Error Handling

Unit Tests

#[cfg(test)]
mod tests {
    use super::*;
    
    #[test]
    fn test_invalid_url() {
        let result = validate_url("not-a-url");
        assert!(result.is_err());
        
        match result {
            Err(WafScanError::InvalidUrl(url)) => {
                assert_eq!(url, "not-a-url");
            }
            _ => panic!("Expected InvalidUrl error"),
        }
    }
    
    #[test]
    fn test_valid_url() {
        let result = validate_url("https://example.com");
        assert!(result.is_ok());
    }
    
    #[tokio::test]
    async fn test_timeout_handling() {
        let result = test_slow_endpoint().await;
        
        match result {
            Err(WafScanError::Timeout) => {
                // Expected
            }
            _ => panic!("Expected timeout error"),
        }
    }
}

Real-World Example: Complete Scan Function

Putting it all together:

use log::{info, warn, error};

pub async fn perform_scan(config: Config) -> Result<ScanReport> {
    info!("Starting scan of {}", config.target_url);
    
    // Validate configuration
    validate_config(&config)?;
    
    // Get user consent
    if !config.skip_consent {
        get_user_consent()
            .ok_or(WafScanError::ConsentDeclined)?;
    }
    
    // Build HTTP client
    let client = Arc::new(build_http_client(&config)?);
    info!("HTTP client configured");
    
    // Load payloads
    let payloads = if let Some(path) = &config.custom_payloads {
        load_payloads(path).await?
    } else {
        get_embedded_payloads()
    };
    info!("Loaded {} payloads", payloads.len());
    
    // Detect WAF
    let waf_detected = detect_waf(&client, &config.target_url).await
        .ok();  // Convert to Option, ignore error
    
    if let Some(ref waf) = waf_detected {
        info!("Detected WAF: {}", waf);
    } else {
        info!("No WAF detected");
    }
    
    // Test payloads concurrently
    let findings = test_payloads_concurrent(
        &client,
        &config.target_url,
        &payloads,
        config.concurrency
    ).await?;
    
    info!("Scan complete: {} findings", findings.len());
    
    Ok(ScanReport {
        target_url: config.target_url,
        waf_detected,
        findings,
        timestamp: chrono::Utc::now(),
    })
}

fn validate_config(config: &Config) -> Result<()> {
    if config.target_url.is_empty() {
        return Err(WafScanError::MissingConfig("target_url".to_string()));
    }
    
    if !config.target_url.starts_with("http://") 
        && !config.target_url.starts_with("https://") {
        return Err(WafScanError::InvalidUrl(config.target_url.clone()));
    }
    
    if config.concurrency == 0 {
        return Err(WafScanError::InvalidConfig(
            "concurrency must be > 0".to_string()
        ));
    }
    
    Ok(())
}

Key Takeaways

No exceptions: Errors are values (Result/Option)
Compiler enforces handling: Can't ignore errors
? operator: Clean error propagation
Custom error types: Structured, informative errors
From trait: Automatic error conversion
Option for missing data: No null pointer errors
Match for exhaustive handling: All cases covered
Combinators: Clean functional error handling
Logging: Track errors in production
Test error paths: Verify error handling works

Common Patterns Summary

// Propagate errors up the call stack
fn foo() -> Result<T> {
    let x = might_fail()?;
    Ok(x)
}

// Provide defaults
let value = might_fail().unwrap_or(default_value);

// Map success values
let doubled = get_number().map(|n| n * 2);

// Chain operations
let result = step1()
    .and_then(|x| step2(x))
    .and_then(|x| step3(x));

// Handle different errors differently
match operation() {
    Ok(value) => use_value(value),
    Err(ErrorType::A) => handle_a(),
    Err(ErrorType::B) => handle_b(),
    Err(e) => handle_other(e),
}

Next in Series

In Part 4: Async Programming with Tokio, we'll explore how to test hundreds of payloads concurrently using async/await and the Tokio runtime. We'll see how Rust enables fearless concurrency without data races.

Based on implementing robust error handling in simple-waf-scanner, ensuring failures are explicit and recoverable.

PreviousPart 2: Ownership, Borrowing, and Lifetimes - Rust's Memory Safety NextPart 4: Async Programming with Tokio - Concurrent Execution

Last updated 15 hours ago

hashtagIntroduction

hashtagWhy Rust's Error Handling is Different

hashtagThe Problem with Exceptions

hashtagThe Result Type

hashtagBasic Result

hashtagThe Option Type for Missing Values

hashtagReal Example: HTTP Request Errors

hashtagThe ? Operator

hashtagBefore and After

hashtagHow ? Works

hashtagCustom Error Types

hashtagSimple String Errors

hashtagEnum-Based Errors

hashtagReal Error Type from My Scanner

hashtagUsing the Custom Error

hashtagError Handling Patterns

hashtagPattern 1: Propagate with ?

hashtagPattern 2: Match for Different Handling

hashtagPattern 3: Convert Error to Option

hashtagPattern 4: Collect Results

hashtagPattern 5: Continue on Errors

hashtagOption Combinators

hashtagUseful Option Methods

hashtagReal Example: WAF Detection

hashtagResult Combinators

hashtagUseful Result Methods

hashtagError Context with anyhow

hashtagLogging Errors

hashtagUsing log crate

hashtagInitialize Logging

hashtagTesting Error Handling

hashtagUnit Tests

hashtagReal-World Example: Complete Scan Function

hashtagKey Takeaways

hashtagCommon Patterns Summary

hashtagNext in Series