Merge pull request #6717 from luchua-bc/java/thread-resource-abuse

Java: CWE-400 - Query to detect uncontrolled thread resource consumption

Author: smowton

java/ql/src/experimental/Security/CWE/CWE-400/LocalThreadResourceAbuse.ql

@@ -0,0 +1,72 @@
+/**
+ * @name Uncontrolled thread resource consumption from local input source
+ * @description Using user input directly to control a thread's sleep time could lead to
+ *              performance problems or even resource exhaustion.
+ * @kind path-problem
+ * @id java/thread-resource-abuse
+ * @problem.severity recommendation
+ * @tags security
+ *       external/cwe/cwe-400
+ */
+
+import java
+import ThreadResourceAbuse
+import semmle.code.java.dataflow.FlowSources
+import DataFlow::PathGraph
+
+/** The `getInitParameter` method of servlet or JSF. */
+class GetInitParameter extends Method {
+  GetInitParameter() {
+    (
+      this.getDeclaringType()
+          .getASupertype*()
+          .hasQualifiedName(["javax.servlet", "jakarta.servlet"],
+            ["FilterConfig", "Registration", "ServletConfig", "ServletContext"]) or
+      this.getDeclaringType()
+          .getASupertype*()
+          .hasQualifiedName(["javax.faces.context", "jakarta.faces.context"], "ExternalContext")
+    ) and
+    this.getName() = "getInitParameter"
+  }
+}
+
+/** An access to the `getInitParameter` method. */
+class GetInitParameterAccess extends MethodAccess {
+  GetInitParameterAccess() { this.getMethod() instanceof GetInitParameter }
+}
+
+/* Init parameter input of a Java EE web application. */
+class InitParameterInput extends LocalUserInput {
+  InitParameterInput() { this.asExpr() instanceof GetInitParameterAccess }
+}
+
+/** Taint configuration of uncontrolled thread resource consumption from local user input. */
+class ThreadResourceAbuse extends TaintTracking::Configuration {
+  ThreadResourceAbuse() { this = "ThreadResourceAbuse" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof PauseThreadSink }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+    any(AdditionalValueStep r).step(pred, succ)
+  }
+
+  override predicate isSanitizer(DataFlow::Node node) {
+    exists(
+      MethodAccess ma // Math.min(sleepTime, MAX_INTERVAL)
+    |
+      ma.getMethod().hasQualifiedName("java.lang", "Math", "min") and
+      node.asExpr() = ma.getAnArgument()
+    )
+  }
+
+  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+    guard instanceof LessThanSanitizer // if (sleepTime > 0 && sleepTime < 5000) { ... }
+  }
+}
+
+from DataFlow::PathNode source, DataFlow::PathNode sink, ThreadResourceAbuse conf
+where conf.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "Possible uncontrolled resource consumption due to $@.",
+  source.getNode(), "local user-provided value"

java/ql/src/experimental/Security/CWE/CWE-400/ThreadResourceAbuse.java

@@ -0,0 +1,11 @@
+class SleepTest {
+	public void test(int userSuppliedWaitTime) throws Exception {
+		// BAD: no boundary check on wait time
+		Thread.sleep(userSuppliedWaitTime);
+
+		// GOOD: enforce an upper limit on wait time
+		if (userSuppliedWaitTime > 0 && userSuppliedWaitTime < 5000) {
+			Thread.sleep(userSuppliedWaitTime);
+		}
+	}
+}

java/ql/src/experimental/Security/CWE/CWE-400/ThreadResourceAbuse.qhelp

@@ -0,0 +1,48 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+
+<overview>
+<p>The <code>Thread.sleep</code> method is used to pause the execution of current thread for 
+specified time. When the sleep time is user-controlled, especially in the web application context, 
+it can be abused to cause all of a server's threads to sleep, leading to denial of service.</p>
+</overview>
+
+<recommendation>
+<p>To guard against this attack, consider specifying an upper range of allowed sleep time or adopting
+the producer/consumer design pattern with <code>Object.wait</code> method to avoid performance 
+problems or even resource exhaustion. For more information, refer to the concurrency tutorial of Oracle
+listed below or <code>java/ql/src/Likely Bugs/Concurrency</code> queries of CodeQL.</p>
+</recommendation>
+
+<example>
+<p>The following example shows a bad situation and a good situation respectively. In the bad situation,
+a thread sleep time comes directly from user input. In the good situation, an upper 
+range check on the maximum sleep time allowed is enforced.</p>
+<sample src="ThreadResourceAbuse.java" />
+</example>
+
+<references>
+<li>
+Snyk:
+<a href="https://snyk.io/vuln/SNYK-JAVA-COMGOOGLECODEGWTUPLOAD-569506">Denial of Service (DoS)
+in com.googlecode.gwtupload:gwtupload</a>.
+</li>
+<li>
+gwtupload:
+<a href="https://github.com/manolo/gwtupload/issues/33">[Fix DOS issue] Updating the 
+AbstractUploadListener.java file</a>.
+</li>
+<li>
+The blog of a gypsy engineer:
+<a href="https://blog.gypsyengineer.com/en/security/cve-2019-17555-dos-via-retry-after-header-in-apache-olingo.html">
+CVE-2019-17555: DoS via Retry-After header in Apache Olingo</a>.
+</li>
+<li>
+Oracle:
+<a href="https://docs.oracle.com/javase/tutorial/essential/concurrency/guardmeth.html">The Java Concurrency Tutorials</a>
+</li>
+</references>
+</qhelp>

java/ql/src/experimental/Security/CWE/CWE-400/ThreadResourceAbuse.ql

@@ -0,0 +1,47 @@
+/**
+ * @name Uncontrolled thread resource consumption
+ * @description Using user input directly to control a thread's sleep time could lead to
+ *              performance problems or even resource exhaustion.
+ * @kind path-problem
+ * @id java/thread-resource-abuse
+ * @problem.severity warning
+ * @tags security
+ *       external/cwe/cwe-400
+ */
+
+import java
+import ThreadResourceAbuse
+import semmle.code.java.dataflow.FlowSources
+import DataFlow::PathGraph
+
+/** Taint configuration of uncontrolled thread resource consumption. */
+class ThreadResourceAbuse extends TaintTracking::Configuration {
+  ThreadResourceAbuse() { this = "ThreadResourceAbuse" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof PauseThreadSink }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+    any(AdditionalValueStep r).step(pred, succ)
+  }
+
+  override predicate isSanitizer(DataFlow::Node node) {
+    exists(
+      MethodAccess ma // Math.min(sleepTime, MAX_INTERVAL)
+    |
+      ma.getMethod().hasQualifiedName("java.lang", "Math", "min") and
+      node.asExpr() = ma.getAnArgument()
+    )
+  }
+
+  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+    guard instanceof LessThanSanitizer // if (sleepTime > 0 && sleepTime < 5000) { ... }
+  }
+}
+
+from DataFlow::PathNode source, DataFlow::PathNode sink, ThreadResourceAbuse conf
+where conf.hasFlowPath(source, sink)
+select sink.getNode(), source, sink,
+  "Vulnerability of uncontrolled resource consumption due to $@.", source.getNode(),
+  "user-provided value"

java/ql/src/experimental/Security/CWE/CWE-400/ThreadResourceAbuse.qll

@@ -0,0 +1,78 @@
+/** Provides sink models and classes related to pausing thread operations. */
+
+import java
+import semmle.code.java.dataflow.DataFlow
+import semmle.code.java.dataflow.ExternalFlow
+import semmle.code.java.dataflow.FlowSteps
+
+/** `java.lang.Math` data model for value comparison in the new CSV format. */
+private class MathCompDataModel extends SummaryModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "java.lang;Math;false;min;;;Argument[0..1];ReturnValue;value",
+        "java.lang;Math;false;max;;;Argument[0..1];ReturnValue;value"
+      ]
+  }
+}
+
+/** Thread pause data model in the new CSV format. */
+private class PauseThreadDataModel extends SinkModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "java.lang;Thread;true;sleep;;;Argument[0];thread-pause",
+        "java.util.concurrent;TimeUnit;true;sleep;;;Argument[0];thread-pause"
+      ]
+  }
+}
+
+/** A sink representing methods pausing a thread. */
+class PauseThreadSink extends DataFlow::Node {
+  PauseThreadSink() { sinkNode(this, "thread-pause") }
+}
+
+/** A sanitizer for lessThan check. */
+class LessThanSanitizer extends DataFlow::BarrierGuard instanceof ComparisonExpr {
+  override predicate checks(Expr e, boolean branch) {
+    e = super.getLesserOperand() and
+    branch = true
+    or
+    e = super.getGreaterOperand() and
+    branch = false
+  }
+}
+
+/** Value step from the constructor call of a `Runnable` to the instance parameter (this) of `run`. */
+private class RunnableStartToRunStep extends AdditionalValueStep {
+  override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+    exists(ConstructorCall cc, Method m |
+      m.getDeclaringType() = cc.getConstructedType().getSourceDeclaration() and
+      cc.getConstructedType().getASupertype*().hasQualifiedName("java.lang", "Runnable") and
+      m.hasName("run")
+    |
+      pred.asExpr() = cc and
+      succ.(DataFlow::InstanceParameterNode).getEnclosingCallable() = m
+    )
+  }
+}
+
+/**
+ * Value step from the constructor call of a `ProgressListener` of Apache File Upload to the
+ * instance parameter (this) of `update`.
+ */
+private class ApacheFileUploadProgressUpdateStep extends AdditionalValueStep {
+  override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+    exists(ConstructorCall cc, Method m |
+      m.getDeclaringType() = cc.getConstructedType().getSourceDeclaration() and
+      cc.getConstructedType()
+          .getASupertype*()
+          .hasQualifiedName(["org.apache.commons.fileupload", "org.apache.commons.fileupload2"],
+            "ProgressListener") and
+      m.hasName("update")
+    |
+      pred.asExpr() = cc and
+      succ.(DataFlow::InstanceParameterNode).getEnclosingCallable() = m
+    )
+  }
+}

java/ql/test/experimental/query-tests/security/CWE-400/LocalThreadResourceAbuse.expected

@@ -0,0 +1,23 @@
+edges
+| ThreadResourceAbuse.java:37:25:37:73 | getInitParameter(...) : String | ThreadResourceAbuse.java:40:28:40:36 | delayTime : Number |
+| ThreadResourceAbuse.java:40:4:40:37 | new UncheckedSyncAction(...) [waitTime] : Number | ThreadResourceAbuse.java:71:15:71:17 | parameter this [waitTime] : Number |
+| ThreadResourceAbuse.java:40:28:40:36 | delayTime : Number | ThreadResourceAbuse.java:40:4:40:37 | new UncheckedSyncAction(...) [waitTime] : Number |
+| ThreadResourceAbuse.java:40:28:40:36 | delayTime : Number | ThreadResourceAbuse.java:66:30:66:41 | waitTime : Number |
+| ThreadResourceAbuse.java:66:30:66:41 | waitTime : Number | ThreadResourceAbuse.java:67:20:67:27 | waitTime : Number |
+| ThreadResourceAbuse.java:67:20:67:27 | waitTime : Number | ThreadResourceAbuse.java:67:4:67:7 | this [post update] [waitTime] : Number |
+| ThreadResourceAbuse.java:71:15:71:17 | parameter this [waitTime] : Number | ThreadResourceAbuse.java:74:18:74:25 | this <.field> [waitTime] : Number |
+| ThreadResourceAbuse.java:74:18:74:25 | this <.field> [waitTime] : Number | ThreadResourceAbuse.java:74:18:74:25 | waitTime |
+nodes
+| ThreadResourceAbuse.java:37:25:37:73 | getInitParameter(...) : String | semmle.label | getInitParameter(...) : String |
+| ThreadResourceAbuse.java:40:4:40:37 | new UncheckedSyncAction(...) [waitTime] : Number | semmle.label | new UncheckedSyncAction(...) [waitTime] : Number |
+| ThreadResourceAbuse.java:40:28:40:36 | delayTime : Number | semmle.label | delayTime : Number |
+| ThreadResourceAbuse.java:66:30:66:41 | waitTime : Number | semmle.label | waitTime : Number |
+| ThreadResourceAbuse.java:67:4:67:7 | this [post update] [waitTime] : Number | semmle.label | this [post update] [waitTime] : Number |
+| ThreadResourceAbuse.java:67:20:67:27 | waitTime : Number | semmle.label | waitTime : Number |
+| ThreadResourceAbuse.java:71:15:71:17 | parameter this [waitTime] : Number | semmle.label | parameter this [waitTime] : Number |
+| ThreadResourceAbuse.java:74:18:74:25 | this <.field> [waitTime] : Number | semmle.label | this <.field> [waitTime] : Number |
+| ThreadResourceAbuse.java:74:18:74:25 | waitTime | semmle.label | waitTime |
+subpaths
+| ThreadResourceAbuse.java:40:28:40:36 | delayTime : Number | ThreadResourceAbuse.java:66:30:66:41 | waitTime : Number | ThreadResourceAbuse.java:67:4:67:7 | this [post update] [waitTime] : Number | ThreadResourceAbuse.java:40:4:40:37 | new UncheckedSyncAction(...) [waitTime] : Number |
+#select
+| ThreadResourceAbuse.java:74:18:74:25 | waitTime | ThreadResourceAbuse.java:37:25:37:73 | getInitParameter(...) : String | ThreadResourceAbuse.java:74:18:74:25 | waitTime | Possible uncontrolled resource consumption due to $@. | ThreadResourceAbuse.java:37:25:37:73 | getInitParameter(...) | local user-provided value |

java/ql/test/experimental/query-tests/security/CWE-400/LocalThreadResourceAbuse.qlref

@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-400/LocalThreadResourceAbuse.ql