Remove local user input and use fluent model

2026-04-28 18:25:24 +02:00 · 2021-09-27 17:33:04 +00:00
parent 5264936fc3
commit 378db7de87
4 changed files with 5 additions and 37 deletions
--- a/java/ql/src/experimental/Security/CWE/CWE-400/ThreadPauseSink.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-400/ThreadPauseSink.qll
@@ -9,8 +9,8 @@ private class MathCompDataModel extends SummaryModelCsv {
  override predicate row(string row) {
    row =
      [
-        "java.lang;Math;false;min;;;Argument[0..1];ReturnValue;taint",
-        "java.lang;Math;false;max;;;Argument[0..1];ReturnValue;taint"
+        "java.lang;Math;false;min;;;Argument[0..1];ReturnValue;value",
+        "java.lang;Math;false;max;;;Argument[0..1];ReturnValue;value"
      ]
  }
 }
--- a/java/ql/src/experimental/Security/CWE/CWE-400/ThreadResourceAbuse.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-400/ThreadResourceAbuse.ql
@@ -4,6 +4,7 @@
 *              or even resource exhaustion.
 * @kind path-problem
 * @id java/thread-resource-abuse
+ * @problem.severity warning
 * @tags security
 *       external/cwe/cwe-400
 */
@@ -13,32 +14,6 @@ import ThreadPauseSink
 import semmle.code.java.dataflow.FlowSources
 import DataFlow::PathGraph

-/** The `getInitParameter` method of servlet or JSF. */
-class GetInitParameter extends Method {
-  GetInitParameter() {
-    (
-      this.getDeclaringType()
-          .getASupertype*()
-          .hasQualifiedName(["javax.servlet", "jakarta.servlet"],
-            ["FilterConfig", "Registration", "ServletConfig", "ServletContext"]) or
-      this.getDeclaringType()
-          .getASupertype*()
-          .hasQualifiedName(["javax.faces.context", "jakarta.faces.context"], "ExternalContext")
-    ) and
-    this.getName() = "getInitParameter"
-  }
-}
-
-/** An access to the `getInitParameter` method. */
-class GetInitParameterAccess extends MethodAccess {
-  GetInitParameterAccess() { this.getMethod() instanceof GetInitParameter }
-}
-
-/* Init parameter input of a Java EE web application. */
-class InitParameterInput extends LocalUserInput {
-  InitParameterInput() { this.asExpr() instanceof GetInitParameterAccess }
-}
-
 private class LessThanSanitizer extends DataFlow::BarrierGuard {
  LessThanSanitizer() { this instanceof ComparisonExpr }

@@ -55,9 +30,7 @@ private class LessThanSanitizer extends DataFlow::BarrierGuard {
 class ThreadResourceAbuse extends TaintTracking::Configuration {
  ThreadResourceAbuse() { this = "ThreadResourceAbuse" }

-  override predicate isSource(DataFlow::Node source) {
-    source instanceof RemoteFlowSource or source instanceof LocalUserInput
-  }
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

  override predicate isSink(DataFlow::Node sink) { sink instanceof PauseThreadSink }

--- a/java/ql/test/experimental/query-tests/security/CWE-400/ThreadResourceAbuse.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-400/ThreadResourceAbuse.expected
@@ -3,8 +3,6 @@ edges
 | ThreadResourceAbuse.java:21:28:21:36 | delayTime : Number | ThreadResourceAbuse.java:74:18:74:25 | waitTime |
 | ThreadResourceAbuse.java:29:82:29:114 | getParameter(...) : String | ThreadResourceAbuse.java:30:28:30:36 | delayTime : Number |
 | ThreadResourceAbuse.java:30:28:30:36 | delayTime : Number | ThreadResourceAbuse.java:74:18:74:25 | waitTime |
-| ThreadResourceAbuse.java:37:25:37:73 | getInitParameter(...) : String | ThreadResourceAbuse.java:40:28:40:36 | delayTime : Number |
-| ThreadResourceAbuse.java:40:28:40:36 | delayTime : Number | ThreadResourceAbuse.java:74:18:74:25 | waitTime |
 | ThreadResourceAbuse.java:141:27:141:43 | getValue(...) : String | ThreadResourceAbuse.java:144:34:144:42 | delayTime |
 | ThreadResourceAbuse.java:172:19:172:50 | getHeader(...) : String | ThreadResourceAbuse.java:177:17:177:26 | retryAfter |
 nodes
@@ -12,8 +10,6 @@ nodes
 | ThreadResourceAbuse.java:21:28:21:36 | delayTime : Number | semmle.label | delayTime : Number |
 | ThreadResourceAbuse.java:29:82:29:114 | getParameter(...) : String | semmle.label | getParameter(...) : String |
 | ThreadResourceAbuse.java:30:28:30:36 | delayTime : Number | semmle.label | delayTime : Number |
-| ThreadResourceAbuse.java:37:25:37:73 | getInitParameter(...) : String | semmle.label | getInitParameter(...) : String |
-| ThreadResourceAbuse.java:40:28:40:36 | delayTime : Number | semmle.label | delayTime : Number |
 | ThreadResourceAbuse.java:74:18:74:25 | waitTime | semmle.label | waitTime |
 | ThreadResourceAbuse.java:141:27:141:43 | getValue(...) : String | semmle.label | getValue(...) : String |
 | ThreadResourceAbuse.java:144:34:144:42 | delayTime | semmle.label | delayTime |
@@ -22,6 +18,5 @@ nodes
 #select
 | ThreadResourceAbuse.java:74:18:74:25 | waitTime | ThreadResourceAbuse.java:18:25:18:57 | getParameter(...) : String | ThreadResourceAbuse.java:74:18:74:25 | waitTime | Vulnerability of uncontrolled resource consumption due to $@. | ThreadResourceAbuse.java:18:25:18:57 | getParameter(...) | user-provided value |
 | ThreadResourceAbuse.java:74:18:74:25 | waitTime | ThreadResourceAbuse.java:29:82:29:114 | getParameter(...) : String | ThreadResourceAbuse.java:74:18:74:25 | waitTime | Vulnerability of uncontrolled resource consumption due to $@. | ThreadResourceAbuse.java:29:82:29:114 | getParameter(...) | user-provided value |
-| ThreadResourceAbuse.java:74:18:74:25 | waitTime | ThreadResourceAbuse.java:37:25:37:73 | getInitParameter(...) : String | ThreadResourceAbuse.java:74:18:74:25 | waitTime | Vulnerability of uncontrolled resource consumption due to $@. | ThreadResourceAbuse.java:37:25:37:73 | getInitParameter(...) | user-provided value |
 | ThreadResourceAbuse.java:144:34:144:42 | delayTime | ThreadResourceAbuse.java:141:27:141:43 | getValue(...) : String | ThreadResourceAbuse.java:144:34:144:42 | delayTime | Vulnerability of uncontrolled resource consumption due to $@. | ThreadResourceAbuse.java:141:27:141:43 | getValue(...) | user-provided value |
 | ThreadResourceAbuse.java:177:17:177:26 | retryAfter | ThreadResourceAbuse.java:172:19:172:50 | getHeader(...) : String | ThreadResourceAbuse.java:177:17:177:26 | retryAfter | Vulnerability of uncontrolled resource consumption due to $@. | ThreadResourceAbuse.java:172:19:172:50 | getHeader(...) | user-provided value |
--- a/java/ql/test/experimental/query-tests/security/CWE-400/ThreadResourceAbuse.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-400/ThreadResourceAbuse.java
@@ -33,7 +33,7 @@ public class ThreadResourceAbuse extends HttpServlet {
 	}

 	protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
-		// Get thread pause time from init container parameter
+		// Get thread pause time from init container parameter (not detected because LocalUserInput tends to add a lot of FP)
 		String delayTimeStr = getServletContext().getInitParameter("DelayTime");
 		try {
 			int delayTime = Integer.valueOf(delayTimeStr);