Java: CWE-400 - Query to detect uncontrolled thread resource consumption #6717
Conversation
Open
1 task
Marcono1234
reviewed
Sep 23, 2021
java/ql/src/experimental/Security/CWE/CWE-400/ThreadResourceAbuse.qhelp
Outdated
Show resolved
Hide resolved
java/ql/src/experimental/Security/CWE/CWE-400/ThreadResourceAbuse.qhelp
Outdated
Show resolved
Hide resolved
java/ql/src/experimental/Security/CWE/CWE-400/ThreadResourceAbuse.qhelp
Outdated
Show resolved
Hide resolved
|
Thanks @Marcono1234 and @intrigus-lgtm for reviewing this PR. I've made requested changes. |
Marcono1234
reviewed
Sep 23, 2021
Thanks for considering the review comments!
I have had a closer look at the implementation of this query now; hopefully these comments are useful as well.
Though as usual, feel free to consider them only as suggestions because I am not a member of this project.
java/ql/test/experimental/query-tests/security/CWE-400/ThreadResourceAbuse.java
Outdated
Show resolved
Hide resolved
java/ql/src/experimental/Security/CWE/CWE-400/ThreadResourceAbuse.ql
Outdated
Show resolved
Hide resolved
java/ql/src/experimental/Security/CWE/CWE-400/ThreadResourceAbuse.qhelp
Outdated
Show resolved
Hide resolved
java/ql/src/experimental/Security/CWE/CWE-400/ThreadResourceAbuse.ql
Outdated
Show resolved
Hide resolved
java/ql/src/experimental/Security/CWE/CWE-400/ThreadResourceAbuse.ql
Outdated
Show resolved
Hide resolved
java/ql/src/experimental/Security/CWE/CWE-400/ThreadResourceAbuse.ql
Outdated
Show resolved
Hide resolved
|
I've also added a new test case to detect remote source from an HTTP request header such as |
Marcono1234
reviewed
Sep 24, 2021
java/ql/src/experimental/Security/CWE/CWE-400/ThreadResourceAbuse.ql
Outdated
Show resolved
Hide resolved
Marcono1234
reviewed
Sep 24, 2021
java/ql/test/experimental/query-tests/security/CWE-400/ThreadResourceAbuse.java
Outdated
Show resolved
Hide resolved
java/ql/test/experimental/query-tests/security/CWE-400/ThreadResourceAbuse.java
Show resolved
Hide resolved
atorralba
reviewed
Sep 27, 2021
java/ql/src/experimental/Security/CWE/CWE-400/ThreadPauseSink.qll
Outdated
Show resolved
Hide resolved
java/ql/src/experimental/Security/CWE/CWE-400/ThreadResourceAbuse.ql
Outdated
Show resolved
Hide resolved
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Thread.sleepmethod is used to pause the execution of current thread for specified time. When it is used to keep several relevant tasks in synchronization and the sleep time is user-controlled data, especially in the web application context, it can be abused to cause all of a server's threads to sleep, leading to denial of service.The query detects uncontrolled thread resource consumption in Java EE web applications, which checks:
javaxandjakartapackagesPlease consider to merge the PR. Thanks.
The text was updated successfully, but these errors were encountered: