Remove local user input and use fluent model

Author: luchua-bc

java/ql/src/experimental/Security/CWE/CWE-400/ThreadPauseSink.qll

@@ -9,8 +9,8 @@ private class MathCompDataModel extends SummaryModelCsv {
   override predicate row(string row) {
     row =
       [
-        "java.lang;Math;false;min;;;Argument[0..1];ReturnValue;taint",
-        "java.lang;Math;false;max;;;Argument[0..1];ReturnValue;taint"
+        "java.lang;Math;false;min;;;Argument[0..1];ReturnValue;value",
+        "java.lang;Math;false;max;;;Argument[0..1];ReturnValue;value"
       ]
   }
 }

java/ql/src/experimental/Security/CWE/CWE-400/ThreadResourceAbuse.ql

@@ -4,6 +4,7 @@
  *              or even resource exhaustion.
  * @kind path-problem
  * @id java/thread-resource-abuse
+ * @problem.severity warning
  * @tags security
  *       external/cwe/cwe-400
  */
@@ -13,32 +14,6 @@ import ThreadPauseSink
 import semmle.code.java.dataflow.FlowSources
 import DataFlow::PathGraph
 
-/** The `getInitParameter` method of servlet or JSF. */
-class GetInitParameter extends Method {
-  GetInitParameter() {
-    (
-      this.getDeclaringType()
-          .getASupertype*()
-          .hasQualifiedName(["javax.servlet", "jakarta.servlet"],
-            ["FilterConfig", "Registration", "ServletConfig", "ServletContext"]) or
-      this.getDeclaringType()
-          .getASupertype*()
-          .hasQualifiedName(["javax.faces.context", "jakarta.faces.context"], "ExternalContext")
-    ) and
-    this.getName() = "getInitParameter"
-  }
-}
-
-/** An access to the `getInitParameter` method. */
-class GetInitParameterAccess extends MethodAccess {
-  GetInitParameterAccess() { this.getMethod() instanceof GetInitParameter }
-}
-
-/* Init parameter input of a Java EE web application. */
-class InitParameterInput extends LocalUserInput {
-  InitParameterInput() { this.asExpr() instanceof GetInitParameterAccess }
-}
-
 private class LessThanSanitizer extends DataFlow::BarrierGuard {
   LessThanSanitizer() { this instanceof ComparisonExpr }
 
@@ -55,9 +30,7 @@ private class LessThanSanitizer extends DataFlow::BarrierGuard {
 class ThreadResourceAbuse extends TaintTracking::Configuration {
   ThreadResourceAbuse() { this = "ThreadResourceAbuse" }
 
-  override predicate isSource(DataFlow::Node source) {
-    source instanceof RemoteFlowSource or source instanceof LocalUserInput
-  }
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
   override predicate isSink(DataFlow::Node sink) { sink instanceof PauseThreadSink }
 

java/ql/test/experimental/query-tests/security/CWE-400/ThreadResourceAbuse.expected

@@ -3,17 +3,13 @@ edges
 | ThreadResourceAbuse.java:21:28:21:36 | delayTime : Number | ThreadResourceAbuse.java:74:18:74:25 | waitTime |
 | ThreadResourceAbuse.java:29:82:29:114 | getParameter(...) : String | ThreadResourceAbuse.java:30:28:30:36 | delayTime : Number |
 | ThreadResourceAbuse.java:30:28:30:36 | delayTime : Number | ThreadResourceAbuse.java:74:18:74:25 | waitTime |
-| ThreadResourceAbuse.java:37:25:37:73 | getInitParameter(...) : String | ThreadResourceAbuse.java:40:28:40:36 | delayTime : Number |
-| ThreadResourceAbuse.java:40:28:40:36 | delayTime : Number | ThreadResourceAbuse.java:74:18:74:25 | waitTime |
 | ThreadResourceAbuse.java:141:27:141:43 | getValue(...) : String | ThreadResourceAbuse.java:144:34:144:42 | delayTime |
 | ThreadResourceAbuse.java:172:19:172:50 | getHeader(...) : String | ThreadResourceAbuse.java:177:17:177:26 | retryAfter |
 nodes
 | ThreadResourceAbuse.java:18:25:18:57 | getParameter(...) : String | semmle.label | getParameter(...) : String |
 | ThreadResourceAbuse.java:21:28:21:36 | delayTime : Number | semmle.label | delayTime : Number |
 | ThreadResourceAbuse.java:29:82:29:114 | getParameter(...) : String | semmle.label | getParameter(...) : String |
 | ThreadResourceAbuse.java:30:28:30:36 | delayTime : Number | semmle.label | delayTime : Number |
-| ThreadResourceAbuse.java:37:25:37:73 | getInitParameter(...) : String | semmle.label | getInitParameter(...) : String |
-| ThreadResourceAbuse.java:40:28:40:36 | delayTime : Number | semmle.label | delayTime : Number |
 | ThreadResourceAbuse.java:74:18:74:25 | waitTime | semmle.label | waitTime |
 | ThreadResourceAbuse.java:141:27:141:43 | getValue(...) : String | semmle.label | getValue(...) : String |
 | ThreadResourceAbuse.java:144:34:144:42 | delayTime | semmle.label | delayTime |
@@ -22,6 +18,5 @@ nodes
 #select
 | ThreadResourceAbuse.java:74:18:74:25 | waitTime | ThreadResourceAbuse.java:18:25:18:57 | getParameter(...) : String | ThreadResourceAbuse.java:74:18:74:25 | waitTime | Vulnerability of uncontrolled resource consumption due to $@. | ThreadResourceAbuse.java:18:25:18:57 | getParameter(...) | user-provided value |
 | ThreadResourceAbuse.java:74:18:74:25 | waitTime | ThreadResourceAbuse.java:29:82:29:114 | getParameter(...) : String | ThreadResourceAbuse.java:74:18:74:25 | waitTime | Vulnerability of uncontrolled resource consumption due to $@. | ThreadResourceAbuse.java:29:82:29:114 | getParameter(...) | user-provided value |
-| ThreadResourceAbuse.java:74:18:74:25 | waitTime | ThreadResourceAbuse.java:37:25:37:73 | getInitParameter(...) : String | ThreadResourceAbuse.java:74:18:74:25 | waitTime | Vulnerability of uncontrolled resource consumption due to $@. | ThreadResourceAbuse.java:37:25:37:73 | getInitParameter(...) | user-provided value |
 | ThreadResourceAbuse.java:144:34:144:42 | delayTime | ThreadResourceAbuse.java:141:27:141:43 | getValue(...) : String | ThreadResourceAbuse.java:144:34:144:42 | delayTime | Vulnerability of uncontrolled resource consumption due to $@. | ThreadResourceAbuse.java:141:27:141:43 | getValue(...) | user-provided value |
 | ThreadResourceAbuse.java:177:17:177:26 | retryAfter | ThreadResourceAbuse.java:172:19:172:50 | getHeader(...) : String | ThreadResourceAbuse.java:177:17:177:26 | retryAfter | Vulnerability of uncontrolled resource consumption due to $@. | ThreadResourceAbuse.java:172:19:172:50 | getHeader(...) | user-provided value |

java/ql/test/experimental/query-tests/security/CWE-400/ThreadResourceAbuse.java

@@ -33,7 +33,7 @@ protected void doGet2(HttpServletRequest request, HttpServletResponse response)
 	}
 
 	protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
-		// Get thread pause time from init container parameter
+		// Get thread pause time from init container parameter (not detected because LocalUserInput tends to add a lot of FP)
 		String delayTimeStr = getServletContext().getInitParameter("DelayTime");
 		try {
 			int delayTime = Integer.valueOf(delayTimeStr);