Use value step to optimize the taint step and add a test case for Apache file upload listener

Author: luchua-bc

java/ql/src/experimental/Security/CWE/CWE-400/LocalThreadResourceAbuse.ql

@@ -49,7 +49,7 @@ class ThreadResourceAbuse extends TaintTracking::Configuration {
   override predicate isSink(DataFlow::Node sink) { sink instanceof PauseThreadSink }
 
   override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
-    any(ThreadResourceAbuseAdditionalTaintStep r).propagatesTaint(pred, succ)
+    any(AdditionalValueStep r).step(pred, succ)
   }
 
   override predicate isSanitizer(DataFlow::Node node) {

java/ql/src/experimental/Security/CWE/CWE-400/ThreadResourceAbuse.ql

@@ -23,7 +23,7 @@ class ThreadResourceAbuse extends TaintTracking::Configuration {
   override predicate isSink(DataFlow::Node sink) { sink instanceof PauseThreadSink }
 
   override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
-    any(ThreadResourceAbuseAdditionalTaintStep r).propagatesTaint(pred, succ)
+    any(AdditionalValueStep r).step(pred, succ)
   }
 
   override predicate isSanitizer(DataFlow::Node node) {

java/ql/src/experimental/Security/CWE/CWE-400/ThreadResourceAbuse.qll

@@ -3,6 +3,7 @@
 import java
 import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.dataflow.ExternalFlow
+import semmle.code.java.dataflow.FlowSteps
 
 /** `java.lang.Math` data model for value comparison in the new CSV format. */
 private class MathCompDataModel extends SummaryModelCsv {
@@ -42,49 +43,36 @@ class LessThanSanitizer extends DataFlow::BarrierGuard instanceof ComparisonExpr
   }
 }
 
-/**
- * A unit class for adding additional taint steps that are specific to thread resource abuse.
- */
-class ThreadResourceAbuseAdditionalTaintStep extends Unit {
-  /**
-   * Holds if the step from `pred` to `succ` should be considered a taint
-   * step for thread resource abuse.
-   */
-  abstract predicate propagatesTaint(DataFlow::Node pred, DataFlow::Node succ);
-}
-
-private class RunnableAdditionalTaintStep extends ThreadResourceAbuseAdditionalTaintStep {
-  override predicate propagatesTaint(DataFlow::Node pred, DataFlow::Node succ) {
-    exists(
-      Method rm, ClassInstanceExpr ce, Argument arg, Parameter p, FieldAccess fa, int i // thread.start() invokes the run() method of thread implementation
+/** Value step from the constructor call of a `Runnable` to the instance parameter (this) of `run`. */
+private class RunnableStartToRunStep extends AdditionalValueStep {
+  override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+    exists(ConstructorCall cc, Method m |
+      m.getDeclaringType() = cc.getConstructedType().getSourceDeclaration() and
+      cc.getConstructedType().getASupertype*().hasQualifiedName("java.lang", "Runnable") and
+      m.hasName("run")
     |
-      rm.hasName("run") and
-      ce.getConstructedType().getSourceDeclaration() = rm.getSourceDeclaration().getDeclaringType() and
-      ce.getConstructedType().getASupertype*().hasQualifiedName("java.lang", "Runnable") and
-      ce.getArgument(i) = arg and
-      ce.getConstructor().getParameter(i) = p and
-      fa.getEnclosingCallable() = rm and
-      DataFlow::localExprFlow(p.getAnAccess(), fa.getField().getAnAssignedValue()) and
-      pred.asExpr() = arg and
-      succ.asExpr() = fa
+      pred.asExpr() = cc and
+      succ.(DataFlow::InstanceParameterNode).getEnclosingCallable() = m
     )
   }
 }
 
-private class ApacheFileUploadAdditionalTaintStep extends ThreadResourceAbuseAdditionalTaintStep {
-  override predicate propagatesTaint(DataFlow::Node pred, DataFlow::Node succ) {
-    exists(Method um, VarAccess va, FieldAccess fa, Constructor ce, AssignExpr ar |
-      um.getDeclaringType()
+/**
+ * Value step from the constructor call of a `ProgressListener` of Apache File Upload to the
+ * instance parameter (this) of `update`.
+ */
+private class ApacheFileUploadProgressUpdateStep extends AdditionalValueStep {
+  override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+    exists(ConstructorCall cc, Method m |
+      m.getDeclaringType() = cc.getConstructedType().getSourceDeclaration() and
+      cc.getConstructedType()
           .getASupertype*()
-          .hasQualifiedName("org.apache.commons.fileupload", "ProgressListener") and
-      um.hasName("update") and
-      fa.getEnclosingCallable() = um and
-      ce.getDeclaringType() = um.getDeclaringType() and
-      va = ce.getAParameter().getAnAccess() and
-      pred.asExpr() = va and
-      succ.asExpr() = fa and
-      ar.getSource() = va and
-      ar.getDest() = fa.getField().getAnAccess()
+          .hasQualifiedName(["org.apache.commons.fileupload", "org.apache.commons.fileupload2"],
+            "ProgressListener") and
+      m.hasName("update")
+    |
+      pred.asExpr() = cc and
+      succ.(DataFlow::InstanceParameterNode).getEnclosingCallable() = m
     )
   }
 }

java/ql/test/experimental/query-tests/security/CWE-400/ThreadResourceAbuse.expected

@@ -1,22 +1,68 @@
 edges
 | ThreadResourceAbuse.java:18:25:18:57 | getParameter(...) : String | ThreadResourceAbuse.java:21:28:21:36 | delayTime : Number |
-| ThreadResourceAbuse.java:21:28:21:36 | delayTime : Number | ThreadResourceAbuse.java:74:18:74:25 | waitTime |
+| ThreadResourceAbuse.java:21:4:21:37 | new UncheckedSyncAction(...) [waitTime] : Number | ThreadResourceAbuse.java:72:15:72:17 | parameter this [waitTime] : Number |
+| ThreadResourceAbuse.java:21:28:21:36 | delayTime : Number | ThreadResourceAbuse.java:21:4:21:37 | new UncheckedSyncAction(...) [waitTime] : Number |
+| ThreadResourceAbuse.java:21:28:21:36 | delayTime : Number | ThreadResourceAbuse.java:66:30:66:41 | waitTime : Number |
 | ThreadResourceAbuse.java:29:82:29:114 | getParameter(...) : String | ThreadResourceAbuse.java:30:28:30:36 | delayTime : Number |
-| ThreadResourceAbuse.java:30:28:30:36 | delayTime : Number | ThreadResourceAbuse.java:74:18:74:25 | waitTime |
+| ThreadResourceAbuse.java:30:4:30:37 | new UncheckedSyncAction(...) [waitTime] : Number | ThreadResourceAbuse.java:72:15:72:17 | parameter this [waitTime] : Number |
+| ThreadResourceAbuse.java:30:28:30:36 | delayTime : Number | ThreadResourceAbuse.java:30:4:30:37 | new UncheckedSyncAction(...) [waitTime] : Number |
+| ThreadResourceAbuse.java:30:28:30:36 | delayTime : Number | ThreadResourceAbuse.java:66:30:66:41 | waitTime : Number |
+| ThreadResourceAbuse.java:66:30:66:41 | waitTime : Number | ThreadResourceAbuse.java:67:20:67:27 | waitTime : Number |
+| ThreadResourceAbuse.java:67:20:67:27 | waitTime : Number | ThreadResourceAbuse.java:67:4:67:7 | this [post update] [waitTime] : Number |
+| ThreadResourceAbuse.java:72:15:72:17 | parameter this [waitTime] : Number | ThreadResourceAbuse.java:74:18:74:25 | this <.field> [waitTime] : Number |
+| ThreadResourceAbuse.java:74:18:74:25 | this <.field> [waitTime] : Number | ThreadResourceAbuse.java:74:18:74:25 | waitTime |
 | ThreadResourceAbuse.java:141:27:141:43 | getValue(...) : String | ThreadResourceAbuse.java:144:34:144:42 | delayTime |
 | ThreadResourceAbuse.java:172:19:172:50 | getHeader(...) : String | ThreadResourceAbuse.java:177:17:177:26 | retryAfter |
+| ThreadResourceAbuse.java:208:28:208:56 | getParameter(...) : String | ThreadResourceAbuse.java:211:49:211:59 | uploadDelay : Number |
+| ThreadResourceAbuse.java:211:30:211:87 | new UploadListener(...) [slowUploads] : Number | UploadListener.java:28:14:28:19 | parameter this [slowUploads] : Number |
+| ThreadResourceAbuse.java:211:49:211:59 | uploadDelay : Number | ThreadResourceAbuse.java:211:30:211:87 | new UploadListener(...) [slowUploads] : Number |
+| ThreadResourceAbuse.java:211:49:211:59 | uploadDelay : Number | UploadListener.java:15:24:15:44 | sleepMilliseconds : Number |
+| UploadListener.java:15:24:15:44 | sleepMilliseconds : Number | UploadListener.java:16:17:16:33 | sleepMilliseconds : Number |
+| UploadListener.java:16:17:16:33 | sleepMilliseconds : Number | UploadListener.java:16:3:16:13 | this <.field> [post update] [slowUploads] : Number |
+| UploadListener.java:28:14:28:19 | parameter this [slowUploads] : Number | UploadListener.java:29:3:29:11 | this <.field> [slowUploads] : Number |
+| UploadListener.java:29:3:29:11 | this <.field> [slowUploads] : Number | UploadListener.java:30:3:30:15 | this <.field> [slowUploads] : Number |
+| UploadListener.java:30:3:30:15 | this <.field> [slowUploads] : Number | UploadListener.java:33:7:33:17 | this <.field> [slowUploads] : Number |
+| UploadListener.java:30:3:30:15 | this <.field> [slowUploads] : Number | UploadListener.java:35:18:35:28 | this <.field> [slowUploads] : Number |
+| UploadListener.java:33:7:33:17 | slowUploads : Number | UploadListener.java:35:18:35:28 | slowUploads |
+| UploadListener.java:33:7:33:17 | this <.field> [slowUploads] : Number | UploadListener.java:33:7:33:17 | slowUploads : Number |
+| UploadListener.java:35:18:35:28 | this <.field> [slowUploads] : Number | UploadListener.java:35:18:35:28 | slowUploads |
 nodes
 | ThreadResourceAbuse.java:18:25:18:57 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| ThreadResourceAbuse.java:21:4:21:37 | new UncheckedSyncAction(...) [waitTime] : Number | semmle.label | new UncheckedSyncAction(...) [waitTime] : Number |
 | ThreadResourceAbuse.java:21:28:21:36 | delayTime : Number | semmle.label | delayTime : Number |
 | ThreadResourceAbuse.java:29:82:29:114 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| ThreadResourceAbuse.java:30:4:30:37 | new UncheckedSyncAction(...) [waitTime] : Number | semmle.label | new UncheckedSyncAction(...) [waitTime] : Number |
 | ThreadResourceAbuse.java:30:28:30:36 | delayTime : Number | semmle.label | delayTime : Number |
+| ThreadResourceAbuse.java:66:30:66:41 | waitTime : Number | semmle.label | waitTime : Number |
+| ThreadResourceAbuse.java:67:4:67:7 | this [post update] [waitTime] : Number | semmle.label | this [post update] [waitTime] : Number |
+| ThreadResourceAbuse.java:67:20:67:27 | waitTime : Number | semmle.label | waitTime : Number |
+| ThreadResourceAbuse.java:72:15:72:17 | parameter this [waitTime] : Number | semmle.label | parameter this [waitTime] : Number |
+| ThreadResourceAbuse.java:74:18:74:25 | this <.field> [waitTime] : Number | semmle.label | this <.field> [waitTime] : Number |
 | ThreadResourceAbuse.java:74:18:74:25 | waitTime | semmle.label | waitTime |
 | ThreadResourceAbuse.java:141:27:141:43 | getValue(...) : String | semmle.label | getValue(...) : String |
 | ThreadResourceAbuse.java:144:34:144:42 | delayTime | semmle.label | delayTime |
 | ThreadResourceAbuse.java:172:19:172:50 | getHeader(...) : String | semmle.label | getHeader(...) : String |
 | ThreadResourceAbuse.java:177:17:177:26 | retryAfter | semmle.label | retryAfter |
+| ThreadResourceAbuse.java:208:28:208:56 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| ThreadResourceAbuse.java:211:30:211:87 | new UploadListener(...) [slowUploads] : Number | semmle.label | new UploadListener(...) [slowUploads] : Number |
+| ThreadResourceAbuse.java:211:49:211:59 | uploadDelay : Number | semmle.label | uploadDelay : Number |
+| UploadListener.java:15:24:15:44 | sleepMilliseconds : Number | semmle.label | sleepMilliseconds : Number |
+| UploadListener.java:16:3:16:13 | this <.field> [post update] [slowUploads] : Number | semmle.label | this <.field> [post update] [slowUploads] : Number |
+| UploadListener.java:16:17:16:33 | sleepMilliseconds : Number | semmle.label | sleepMilliseconds : Number |
+| UploadListener.java:28:14:28:19 | parameter this [slowUploads] : Number | semmle.label | parameter this [slowUploads] : Number |
+| UploadListener.java:29:3:29:11 | this <.field> [slowUploads] : Number | semmle.label | this <.field> [slowUploads] : Number |
+| UploadListener.java:30:3:30:15 | this <.field> [slowUploads] : Number | semmle.label | this <.field> [slowUploads] : Number |
+| UploadListener.java:33:7:33:17 | slowUploads : Number | semmle.label | slowUploads : Number |
+| UploadListener.java:33:7:33:17 | this <.field> [slowUploads] : Number | semmle.label | this <.field> [slowUploads] : Number |
+| UploadListener.java:35:18:35:28 | slowUploads | semmle.label | slowUploads |
+| UploadListener.java:35:18:35:28 | this <.field> [slowUploads] : Number | semmle.label | this <.field> [slowUploads] : Number |
+subpaths
+| ThreadResourceAbuse.java:21:28:21:36 | delayTime : Number | ThreadResourceAbuse.java:66:30:66:41 | waitTime : Number | ThreadResourceAbuse.java:67:4:67:7 | this [post update] [waitTime] : Number | ThreadResourceAbuse.java:21:4:21:37 | new UncheckedSyncAction(...) [waitTime] : Number |
+| ThreadResourceAbuse.java:30:28:30:36 | delayTime : Number | ThreadResourceAbuse.java:66:30:66:41 | waitTime : Number | ThreadResourceAbuse.java:67:4:67:7 | this [post update] [waitTime] : Number | ThreadResourceAbuse.java:30:4:30:37 | new UncheckedSyncAction(...) [waitTime] : Number |
+| ThreadResourceAbuse.java:211:49:211:59 | uploadDelay : Number | UploadListener.java:15:24:15:44 | sleepMilliseconds : Number | UploadListener.java:16:3:16:13 | this <.field> [post update] [slowUploads] : Number | ThreadResourceAbuse.java:211:30:211:87 | new UploadListener(...) [slowUploads] : Number |
 #select
 | ThreadResourceAbuse.java:74:18:74:25 | waitTime | ThreadResourceAbuse.java:18:25:18:57 | getParameter(...) : String | ThreadResourceAbuse.java:74:18:74:25 | waitTime | Vulnerability of uncontrolled resource consumption due to $@. | ThreadResourceAbuse.java:18:25:18:57 | getParameter(...) | user-provided value |
 | ThreadResourceAbuse.java:74:18:74:25 | waitTime | ThreadResourceAbuse.java:29:82:29:114 | getParameter(...) : String | ThreadResourceAbuse.java:74:18:74:25 | waitTime | Vulnerability of uncontrolled resource consumption due to $@. | ThreadResourceAbuse.java:29:82:29:114 | getParameter(...) | user-provided value |
 | ThreadResourceAbuse.java:144:34:144:42 | delayTime | ThreadResourceAbuse.java:141:27:141:43 | getValue(...) : String | ThreadResourceAbuse.java:144:34:144:42 | delayTime | Vulnerability of uncontrolled resource consumption due to $@. | ThreadResourceAbuse.java:141:27:141:43 | getValue(...) | user-provided value |
 | ThreadResourceAbuse.java:177:17:177:26 | retryAfter | ThreadResourceAbuse.java:172:19:172:50 | getHeader(...) : String | ThreadResourceAbuse.java:177:17:177:26 | retryAfter | Vulnerability of uncontrolled resource consumption due to $@. | ThreadResourceAbuse.java:172:19:172:50 | getHeader(...) | user-provided value |
+| UploadListener.java:35:18:35:28 | slowUploads | ThreadResourceAbuse.java:208:28:208:56 | getParameter(...) : String | UploadListener.java:35:18:35:28 | slowUploads | Vulnerability of uncontrolled resource consumption due to $@. | ThreadResourceAbuse.java:208:28:208:56 | getParameter(...) | user-provided value |

java/ql/test/experimental/query-tests/security/CWE-400/ThreadResourceAbuse.java

@@ -192,4 +192,23 @@ protected void doHead3(HttpServletRequest request, HttpServletResponse response)
 			// ignore
 		}
 	}
+
+	private long getContentLength(HttpServletRequest request) {
+		long size = -1;
+		try {
+		  size = Long.parseLong(request.getHeader("Content-length"));
+		} catch (NumberFormatException e) {
+		}
+		return size;
+	}
+
+	protected void doHead4(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+		// Get thread pause time from request header
+		try {
+			String uploadDelayStr = request.getParameter("delay");
+			int uploadDelay = Integer.parseInt(uploadDelayStr);
+
+			UploadListener listener = new UploadListener(uploadDelay, getContentLength(request));
+		} catch (Exception e) { }
+	}
 }

java/ql/test/experimental/query-tests/security/CWE-400/UploadListener.java

@@ -0,0 +1,40 @@
+package test.cwe400.cwe.examples;
+
+import java.io.Serializable;
+import java.util.Date;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.apache.commons.fileupload2.ProgressListener;
+
+public class UploadListener implements ProgressListener, Serializable {
+	protected int slowUploads = 0;
+	private Long bytesRead = 0L;
+	private long contentLength = 0L;
+
+	public UploadListener(int sleepMilliseconds, long requestSize) {
+		slowUploads = sleepMilliseconds;
+		contentLength = requestSize;
+	}
+
+	public long getPercent() {
+		return contentLength != 0 ? bytesRead * 100 / contentLength : 0;
+	}
+
+	public long getBytesRead() {
+		return bytesRead;
+	}
+
+	public void update(long done, long total, int item) {
+		bytesRead = done;
+		contentLength = total;
+
+		// Just a way to slow down the upload process and see the progress bar in fast networks.
+		if (slowUploads > 0 && done < total) {
+			try {
+				Thread.sleep(slowUploads);
+			} catch (Exception e) {
+			}
+		}
+	}
+}

java/ql/test/experimental/query-tests/security/CWE-400/options

@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/apache-commons-fileupload-1.4