Add local input test case and update qldoc

Author: luchua-bc

java/ql/test/experimental/query-tests/security/CWE-400/LocalThreadResourceAbuse.expected

@@ -0,0 +1,23 @@
+edges
+| ThreadResourceAbuse.java:37:25:37:73 | getInitParameter(...) : String | ThreadResourceAbuse.java:40:28:40:36 | delayTime : Number |
+| ThreadResourceAbuse.java:40:4:40:37 | new UncheckedSyncAction(...) [waitTime] : Number | ThreadResourceAbuse.java:71:15:71:17 | parameter this [waitTime] : Number |
+| ThreadResourceAbuse.java:40:28:40:36 | delayTime : Number | ThreadResourceAbuse.java:40:4:40:37 | new UncheckedSyncAction(...) [waitTime] : Number |
+| ThreadResourceAbuse.java:40:28:40:36 | delayTime : Number | ThreadResourceAbuse.java:66:30:66:41 | waitTime : Number |
+| ThreadResourceAbuse.java:66:30:66:41 | waitTime : Number | ThreadResourceAbuse.java:67:20:67:27 | waitTime : Number |
+| ThreadResourceAbuse.java:67:20:67:27 | waitTime : Number | ThreadResourceAbuse.java:67:4:67:7 | this [post update] [waitTime] : Number |
+| ThreadResourceAbuse.java:71:15:71:17 | parameter this [waitTime] : Number | ThreadResourceAbuse.java:74:18:74:25 | this <.field> [waitTime] : Number |
+| ThreadResourceAbuse.java:74:18:74:25 | this <.field> [waitTime] : Number | ThreadResourceAbuse.java:74:18:74:25 | waitTime |
+nodes
+| ThreadResourceAbuse.java:37:25:37:73 | getInitParameter(...) : String | semmle.label | getInitParameter(...) : String |
+| ThreadResourceAbuse.java:40:4:40:37 | new UncheckedSyncAction(...) [waitTime] : Number | semmle.label | new UncheckedSyncAction(...) [waitTime] : Number |
+| ThreadResourceAbuse.java:40:28:40:36 | delayTime : Number | semmle.label | delayTime : Number |
+| ThreadResourceAbuse.java:66:30:66:41 | waitTime : Number | semmle.label | waitTime : Number |
+| ThreadResourceAbuse.java:67:4:67:7 | this [post update] [waitTime] : Number | semmle.label | this [post update] [waitTime] : Number |
+| ThreadResourceAbuse.java:67:20:67:27 | waitTime : Number | semmle.label | waitTime : Number |
+| ThreadResourceAbuse.java:71:15:71:17 | parameter this [waitTime] : Number | semmle.label | parameter this [waitTime] : Number |
+| ThreadResourceAbuse.java:74:18:74:25 | this <.field> [waitTime] : Number | semmle.label | this <.field> [waitTime] : Number |
+| ThreadResourceAbuse.java:74:18:74:25 | waitTime | semmle.label | waitTime |
+subpaths
+| ThreadResourceAbuse.java:40:28:40:36 | delayTime : Number | ThreadResourceAbuse.java:66:30:66:41 | waitTime : Number | ThreadResourceAbuse.java:67:4:67:7 | this [post update] [waitTime] : Number | ThreadResourceAbuse.java:40:4:40:37 | new UncheckedSyncAction(...) [waitTime] : Number |
+#select
+| ThreadResourceAbuse.java:74:18:74:25 | waitTime | ThreadResourceAbuse.java:37:25:37:73 | getInitParameter(...) : String | ThreadResourceAbuse.java:74:18:74:25 | waitTime | Possible uncontrolled resource consumption due to $@. | ThreadResourceAbuse.java:37:25:37:73 | getInitParameter(...) | local user-provided value |

java/ql/test/experimental/query-tests/security/CWE-400/LocalThreadResourceAbuse.qlref

@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-400/LocalThreadResourceAbuse.ql

java/ql/test/experimental/query-tests/security/CWE-400/ThreadResourceAbuse.expected

@@ -1,22 +1,22 @@
 edges
 | ThreadResourceAbuse.java:18:25:18:57 | getParameter(...) : String | ThreadResourceAbuse.java:21:28:21:36 | delayTime : Number |
-| ThreadResourceAbuse.java:21:4:21:37 | new UncheckedSyncAction(...) [waitTime] : Number | ThreadResourceAbuse.java:72:15:72:17 | parameter this [waitTime] : Number |
+| ThreadResourceAbuse.java:21:4:21:37 | new UncheckedSyncAction(...) [waitTime] : Number | ThreadResourceAbuse.java:71:15:71:17 | parameter this [waitTime] : Number |
 | ThreadResourceAbuse.java:21:28:21:36 | delayTime : Number | ThreadResourceAbuse.java:21:4:21:37 | new UncheckedSyncAction(...) [waitTime] : Number |
 | ThreadResourceAbuse.java:21:28:21:36 | delayTime : Number | ThreadResourceAbuse.java:66:30:66:41 | waitTime : Number |
 | ThreadResourceAbuse.java:29:82:29:114 | getParameter(...) : String | ThreadResourceAbuse.java:30:28:30:36 | delayTime : Number |
-| ThreadResourceAbuse.java:30:4:30:37 | new UncheckedSyncAction(...) [waitTime] : Number | ThreadResourceAbuse.java:72:15:72:17 | parameter this [waitTime] : Number |
+| ThreadResourceAbuse.java:30:4:30:37 | new UncheckedSyncAction(...) [waitTime] : Number | ThreadResourceAbuse.java:71:15:71:17 | parameter this [waitTime] : Number |
 | ThreadResourceAbuse.java:30:28:30:36 | delayTime : Number | ThreadResourceAbuse.java:30:4:30:37 | new UncheckedSyncAction(...) [waitTime] : Number |
 | ThreadResourceAbuse.java:30:28:30:36 | delayTime : Number | ThreadResourceAbuse.java:66:30:66:41 | waitTime : Number |
 | ThreadResourceAbuse.java:66:30:66:41 | waitTime : Number | ThreadResourceAbuse.java:67:20:67:27 | waitTime : Number |
 | ThreadResourceAbuse.java:67:20:67:27 | waitTime : Number | ThreadResourceAbuse.java:67:4:67:7 | this [post update] [waitTime] : Number |
-| ThreadResourceAbuse.java:72:15:72:17 | parameter this [waitTime] : Number | ThreadResourceAbuse.java:74:18:74:25 | this <.field> [waitTime] : Number |
+| ThreadResourceAbuse.java:71:15:71:17 | parameter this [waitTime] : Number | ThreadResourceAbuse.java:74:18:74:25 | this <.field> [waitTime] : Number |
 | ThreadResourceAbuse.java:74:18:74:25 | this <.field> [waitTime] : Number | ThreadResourceAbuse.java:74:18:74:25 | waitTime |
 | ThreadResourceAbuse.java:141:27:141:43 | getValue(...) : String | ThreadResourceAbuse.java:144:34:144:42 | delayTime |
-| ThreadResourceAbuse.java:172:19:172:50 | getHeader(...) : String | ThreadResourceAbuse.java:177:17:177:26 | retryAfter |
-| ThreadResourceAbuse.java:208:28:208:56 | getParameter(...) : String | ThreadResourceAbuse.java:211:49:211:59 | uploadDelay : Number |
-| ThreadResourceAbuse.java:211:30:211:87 | new UploadListener(...) [slowUploads] : Number | UploadListener.java:28:14:28:19 | parameter this [slowUploads] : Number |
-| ThreadResourceAbuse.java:211:49:211:59 | uploadDelay : Number | ThreadResourceAbuse.java:211:30:211:87 | new UploadListener(...) [slowUploads] : Number |
-| ThreadResourceAbuse.java:211:49:211:59 | uploadDelay : Number | UploadListener.java:15:24:15:44 | sleepMilliseconds : Number |
+| ThreadResourceAbuse.java:172:19:172:50 | getHeader(...) : String | ThreadResourceAbuse.java:176:17:176:26 | retryAfter |
+| ThreadResourceAbuse.java:206:28:206:56 | getParameter(...) : String | ThreadResourceAbuse.java:209:49:209:59 | uploadDelay : Number |
+| ThreadResourceAbuse.java:209:30:209:87 | new UploadListener(...) [slowUploads] : Number | UploadListener.java:28:14:28:19 | parameter this [slowUploads] : Number |
+| ThreadResourceAbuse.java:209:49:209:59 | uploadDelay : Number | ThreadResourceAbuse.java:209:30:209:87 | new UploadListener(...) [slowUploads] : Number |
+| ThreadResourceAbuse.java:209:49:209:59 | uploadDelay : Number | UploadListener.java:15:24:15:44 | sleepMilliseconds : Number |
 | UploadListener.java:15:24:15:44 | sleepMilliseconds : Number | UploadListener.java:16:17:16:33 | sleepMilliseconds : Number |
 | UploadListener.java:16:17:16:33 | sleepMilliseconds : Number | UploadListener.java:16:3:16:13 | this <.field> [post update] [slowUploads] : Number |
 | UploadListener.java:28:14:28:19 | parameter this [slowUploads] : Number | UploadListener.java:29:3:29:11 | this <.field> [slowUploads] : Number |
@@ -36,16 +36,16 @@ nodes
 | ThreadResourceAbuse.java:66:30:66:41 | waitTime : Number | semmle.label | waitTime : Number |
 | ThreadResourceAbuse.java:67:4:67:7 | this [post update] [waitTime] : Number | semmle.label | this [post update] [waitTime] : Number |
 | ThreadResourceAbuse.java:67:20:67:27 | waitTime : Number | semmle.label | waitTime : Number |
-| ThreadResourceAbuse.java:72:15:72:17 | parameter this [waitTime] : Number | semmle.label | parameter this [waitTime] : Number |
+| ThreadResourceAbuse.java:71:15:71:17 | parameter this [waitTime] : Number | semmle.label | parameter this [waitTime] : Number |
 | ThreadResourceAbuse.java:74:18:74:25 | this <.field> [waitTime] : Number | semmle.label | this <.field> [waitTime] : Number |
 | ThreadResourceAbuse.java:74:18:74:25 | waitTime | semmle.label | waitTime |
 | ThreadResourceAbuse.java:141:27:141:43 | getValue(...) : String | semmle.label | getValue(...) : String |
 | ThreadResourceAbuse.java:144:34:144:42 | delayTime | semmle.label | delayTime |
 | ThreadResourceAbuse.java:172:19:172:50 | getHeader(...) : String | semmle.label | getHeader(...) : String |
-| ThreadResourceAbuse.java:177:17:177:26 | retryAfter | semmle.label | retryAfter |
-| ThreadResourceAbuse.java:208:28:208:56 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| ThreadResourceAbuse.java:211:30:211:87 | new UploadListener(...) [slowUploads] : Number | semmle.label | new UploadListener(...) [slowUploads] : Number |
-| ThreadResourceAbuse.java:211:49:211:59 | uploadDelay : Number | semmle.label | uploadDelay : Number |
+| ThreadResourceAbuse.java:176:17:176:26 | retryAfter | semmle.label | retryAfter |
+| ThreadResourceAbuse.java:206:28:206:56 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| ThreadResourceAbuse.java:209:30:209:87 | new UploadListener(...) [slowUploads] : Number | semmle.label | new UploadListener(...) [slowUploads] : Number |
+| ThreadResourceAbuse.java:209:49:209:59 | uploadDelay : Number | semmle.label | uploadDelay : Number |
 | UploadListener.java:15:24:15:44 | sleepMilliseconds : Number | semmle.label | sleepMilliseconds : Number |
 | UploadListener.java:16:3:16:13 | this <.field> [post update] [slowUploads] : Number | semmle.label | this <.field> [post update] [slowUploads] : Number |
 | UploadListener.java:16:17:16:33 | sleepMilliseconds : Number | semmle.label | sleepMilliseconds : Number |
@@ -59,10 +59,10 @@ nodes
 subpaths
 | ThreadResourceAbuse.java:21:28:21:36 | delayTime : Number | ThreadResourceAbuse.java:66:30:66:41 | waitTime : Number | ThreadResourceAbuse.java:67:4:67:7 | this [post update] [waitTime] : Number | ThreadResourceAbuse.java:21:4:21:37 | new UncheckedSyncAction(...) [waitTime] : Number |
 | ThreadResourceAbuse.java:30:28:30:36 | delayTime : Number | ThreadResourceAbuse.java:66:30:66:41 | waitTime : Number | ThreadResourceAbuse.java:67:4:67:7 | this [post update] [waitTime] : Number | ThreadResourceAbuse.java:30:4:30:37 | new UncheckedSyncAction(...) [waitTime] : Number |
-| ThreadResourceAbuse.java:211:49:211:59 | uploadDelay : Number | UploadListener.java:15:24:15:44 | sleepMilliseconds : Number | UploadListener.java:16:3:16:13 | this <.field> [post update] [slowUploads] : Number | ThreadResourceAbuse.java:211:30:211:87 | new UploadListener(...) [slowUploads] : Number |
+| ThreadResourceAbuse.java:209:49:209:59 | uploadDelay : Number | UploadListener.java:15:24:15:44 | sleepMilliseconds : Number | UploadListener.java:16:3:16:13 | this <.field> [post update] [slowUploads] : Number | ThreadResourceAbuse.java:209:30:209:87 | new UploadListener(...) [slowUploads] : Number |
 #select
 | ThreadResourceAbuse.java:74:18:74:25 | waitTime | ThreadResourceAbuse.java:18:25:18:57 | getParameter(...) : String | ThreadResourceAbuse.java:74:18:74:25 | waitTime | Vulnerability of uncontrolled resource consumption due to $@. | ThreadResourceAbuse.java:18:25:18:57 | getParameter(...) | user-provided value |
 | ThreadResourceAbuse.java:74:18:74:25 | waitTime | ThreadResourceAbuse.java:29:82:29:114 | getParameter(...) : String | ThreadResourceAbuse.java:74:18:74:25 | waitTime | Vulnerability of uncontrolled resource consumption due to $@. | ThreadResourceAbuse.java:29:82:29:114 | getParameter(...) | user-provided value |
 | ThreadResourceAbuse.java:144:34:144:42 | delayTime | ThreadResourceAbuse.java:141:27:141:43 | getValue(...) : String | ThreadResourceAbuse.java:144:34:144:42 | delayTime | Vulnerability of uncontrolled resource consumption due to $@. | ThreadResourceAbuse.java:141:27:141:43 | getValue(...) | user-provided value |
-| ThreadResourceAbuse.java:177:17:177:26 | retryAfter | ThreadResourceAbuse.java:172:19:172:50 | getHeader(...) : String | ThreadResourceAbuse.java:177:17:177:26 | retryAfter | Vulnerability of uncontrolled resource consumption due to $@. | ThreadResourceAbuse.java:172:19:172:50 | getHeader(...) | user-provided value |
-| UploadListener.java:35:18:35:28 | slowUploads | ThreadResourceAbuse.java:208:28:208:56 | getParameter(...) : String | UploadListener.java:35:18:35:28 | slowUploads | Vulnerability of uncontrolled resource consumption due to $@. | ThreadResourceAbuse.java:208:28:208:56 | getParameter(...) | user-provided value |
+| ThreadResourceAbuse.java:176:17:176:26 | retryAfter | ThreadResourceAbuse.java:172:19:172:50 | getHeader(...) : String | ThreadResourceAbuse.java:176:17:176:26 | retryAfter | Vulnerability of uncontrolled resource consumption due to $@. | ThreadResourceAbuse.java:172:19:172:50 | getHeader(...) | user-provided value |
+| UploadListener.java:35:18:35:28 | slowUploads | ThreadResourceAbuse.java:206:28:206:56 | getParameter(...) : String | UploadListener.java:35:18:35:28 | slowUploads | Vulnerability of uncontrolled resource consumption due to $@. | ThreadResourceAbuse.java:206:28:206:56 | getParameter(...) | user-provided value |

java/ql/test/experimental/query-tests/security/CWE-400/ThreadResourceAbuse.java

@@ -14,7 +14,7 @@ public class ThreadResourceAbuse extends HttpServlet {
 	static final int MAX_RETRY_AFTER = 10*1000;
 
 	protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
-		// Get thread pause time from request parameter
+		// BAD: Get thread pause time from request parameter without validation
 		String delayTimeStr = request.getParameter("DelayTime");
 		try {
 			int delayTime = Integer.valueOf(delayTimeStr);
@@ -24,7 +24,7 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response) t
 	}
 
 	protected void doGet2(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
-		// Get thread pause time from request parameter
+		// BAD: Get thread pause time from request parameter without validation
 		try {
 			int delayTime = request.getParameter("nodelay") != null ? 0 : Integer.valueOf(request.getParameter("DelayTime"));
 			new UncheckedSyncAction(delayTime).start();
@@ -33,7 +33,7 @@ protected void doGet2(HttpServletRequest request, HttpServletResponse response)
 	}
 
 	protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
-		// Get thread pause time from init container parameter (not detected because LocalUserInput tends to add a lot of FP)
+		// BAD: Get thread pause time from context init parameter without validation
 		String delayTimeStr = getServletContext().getInitParameter("DelayTime");
 		try {
 			int delayTime = Integer.valueOf(delayTimeStr);
@@ -43,7 +43,7 @@ protected void doPost(HttpServletRequest request, HttpServletResponse response)
 	}
 
 	protected void doPut(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
-		// Get thread pause time from request cookie
+		// GOOD: Get thread pause time from request cookie with validation
 		Cookie[] cookies = request.getCookies();
 
 		for ( int i=0; i<cookies.length; i++) {
@@ -68,8 +68,8 @@ public UncheckedSyncAction(int waitTime) {
 		}
 
 		@Override
-		// BAD: no boundary check on wait time
 		public void run() {
+			// BAD: no boundary check on wait time
 			try {
 				Thread.sleep(waitTime);
 				// Do other updates
@@ -85,9 +85,9 @@ public CheckedSyncAction(int waitTime) {
 			this.waitTime = waitTime;
 		}
 
-		// GOOD: enforce an upper limit on wait time
 		@Override
 		public void run() {
+			// GOOD: enforce an upper limit on wait time
 			try {
 				if (waitTime > 0 && waitTime < 5000) {
 					Thread.sleep(waitTime);
@@ -105,9 +105,9 @@ public CheckedSyncAction2(int waitTime) {
 			this.waitTime = waitTime;
 		}
 
-		// GOOD: enforce an upper limit on wait time
 		@Override
 		public void run() {
+			// GOOD: enforce an upper limit on wait time
 			try {
 				if (waitTime >= 5000) {
 					// No action
@@ -121,7 +121,7 @@ public void run() {
 	}
 
 	protected void doPost2(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
-		// Get thread pause time from init container parameter
+		// GOOD: Get thread pause time from init container parameter with validation
 		String delayTimeStr = getServletContext().getInitParameter("DelayTime");
 		try {
 			int delayTime = Integer.valueOf(delayTimeStr);
@@ -131,7 +131,7 @@ protected void doPost2(HttpServletRequest request, HttpServletResponse response)
 	}
 
 	protected void doHead(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
-		// Get thread pause time from request cookie
+		// BAD: Get thread pause time from request cookie without validation
 		Cookie[] cookies = request.getCookies();
 
 		for ( int i=0; i<cookies.length; i++) {
@@ -168,25 +168,23 @@ int parseRetryAfter(String value) {
 	}
 
 	protected void doHead2(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
-		// Get thread pause time from request header
+		// BAD: Get thread pause time from request header without validation
 		String header = request.getHeader("Retry-After");
 		int retryAfter = Integer.parseInt(header);
 
 		try {
-			// BAD: wait for retry-after without input validation
 			Thread.sleep(retryAfter);
 		} catch (InterruptedException ignore) {
 			// ignore
 		}
 	}
 
 	protected void doHead3(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
-		// Get thread pause time from request header
+		// GOOD: Get thread pause time from request header with validation
 		String header = request.getHeader("Retry-After");
 		int retryAfter = parseRetryAfter(header);
 
 		try {
-			// GOOD: wait for retry-after with input validation
 			Thread.sleep(retryAfter);
 		} catch (InterruptedException ignore) {
 			// ignore
@@ -203,7 +201,7 @@ private long getContentLength(HttpServletRequest request) {
 	}
 
 	protected void doHead4(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
-		// Get thread pause time from request header
+		// BAD: Get thread pause time from request header without validation
 		try {
 			String uploadDelayStr = request.getParameter("delay");
 			int uploadDelay = Integer.parseInt(uploadDelayStr);