/** Provides sink models, a sanitizer, and additional flow steps related to pausing thread operations (thread resource abuse). */
deprecated module;
import java
import semmle.code.java.dataflow.DataFlow
private import semmle.code.java.dataflow.ExternalFlow
import semmle.code.java.arithmetic.Overflow
import semmle.code.java.dataflow.FlowSteps
import semmle.code.java.controlflow.Guards
/**
 * Opts this library into the experimental `thread-resource-abuse` models-as-data set
 * (`ActiveExperimentalModels` comes from the `ExternalFlow` import), which presumably
 * supplies the `thread-pause` sink rows that `PauseThreadSink` matches against.
 */
overlay[local?]
private class ActivateModels extends ActiveExperimentalModels {
  ActivateModels() { "thread-resource-abuse" = this }
}
/**
 * A data-flow node that reaches a method pausing a thread, as modelled by the
 * `thread-pause` sink kind in the models-as-data rows.
 */
class PauseThreadSink extends DataFlow::Node {
  PauseThreadSink() { exists(string kind | kind = "thread-pause" | sinkNode(this, kind)) }
}
/**
 * Holds if `g` is a comparison that, on outcome `branch`, bounds `e` from above:
 * `e` is the lesser operand and the comparison holds (`branch = true`), or `e` is the
 * greater operand and the comparison fails (`branch = false`).
 *
 * NOTE(review): nothing constrains the other operand, so a comparison against a value
 * that is itself untrusted still counts as a barrier; no lower bound is checked either.
 */
private predicate lessThanGuard(Guard g, Expr e, boolean branch) {
  exists(ComparisonExpr cmp | cmp = g |
    branch = true and e = cmp.getLesserOperand()
    or
    branch = false and e = cmp.getGreaterOperand()
  )
}
/**
 * A barrier node for a value that has passed an upper-bound comparison (see `lessThanGuard`);
 * such values are treated as sanitized, presumably on the assumption that a bounded pause
 * is not abusable.
 *
 * NOTE(review): the bound compared against does not have to be a constant.
 */
class LessThanSanitizer extends DataFlow::Node {
  LessThanSanitizer() {
    exists(DataFlow::Node barrier |
      barrier = DataFlow::BarrierGuard<lessThanGuard/3>::getABarrierNode() and this = barrier
    )
  }
}
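/**
 * Holds if `pred` is a constructor call whose constructed type has `pkg.typeName` among its
 * ancestors and `succ` is the instance parameter (`this`) of the method named `methodName`
 * that is declared directly on the constructed type.
 *
 * Shared by the callback-style value steps below, which use it to carry flow from the
 * site where a callback object is created into the body of the callback method.
 *
 * Note: the method must be declared on the constructed type itself
 * (`getDeclaringType() = ...getSourceDeclaration()`); a callback method inherited from a
 * superclass gets no step.
 */
private predicate callbackInstanceStep(
  DataFlow::Node pred, DataFlow::Node succ, string pkg, string typeName, string methodName
) {
  exists(ConstructorCall cc, Method m |
    m.getDeclaringType() = cc.getConstructedType().getSourceDeclaration() and
    cc.getConstructedType().getAnAncestor().hasQualifiedName(pkg, typeName) and
    m.hasName(methodName)
  |
    pred.asExpr() = cc and
    succ.(DataFlow::InstanceParameterNode).getEnclosingCallable() = m
  )
}

/** Value step from the constructor call of a `Runnable` to the instance parameter (this) of `run`. */
private class RunnableStartToRunStep extends AdditionalValueStep {
  override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
    callbackInstanceStep(pred, succ, "java.lang", "Runnable", "run")
  }
}

/**
 * Value step from the constructor call of a `ProgressListener` of Apache File Upload (either the
 * `fileupload` or the `fileupload2` package) to the instance parameter (this) of `update`.
 */
private class ApacheFileUploadProgressUpdateStep extends AdditionalValueStep {
  override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
    callbackInstanceStep(pred, succ,
      ["org.apache.commons.fileupload", "org.apache.commons.fileupload2"], "ProgressListener",
      "update")
  }
}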
/**
 * A unit class for adding additional taint steps.
 *
 * Extend this class to add additional taint steps that should apply to the `ThreadResourceAbuseConfig`
 * (defined outside this file). Each subclass contributes the node pairs for which its `step`
 * predicate holds; `DefaultThreadResourceAbuseAdditionalTaintStep` below supplies the built-in set.
 */
class ThreadResourceAbuseAdditionalTaintStep extends Unit {
  /**
   * Holds if the step from `node1` to `node2` should be considered a taint
   * step for the `ThreadResourceAbuseConfig` configuration.
   *
   * Each implementation describes a single local step; it is presumably the configuration
   * (not visible here) that chains them into paths.
   */
  abstract predicate step(DataFlow::Node node1, DataFlow::Node node2);
}
/**
 * The built-in extra taint steps for thread-resource-abuse flows: currently just
 * propagation through arithmetic (see `threadResourceAbuseArithmeticTaintStep`).
 */
private class DefaultThreadResourceAbuseAdditionalTaintStep extends ThreadResourceAbuseAdditionalTaintStep
{
  override predicate step(DataFlow::Node node1, DataFlow::Node node2) {
    exists(DataFlow::Node src, DataFlow::Node dst |
      src = node1 and dst = node2 and threadResourceAbuseArithmeticTaintStep(src, dst)
    )
  }
}
/**
 * Holds if `toNode` is an arithmetic expression (`ArithExpr`, from the `Overflow` import) and
 * `fromNode` is one of its operands, i.e. taint propagates through addition, subtraction,
 * multiplication and division.
 *
 * NOTE(review): only the operations `ArithExpr` covers are included; `%` does not appear to be
 * among them, so `x % n` would silently stop propagation — confirm against `ArithExpr`'s
 * definition if that matters. No lower-bound reasoning is done either: `max - x` is tainted
 * whenever `x` is.
 */
private predicate threadResourceAbuseArithmeticTaintStep(
  DataFlow::Node fromNode, DataFlow::Node toNode
) {
  exists(ArithExpr arith | arith = toNode.asExpr() | fromNode.asExpr() = arith.getAnOperand())
}