Correct the run method and add Math.min check · ByteDecoder/codeql@5264936 · GitHub

Commit 5264936

committed
Correct the run method and add Math.min check
1 parent 272e4f6 commit 5264936

3 files changed

Lines changed: 27 additions & 6 deletions


java/ql/src/experimental/Security/CWE/CWE-400/ThreadPauseSink.qll

Lines changed: 11 additions & 0 deletions

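--- a/java/ql/src/experimental/Security/CWE/CWE-400/ThreadResourceAbuse.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-400/ThreadResourceAbuse.ql
@@ -63,19 +63,29 @@ class ThreadResourceAbuse extends TaintTracking::Configuration {
 
 override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
 exists(
-Method rm, ClassInstanceExpr ce, Argument arg, FieldAccess fa // thread.start() invokes the run() method of thread implementation
+Method rm, ClassInstanceExpr ce, Argument arg, Parameter p, FieldAccess fa, int i // thread.start() invokes the run() method of thread implementation
 |
 rm.hasName("run") and
 ce.getConstructedType().getSourceDeclaration() = rm.getSourceDeclaration().getDeclaringType() and
 ce.getConstructedType().getASupertype*().hasQualifiedName("java.lang", "Runnable") and
-ce.getAnArgument() = arg and
-fa = rm.getAnAccessedField().getAnAccess() and
-arg.getType() = fa.getField().getType() and
+ce.getArgument(i) = arg and
+ce.getConstructor().getParameter(i) = p and
+fa.getEnclosingCallable() = rm and
+DataFlow::localExprFlow(p.getAnAccess(), fa.getField().getAnAssignedValue()) and
 node1.asExpr() = arg and
 node2.asExpr() = fa
 )
 }
 
+override predicate isSanitizer(DataFlow::Node node) {
+exists(
+MethodAccess ma // Math.min(sleepTime, MAX_INTERVAL)
+|
+ma.getMethod().hasQualifiedName("java.lang", "Math", "min") and
+node.asExpr() = ma.getAnArgument()
+)
+}
+
 override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
 guard instanceof LessThanSanitizer // if (sleepTime > 0 && sleepTime < 5000) { ... }
 }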
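Review bot: The new `isSanitizer` predicate treats every argument of any `java.lang.Math.min` call as a barrier without looking at the other operand, so a call such as `Math.min(sleepTime, otherUserValue)` silences the query even though the pause time is still user-controlled. I would bind the argument position and require the other operand to be a constant, declaring `MethodAccess ma, int i` and replacing the last conjunct with `node.asExpr() = ma.getArgument(i) and` `ma.getArgument(1 - i) instanceof CompileTimeConstantExpr`; whether a named bound like `MAX_INTERVAL` qualifies depends on how it is declared, so the existing test case should be re-run against it. A constant bound can still be very large (for example `Long.MAX_VALUE`), which is presumably acceptable for an experimental query, but a short comment stating that only the presence of an upper bound is checked, not its size, would make that limit visible to users of the results. The predicate itself is fully visible; the enclosing class starts and ends outside the hunk.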

java/ql/test/experimental/query-tests/security/CWE-400/ThreadResourceAbuse.java

Lines changed: 2 additions & 2 deletions
