User-provided data, such as URL parameters, POST data payloads, or cookies, are tainted with user-controlled inputs. Therefore, they should always
be considered untrusted.
Using user-controlled data to define the suspension time of threads execution could allow attackers to suspend thread execution for a long period
of time.
Web servers generally have a limited amount of threads that can run in parallel. With a few requests, attackers can cause a Denial of Service,
making the application unavailable for all users.
Recommended Secure Coding Practices
- Avoid using user-controlled data to define thread execution suspension time.
- Define a maximum suspension time.
Noncompliant Code Example
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
Long time = Long.parseLong(req.getParameter("time"));
Thread.sleep(time); // Noncompliant
// ...
}
Compliant Solution
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
Long time = Long.parseLong(req.getParameter("time"));
Thread.sleep(Math.min(inputTime, 1000));
// ...
}
See