Products
In-IDE
IDE extension that lets you fix coding issues before they exist!
Discover SonarLint
SaaS
Setup is effortless and analysis is automatic for most languages
Discover SonarCloud
Self-Hosted
Fast, accurate analysis; enterprise scalability
Discover SonarQube

Java static code analysis

Unique rules to find Bugs, Vulnerabilities, Security Hotspots, and Code Smells in your JAVA code

Thread suspensions should not be vulnerable to Denial of Service attacks

Vulnerability

CriticalSonarSource default severity
click to learn more

Why is this an issue?

Most modern applications use threads to handle incoming requests or other long-running tasks concurrently. In some cases, the number of concurrent threads is limited to avoid system resource exhaustion due to too numerous actions being run.

When an application uses user-controlled data as a parameter of a thread suspension operation, a Denial of Service attack can be made possible.

What is the potential impact?

An attacker with the capability to insert an arbitrary duration into a thread suspension operation could suspend the corresponding thread for a long time. Depending on the application’s architecture and the thread handling logic, this can lead to a complete Denial of Service of the application.

Indeed, if the number of threads, either created by the application or allocated by a web server, is limited, the attacker will be able to suspend all of them at the same time. Without any remaining thread to handle actions, the application might badly answer, be slowed down, or become completely irresponsive.

How to fix it in Java SE

Code examples

This code is vulnerable to a Denial of Service because it sets a thread’s suspension time from user input without prior validation or sanitation.

Noncompliant code example

protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        Long time = Long.parseLong(req.getParameter("time"));
        try {
            Thread.sleep(time); // Noncompliant
        } catch (InterruptedException e) {
            resp.sendError(500);
        }
    }

Compliant solution

protected void compliant(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        Long time = Long.parseLong(req.getParameter("time"));
        try {
            Thread.sleep(Math.min(time, 1000));
        } catch (InterruptedException e) {
            resp.sendError(500);
        }
    }

How does this work?

In most cases, it is discouraged to define a thread suspension time from user-input.

If really necessary, the application should ensure that the provided suspension time is below a safe limit. Such a limit should be evaluated and set to the lowest possible time that ensures the application’s operation and restricts denial of service attacks.

The example compliant code uses the Math.min function to ensure the suspension duration is below the limit of one second.

Note that even when the suspension time is limited, an attacker who submits numerous requests at high speed can still manage always to consume all available threads.

Resources

Standards

OWASP Top 10 2021 Category A3 - Injection
OWASP Top 10 2017 Category A1 - Injection
MITRE, CWE-400 - Uncontrolled Resource Consumption

Available In:

Detect issues in your GitHub, Azure DevOps Services, Bitbucket Cloud, GitLab repositories

Developer
Edition

In-IDE

SaaS

Self-Hosted