Sleep Injection
| Field | Value |
| --- | --- |
| ID | kotlin.sleep_injection |
| Severity | critical |
| Resource | Injection |
| Language | Kotlin |
| Tags | CWE:400, NIST.SP.800-53, OWASP:2021:A3, PCI-DSS:6.5.1, PCI-DSS:6.5.6 |
Rationale
Sleep injection vulnerabilities occur when user-controlled input determines the duration of a sleep statement, allowing an attacker to degrade the application's performance.
These vulnerabilities, categorized under CWE-400, arise when user input reaches a sleep call without sufficient validation or sanitization, so a malicious party can submit very large delays that hinder application availability and responsiveness.
For example, consider the following piece of Kotlin code:
    @Throws(InterruptedException::class)
    fun delayResponse(input: String?) {
        // Untrusted input is parsed and passed straight to Thread.sleep with no upper bound
        val sleepTime = input?.toIntOrNull() ?: return
        Thread.sleep(sleepTime.toLong())
    }
In this case, if the input is controlled by the user and converted directly into an integer that dictates the sleep time, an attacker might provide excessively high values that could cause the system to sleep for unreasonable amounts of time, effectively putting the service into a Denial of Service condition.
Remediation
To mitigate sleep injection issues in Kotlin, ensure proper validation and sanitization of all user inputs that control sleep durations. Input validation that enforces sane limits on the sleep duration prevents misuse.
Here’s an example remediation approach:
    @Throws(InterruptedException::class)
    fun delayResponse(input: String?) {
        val defaultSleepTime = 1000 // default to 1 second
        val maxSleepTime = 5000 // set max limit to 5 seconds
        // Invalid or missing input falls back to the default instead of being trusted
        val sleepTime = input?.toIntOrNull() ?: defaultSleepTime
        // Clamp to [0, maxSleepTime] so the caller can never request an unbounded delay
        val boundedSleepTime = sleepTime.coerceIn(0, maxSleepTime)
        Thread.sleep(boundedSleepTime.toLong())
    }
By validating the input, setting reasonable defaults, and ensuring the sleep time stays within an acceptable range, you reduce the risk of sleep injection vulnerabilities. Moreover, consider logging any invalid input attempts so that potentially malicious activity can be monitored and responded to.
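As an added example that is not part of the rule page, the following Kotlin code separates the bounding decision from the sleep itself so the clamping logic can be unit-tested and rejected inputs can be logged, as the remediation above recommends. The decideDelay helper, the DelayDecision types and the logger name are assumptions; only delayResponse mirrors the page's signature.

```kotlin
// Added example, not the rule page's own code: decideDelay and DelayDecision are
// hypothetical helpers; only delayResponse mirrors the signature used on the page.
import java.util.logging.Logger
import kotlin.time.Duration
import kotlin.time.Duration.Companion.milliseconds

private val log: Logger = Logger.getLogger("DelayPolicy")

/** Outcome of validating an untrusted delay parameter; delay is always bounded. */
sealed class DelayDecision(val delay: Duration) {
    class Accepted(delay: Duration) : DelayDecision(delay)
    class Defaulted(delay: Duration, val reason: String) : DelayDecision(delay)
    class Clamped(delay: Duration, val requestedMs: Int) : DelayDecision(delay)
}

/** Maps user input to a delay within [0, maxDelay] without performing any sleep. */
fun decideDelay(
    input: String?,
    defaultDelay: Duration = 1000.milliseconds,
    maxDelay: Duration = 5000.milliseconds,
): DelayDecision {
    val requested = input?.toIntOrNull()
        ?: return DelayDecision.Defaulted(defaultDelay, "missing or non-numeric: $input")
    if (requested < 0) {
        // Thread.sleep throws IllegalArgumentException on negative values; reject instead of crashing
        return DelayDecision.Defaulted(defaultDelay, "negative: $requested")
    }
    val maxMs = maxDelay.inWholeMilliseconds.toInt()
    if (requested > maxMs) return DelayDecision.Clamped(maxDelay, requested)
    return DelayDecision.Accepted(requested.milliseconds)
}

@Throws(InterruptedException::class)
fun delayResponse(input: String?) {
    val decision = decideDelay(input)
    when (decision) {
        is DelayDecision.Defaulted -> log.warning("delay input rejected (${decision.reason})")
        is DelayDecision.Clamped -> log.warning("delay ${decision.requestedMs} ms clamped to ${decision.delay}")
        is DelayDecision.Accepted -> Unit
    }
    Thread.sleep(decision.delay.inWholeMilliseconds)
}

fun main() {
    // Constructed sample inputs, including an oversized value, a negative value and junk
    for (input in listOf("250", "999999999", "-5", "abc", null)) {
        val d = decideDelay(input)
        println("$input -> ${d::class.simpleName} ${d.delay}")
    }
}
```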
Configuration
The detector has the following configurable parameters:
- sources, which indicates the source kinds to check.
- neutralizations, which indicates the neutralization kinds to check.
Unless you need to change the default behavior, you typically do not need to configure this detector.
References
- CWE-400: Uncontrolled Resource Consumption.
- OWASP Top 10 2021 - A03: Injection.