Sleep Injection
ID | go.sleep_injection
Severity | critical
Resource | Injection
Language | Go
Tags | CWE:400, NIST.SP.800-53, OWASP:2021:A3, PCI-DSS:6.5.1, PCI-DSS:6.5.6
Rationale
Sleep injection occurs when a user-controlled value decides how long a sleep statement blocks. If nothing bounds that value, an attacker can request very long delays and hold the process, goroutine, connection and any buffers it owns for the whole duration, degrading availability and responsiveness.
The weakness is classified as CWE-400 (Uncontrolled Resource Consumption). It arises when the input is used without validation, or without an upper bound, before it reaches the sleep call.
Consider the following vulnerable Golang code:
package main

import (
	"fmt"
	"os"
	"strconv"
	"time"
)

func main() {
	// Check if the program received an argument
	if len(os.Args) < 2 {
		fmt.Println("Please provide a sleep duration in seconds.")
		return
	}
	// Assuming the input is an integer representing seconds
	// Vulnerable: Directly converting the input without validation
	sleepDuration, err := strconv.Atoi(os.Args[1])
	if err != nil {
		fmt.Println("Invalid input. Please enter a number.")
		return
	}
	fmt.Printf("Sleeping for %d seconds...\n", sleepDuration)
	time.Sleep(time.Duration(sleepDuration) * time.Second)
	fmt.Println("Awake!")
}
Here the sleep duration is externally controlled and unbounded: a caller can pass a very large number (anything that fits in an int) and keep the program blocked for as long as they like. The same pattern inside an HTTP handler is worse, because the handler's goroutine, its connection and any state it holds stay alive for the whole delay, and time.Sleep cannot be interrupted even if the client goes away.
Go runs each request in its own goroutine, so one slow request does not stall the others directly, but a stream of abusive requests accumulates goroutines and open connections until memory, file descriptors, a fixed-size worker pool or the connection limits of an upstream proxy or load balancer are exhausted. The issue is therefore most critical where request-handling capacity is fixed or small, such as tightly sized containers or bounded worker pools.
Remediation
Always validate any user input that influences sleep functions or other resource-affecting operations: parse it strictly, reject negative values, and impose a hard upper bound on the resulting duration. Better still, avoid deriving delays from client input unless absolutely necessary. In servers, also make the wait cancellable by selecting on the request context so the sleep is abandoned when the client disconnects or the request deadline passes; a bounded value that still pins a goroutine after the client has gone is only half a fix.
A safe refactoring of the previous example might look like this:
package main

import (
	"fmt"
	"os"
	"strconv"
	"time"
)

func main() {
	if len(os.Args) < 2 {
		fmt.Println("Please provide a sleep duration in seconds.")
		return
	}
	// Convert input to an integer and reject anything outside the allowed range
	sleepDuration, err := strconv.Atoi(os.Args[1])
	if err != nil || sleepDuration < 0 || sleepDuration > 60 {
		fmt.Println("Invalid input. Please enter a number between 0 and 60.")
		return
	}
	fmt.Printf("Sleeping for %d seconds...\n", sleepDuration)
	time.Sleep(time.Duration(sleepDuration) * time.Second)
	fmt.Println("Awake!")
}
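The CLI refactoring above bounds the value but still uses an uninterruptible time.Sleep, which is the part that hurts in a server. The following is an added example, not code from the original page or from the detector's project, showing the same remediation applied to an HTTP handler: the untrusted delay is parsed strictly and capped, the range check happens before any multiplication so an oversized integer cannot overflow into a small duration, and the wait selects on the request context so it ends as soon as the client disconnects or the deadline passes. The endpoint, the delay_ms query parameter and the 5-second cap are assumptions made for the illustration.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/http"
	"strconv"
	"time"
)

// maxDelay is the hard upper bound for a client-supplied delay. The value is an
// assumption for this example; choose whatever your latency budget allows.
const maxDelay = 5 * time.Second

// parseDelay turns an untrusted query value (milliseconds) into a bounded
// duration. It rejects non-integers, negatives and anything above maxDelay
// rather than silently clamping, so a probe with a huge value shows up as a 400
// in the access log instead of being quietly accepted.
func parseDelay(raw string) (time.Duration, error) {
	ms, err := strconv.ParseInt(raw, 10, 64)
	if err != nil {
		return 0, fmt.Errorf("delay_ms must be an integer: %w", err)
	}
	if ms < 0 {
		return 0, errors.New("delay_ms must not be negative")
	}
	// Compare in milliseconds before converting: multiplying a large int64 by
	// time.Millisecond would overflow and could wrap to a small duration.
	if ms > maxDelay.Milliseconds() {
		return 0, fmt.Errorf("delay_ms %d exceeds maximum %d", ms, maxDelay.Milliseconds())
	}
	return time.Duration(ms) * time.Millisecond, nil
}

// sleepWithContext waits for d but returns ctx.Err() as soon as the context is
// cancelled, e.g. because the client went away or the request deadline passed.
// A plain time.Sleep cannot be interrupted, which is what lets a flood of slow
// requests pin goroutines and connections for the full delay.
func sleepWithContext(ctx context.Context, d time.Duration) error {
	t := time.NewTimer(d)
	defer t.Stop()
	select {
	case <-t.C:
		return nil
	case <-ctx.Done():
		return ctx.Err()
	}
}

// delayHandler is a hypothetical endpoint that honours a bounded client delay.
func delayHandler(w http.ResponseWriter, r *http.Request) {
	d, err := parseDelay(r.URL.Query().Get("delay_ms"))
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	// Bound the whole request independently of the parsed value, so a bug in
	// parseDelay can never turn into an unbounded wait.
	ctx, cancel := context.WithTimeout(r.Context(), maxDelay+time.Second)
	defer cancel()
	if err := sleepWithContext(ctx, d); err != nil {
		http.Error(w, "request cancelled: "+err.Error(), http.StatusRequestTimeout)
		return
	}
	fmt.Fprintf(w, "slept %v\n", d)
}

func main() {
	// Server-level timeouts are the second line of defence: even a handler that
	// forgets the context cannot hold a connection past WriteTimeout.
	srv := &http.Server{
		Addr:              ":8080",
		Handler:           http.HandlerFunc(delayHandler),
		ReadHeaderTimeout: 5 * time.Second,
		WriteTimeout:      maxDelay + 2*time.Second,
	}
	fmt.Println("listening on :8080 (try GET /?delay_ms=250)")
	if err := srv.ListenAndServe(); err != nil {
		fmt.Println(err)
	}
}
```

Run it and request /?delay_ms=250, then /?delay_ms=60000: the first sleeps for a quarter second, the second is rejected with 400 before any timer is started. Closing the client mid-request (for example with curl --max-time 1 on a 4-second delay) makes sleepWithContext return context.Canceled immediately, freeing the goroutine instead of letting it run out the clock.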
Configuration
The detector has the following configurable parameters:
- sources: the source kinds (origins of untrusted input) to check.
- neutralizations: the neutralization kinds (validation or bounding steps) that are accepted as sanitizing the input.
Unless you need to change the default behavior, you typically do not need to configure this detector.
References
- CWE-400: Uncontrolled Resource Consumption.
- OWASP Top 10 2021 - A03: Injection.