Java: Fix duplicate IDs

Author: henrymercer

config/identical-files.json

@@ -580,5 +580,9 @@
   "IncompleteMultiCharacterSanitization JS/Ruby": [
     "javascript/ql/lib/semmle/javascript/security/IncompleteMultiCharacterSanitizationQuery.qll",
     "ruby/ql/lib/codeql/ruby/security/IncompleteMultiCharacterSanitizationQuery.qll"
+  ],
+  "ThreadResourceAbuse help": [
+    "java/ql/src/experimental/Security/CWE/CWE-400/LocalThreadResourceAbuse.qhelp",
+    "java/ql/src/experimental/Security/CWE/CWE-400/ThreadResourceAbuse.qhelp"
   ]
 }

java/ql/src/experimental/Security/CWE/CWE-400/LocalThreadResourceAbuse.qhelp

@@ -0,0 +1,48 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+
+<overview>
+<p>The <code>Thread.sleep</code> method is used to pause the execution of current thread for 
+specified time. When the sleep time is user-controlled, especially in the web application context, 
+it can be abused to cause all of a server's threads to sleep, leading to denial of service.</p>
+</overview>
+
+<recommendation>
+<p>To guard against this attack, consider specifying an upper range of allowed sleep time or adopting
+the producer/consumer design pattern with <code>Object.wait</code> method to avoid performance 
+problems or even resource exhaustion. For more information, refer to the concurrency tutorial of Oracle
+listed below or <code>java/ql/src/Likely Bugs/Concurrency</code> queries of CodeQL.</p>
+</recommendation>
+
+<example>
+<p>The following example shows a bad situation and a good situation respectively. In the bad situation,
+a thread sleep time comes directly from user input. In the good situation, an upper 
+range check on the maximum sleep time allowed is enforced.</p>
+<sample src="ThreadResourceAbuse.java" />
+</example>
+
+<references>
+<li>
+Snyk:
+<a href="https://snyk.io/vuln/SNYK-JAVA-COMGOOGLECODEGWTUPLOAD-569506">Denial of Service (DoS)
+in com.googlecode.gwtupload:gwtupload</a>.
+</li>
+<li>
+gwtupload:
+<a href="https://github.com/manolo/gwtupload/issues/33">[Fix DOS issue] Updating the 
+AbstractUploadListener.java file</a>.
+</li>
+<li>
+The blog of a gypsy engineer:
+<a href="https://blog.gypsyengineer.com/en/security/cve-2019-17555-dos-via-retry-after-header-in-apache-olingo.html">
+CVE-2019-17555: DoS via Retry-After header in Apache Olingo</a>.
+</li>
+<li>
+Oracle:
+<a href="https://docs.oracle.com/javase/tutorial/essential/concurrency/guardmeth.html">The Java Concurrency Tutorials</a>
+</li>
+</references>
+</qhelp>

java/ql/src/experimental/Security/CWE/CWE-400/LocalThreadResourceAbuse.ql

@@ -3,7 +3,7 @@
  * @description Using user input directly to control a thread's sleep time could lead to
  *              performance problems or even resource exhaustion.
  * @kind path-problem
- * @id java/thread-resource-abuse
+ * @id java/local-thread-resource-abuse
  * @problem.severity recommendation
  * @tags security
  *       external/cwe/cwe-400