ajinabraham.njsscan.memory.buffer_noassert.buffer_noassert

profile photo of ajinabrahamajinabraham
Author
unknown
Download Count*
License

Detected usage of noassert in Buffer API, which allows the offset the be beyond the end of the buffer. This could result in writing or reading beyond the end of the buffer.

Run Locally

Run in CI

Defintion

rules:
  - id: buffer_noassert
    pattern-either:
      - pattern: $OBJ.readUInt8(..., true)
      - pattern: $OBJ.readUInt16LE(..., true)
      - pattern: $OBJ.readUInt16BE(..., true)
      - pattern: $OBJ.readUInt32LE(..., true)
      - pattern: $OBJ.readUInt32BE(..., true)
      - pattern: $OBJ.readInt8(..., true)
      - pattern: $OBJ.readInt16LE(..., true)
      - pattern: $OBJ.readInt16BE(..., true)
      - pattern: $OBJ.readInt32LE(..., true)
      - pattern: $OBJ.readInt32BE(..., true)
      - pattern: $OBJ.readFloatLE(..., true)
      - pattern: $OBJ.readFloatBE(..., true)
      - pattern: $OBJ.readDoubleLE(..., true)
      - pattern: $OBJ.readDoubleBE(..., true)
      - pattern: $OBJ.writeUInt8(..., true)
      - pattern: $OBJ.writeUInt16LE(..., true)
      - pattern: $OBJ.writeUInt16BE(..., true)
      - pattern: $OBJ.writeUInt32LE(..., true)
      - pattern: $OBJ.writeUInt32BE(..., true)
      - pattern: $OBJ.writeInt8(..., true)
      - pattern: $OBJ.writeInt16LE(..., true)
      - pattern: $OBJ.writeInt16BE(..., true)
      - pattern: $OBJ.writeInt32LE(..., true)
      - pattern: $OBJ.writeInt32BE(..., true)
      - pattern: $OBJ.writeFloatLE(..., true)
      - pattern: $OBJ.writeFloatBE(..., true)
      - pattern: $OBJ.writeDoubleLE(..., true)
      - pattern: $OBJ.writeDoubleBE(..., true)
    severity: WARNING
    languages:
      - javascript
    metadata:
      owasp-web: a6
      cwe: cwe-119
      license: LGPL-3.0-or-later
      vulnerability_class:
        - Other
    message: Detected usage of noassert in Buffer API, which allows the offset the
      be beyond the end of the buffer. This could result in writing or reading
      beyond the end of the buffer.