contrib.nodejsscan.buffer_noassert.buffer_noassert
returntocorpAuthor
99
Download Count*
License
Detected usage of noassert in Buffer API, which allows the offset the be beyond the end of the buffer. This could result in writing or reading beyond the end of the buffer.
Run Locally
Run in CI
Defintion
rules:
- id: buffer_noassert
pattern-either:
- pattern: $OBJ.readUInt8(..., true)
- pattern: $OBJ.readUInt16LE(..., true)
- pattern: $OBJ.readUInt16BE(..., true)
- pattern: $OBJ.readUInt32LE(..., true)
- pattern: $OBJ.readUInt32BE(..., true)
- pattern: $OBJ.readInt8(..., true)
- pattern: $OBJ.readInt16LE(..., true)
- pattern: $OBJ.readInt16BE(..., true)
- pattern: $OBJ.readInt32LE(..., true)
- pattern: $OBJ.readInt32BE(..., true)
- pattern: $OBJ.readFloatLE(..., true)
- pattern: $OBJ.readFloatBE(..., true)
- pattern: $OBJ.readDoubleLE(..., true)
- pattern: $OBJ.readDoubleBE(..., true)
- pattern: $OBJ.writeUInt8(..., true)
- pattern: $OBJ.writeUInt16LE(..., true)
- pattern: $OBJ.writeUInt16BE(..., true)
- pattern: $OBJ.writeUInt32LE(..., true)
- pattern: $OBJ.writeUInt32BE(..., true)
- pattern: $OBJ.writeInt8(..., true)
- pattern: $OBJ.writeInt16LE(..., true)
- pattern: $OBJ.writeInt16BE(..., true)
- pattern: $OBJ.writeInt32LE(..., true)
- pattern: $OBJ.writeInt32BE(..., true)
- pattern: $OBJ.writeFloatLE(..., true)
- pattern: $OBJ.writeFloatBE(..., true)
- pattern: $OBJ.writeDoubleLE(..., true)
- pattern: $OBJ.writeDoubleBE(..., true)
severity: WARNING
languages:
- javascript
metadata:
owasp: A06:2017 - Security Misconfiguration
cwe: "CWE-119: Improper Restriction of Operations within the Bounds of a Memory
Buffer"
category: security
technology:
- node.js
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
message: Detected usage of noassert in Buffer API, which allows the offset the
be beyond the end of the buffer. This could result in writing or reading
beyond the end of the buffer.
Examples
buffer_noassert.js
// ruleid:buffer_noassert
a.readUInt8(0, true)
Short Link: https://sg.run/vz4n