contrib.nodejsscan.layer7_object_dos.layer7_object_dos

profile photo of returntocorpreturntocorp
Author
99
Download Count*
GPLv3
License

Layer7 Denial of Service. Looping over user controlled objects can result in DoS.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: layer7_object_dos
    patterns:
      - pattern-either:
          - pattern-inside: function ($REQ, $RES, ...) {...}
          - pattern-inside: function $FUNC($REQ, $RES, ...) {...}
          - pattern-inside: $X = function $FUNC($REQ, $RES, ...) {...}
          - pattern-inside: var $X = function $FUNC($REQ, $RES, ...) {...};
          - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, ...) {...})
      - pattern-either:
          - pattern-inside: |
              $OBJ = $REQ.body;
              ...
          - pattern-inside: |
              $OBJ = $REQ.body.$FOO;
              ...
      - pattern-inside: |
          for(...){...}
      - pattern: |
          $OBJ.length
    message: Layer7 Denial of Service. Looping over user controlled objects can
      result in DoS.
    languages:
      - javascript
    severity: ERROR
    metadata:
      owasp: A06:2017 - Security Misconfiguration
      cwe: "CWE-400: Uncontrolled Resource Consumption"
      category: security
      technology:
        - node.js
        - express
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]

Examples

layer7_object_dos.js

const express = require('express');
const router = express.Router()


router.post("/list-users", (req, res) => {
    var obj = req.body.users;
    var someArr = [];

    // Potential DoS if obj.length is large.
    // ruleid:layer7_object_dos
    for (var i = 0; i < obj.length; i++) {
        someArr.push(obj[i]);
    }

});


module.exports = router


app.post("/foo", (req, res) => {
    var obj = req.body;

    var ret = [];

    // Potential DoS if obj.length is large.
    // ruleid:layer7_object_dos
    for (var i = 0; i < obj.length; i++) {
        ret.push(obj[i]);
    }
});