javascript.ajv.security.audit.ajv-allerrors-true.ajv-allerrors-true


With `allErrors: true` set in the Ajv library, every validation error object is allocated without limit. This lets an attacker trigger a huge number of errors, which can lead to denial of service. Do not use `allErrors: true` in production.


Definition

rules:
  - id: ajv-allerrors-true
    message: "By setting `allErrors: true` in `Ajv` library, all error objects will
      be allocated without limit. This allows the attacker to produce a huge
      number of errors which can lead to denial of service. Do not use
      `allErrors: true` in production."
    metadata:
      cwe:
        - "CWE-400: Uncontrolled Resource Consumption"
      category: security
      technology:
        - ajv
      references:
        - https://ajv.js.org/options.html#allerrors
      cwe2022-top25: true
      subcategory:
        - audit
      # Audit-grade finding: LOW likelihood/impact/confidence, so a hit is a
      # configuration to review rather than a confirmed vulnerability.
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Denial-of-Service (DoS)
    languages:
      - javascript
      - typescript
    severity: WARNING
    # Both branches match only the literal `true`; a computed value such as
    # `allErrors: process.env.DEBUG` (see the examples) is not reported.
    pattern-either:
      # Inline options object; the `...` on either side lets `allErrors: true`
      # appear anywhere among the other keys.
      - pattern: |
          new Ajv({...,allErrors: true,...},...)
      # Options object assigned to a variable earlier in the same scope and
      # then passed to the constructor.
      - patterns:
          - pattern: |
              new Ajv($SETTINGS,...)
          - pattern-inside: |
              $SETTINGS = {...,allErrors: true,...}
              ...

Examples

ajv-allerrors-true.js

import express from 'express';
import Ajv from 'ajv';

function test1() {
    // The options literal lives in a local; the rule's `pattern-inside`
    // branch ties that assignment to the `new Ajv(...)` call below.
    const options = { allErrors: true, smth: 'else' };
    // ruleid: ajv-allerrors-true
    return new Ajv(options);
}

function test2() {
    // Inline options literal with `allErrors: true` as the first key.
    // ruleid: ajv-allerrors-true
    const validator = new Ajv({ allErrors: true, smth: 'else' });
    validator.addSchema(schema, 'input');
}


function test3() {
    // Same literal, but `allErrors: true` follows another key; the leading
    // `...` in the pattern still matches it.
    // ruleid: ajv-allerrors-true
    const validator = new Ajv({ smth: 'else', allErrors: true });
    validator.addSchema(schema, 'input');
}

function test4() {
    // `allErrors: true` surrounded by other keys on both sides. The repeated
    // `smth` key is part of the fixture and is kept as-is.
    // ruleid: ajv-allerrors-true
    const validator = new Ajv({ smth: 'else', smth: 'else', allErrors: true, smth: 'else' });
    validator.addSchema(schema, 'input');
}


function okTest1() {
    // Non-literal value: the rule only matches a literal `true`, so this is
    // not reported. Note that `process.env.DEBUG` is a string, so any
    // non-empty value (including "false") is truthy at runtime.
    // ok: ajv-allerrors-true
    const validator = new Ajv({ allErrors: process.env.DEBUG });
    validator.addSchema(schema, 'input');
}

function okTest2() {
    // Literal `false` does not match the pattern's `allErrors: true`.
    // ok: ajv-allerrors-true
    const validator = new Ajv({ smth: 'else', allErrors: false });
    validator.addSchema(schema, 'input');
}