javascript.lang.security.detect-buffer-noassert.detect-buffer-noassert
Community Favorite
Author: semgrep
Download count: 32,881
Detected usage of noassert in Buffer API, which allows the offset to be beyond the end of the buffer. This could result in writing or reading beyond the end of the buffer.
Definition
rules:
  - id: detect-buffer-noassert
    message: >-
      Detected usage of noassert in Buffer API, which allows the offset to
      be beyond the end of the buffer. This could result in writing or reading
      beyond the end of the buffer.
    metadata:
      cwe:
        - "CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer"
      source-rule-url: https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-buffer-noassert.js
      category: security
      technology:
        - javascript
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: HIGH
      confidence: LOW
      references:
        - https://cwe.mitre.org/data/definitions/119.html
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Memory Issues
    languages:
      - javascript
      - typescript
    severity: WARNING
    patterns:
      - pattern: $OBJ.$API(..., true)
      - metavariable-regex:
          metavariable: $API
          regex: (read|write)(U?Int8|(U?Int(16|32)|Float|Double)(LE|BE))
Examples
detect-buffer-noassert.js
// ok:detect-buffer-noassert
a.readUInt8(0)
// ok:detect-buffer-noassert
a.readUInt8(0, false)
// ruleid:detect-buffer-noassert
a.readUInt8(0, true)
// ruleid:detect-buffer-noassert
a.writeFloatLE(0, true)
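To make the rule's matching logic concrete, here is an added example (not part of the Semgrep rule or its test file) that approximates the rule in plain JavaScript: it flags a method call whose name fits the rule's metavariable-regex and whose last argument is the literal `true`, the legacy noAssert flag. The anchoring of the regex to the whole method name and the one-call-per-line simplification are assumptions of this example; note that Node.js 10 removed the noAssert argument, so on current runtimes bounds are always checked and the rule mostly surfaces code written for older runtimes.

```javascript
// Added example, not the Semgrep rule's own code: a line-oriented scanner
// that mirrors the rule's pattern `$OBJ.$API(..., true)` plus its regex.

// Same regex as the rule; anchored here so the whole method name must match
// (assumption made for this example).
const API_RE = /^(read|write)(U?Int8|(U?Int(16|32)|Float|Double)(LE|BE))$/;

// `<obj>.<method>(<args>)` with a flat argument list. Simplification for
// this example: one call per line, no nested parentheses in the arguments.
const CALL_RE = /\b([A-Za-z_$][\w$]*)\.([A-Za-z_$][\w$]*)\(([^()]*)\)/g;

function findNoassertCalls(source) {
  const findings = [];
  source.split('\n').forEach((line, idx) => {
    for (const m of line.matchAll(CALL_RE)) {
      const [, obj, method, argList] = m;
      if (!API_RE.test(method)) continue; // not a fixed-width Buffer read/write
      const args = argList.split(',').map((a) => a.trim());
      // The rule's pattern needs at least one argument before a trailing `true`.
      if (args.length >= 2 && args[args.length - 1] === 'true') {
        findings.push({ line: idx + 1, obj, method, text: line.trim() });
      }
    }
  });
  return findings;
}

// Constructed sample input: the rule's own test cases plus a few extra lines.
const SAMPLE = [
  "const a = Buffer.alloc(8);",
  "a.readUInt8(0)",
  "a.readUInt8(0, false)",
  "a.readUInt8(0, true)",
  "a.writeFloatLE(0, true)",
  "a.readUIntLE(0, 6, true)",            // variable-width API, outside the regex
  "fs.writeFileSync('out.bin', a, true)", // not a Buffer read/write method
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of findNoassertCalls(SAMPLE)) {
    console.log(`line ${f.line}: ${f.obj}.${f.method} called with noAssert=true (${f.text})`);
  }
}
```

Running the block reports only the two lines that the rule's own test file marks with `ruleid:`.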
Short Link: https://sg.run/qxpO