ocaml.lang.security.hashtable-dos.ocamllint-hashtable-dos
semgrep
Author: unknown
Creating a Hashtbl without the optional ~random parameter makes it prone to DoS attacks when attackers are able to fill the table with malicious content. Hashtbl.randomize or the R flag in OCAMLRUNPARAM are other ways to randomize it.
Definition
rules:
- id: ocamllint-hashtable-dos
  patterns:
  - pattern: Hashtbl.create $Y
  - pattern-not: Hashtbl.create $Y ~random:true
  message: Creating a Hashtbl without the optional random number parameter makes
    it prone to DoS attacks when attackers are able to fill the table with
    malicious content. Hashtbl.randomize or the R flag in the OCAMLRUNPARAM
    are other ways to randomize it.
  languages:
  - ocaml
  severity: WARNING
  metadata:
    category: security
    references:
    - https://v2.ocaml.org/api/Hashtbl.html
    technology:
    - ocaml
    cwe: "CWE-399: Resource Management Errors (4.12)"
    confidence: LOW
    likelihood: LOW
    impact: LOW
    subcategory:
    - audit
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    vulnerability_class:
    - Other
Examples
hashtable-dos.ml
(* ruleid:ocamllint-hashtable-dos *)
let h = Hashtbl.create 16 in  (* flagged: no ~random, so the key-to-bucket mapping is deterministic *)
for i = 1 to 1000 do Hashtbl.add h i (i * 2) done;
Printf.printf "%i elements\n" (Hashtbl.length h);
let j = Hashtbl.create 16 ~random:true in  (* not flagged: matches the rule's pattern-not *)
for i = 1 to 1000 do Hashtbl.add j i (i * 2) done;
Printf.printf "%i elements\n" (Hashtbl.length j);
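As an added example (not part of the rule page or of the Semgrep project), the per-table construction the rule's pattern-not accepts, the process-wide Hashtbl.randomize alternative the message names, and a bucket-length check for a table keyed by untrusted input. It assumes OCaml 4.03 or later for Hashtbl.is_randomized and Hashtbl.stats; the keys are constructed sample data.

```ocaml
(* Added example, not the rule's or the project's own code. *)

(* Option 1: process-wide. Must run before any table is created; every later
   Hashtbl.create behaves as if ~random:true had been passed. Equivalent to
   launching the program with the R flag in OCAMLRUNPARAM. *)
let () = Hashtbl.randomize ()

(* Option 2: per-table, in the argument order the rule's pattern-not matches.
   Safe on its own even when randomize () was never called. *)
let make_untrusted_table () : (string, int) Hashtbl.t =
  Hashtbl.create 64 ~random:true

(* Defensive check: lookup cost is bounded by the longest bucket chain. With a
   well-distributed (randomized) hash it stays small; a chain that grows with
   the table size means the keys collide and lookups have degraded to O(n). *)
let longest_chain tbl =
  let s = Hashtbl.stats tbl in
  s.Hashtbl.max_bucket_length

let () =
  let tbl = make_untrusted_table () in
  (* Constructed keys standing in for attacker-controlled input such as
     query parameter or header names. *)
  for i = 1 to 10_000 do
    Hashtbl.replace tbl (Printf.sprintf "param%d" i) i
  done;
  Printf.printf "randomized=%b bindings=%d buckets=%d longest chain=%d\n"
    (Hashtbl.is_randomized ())
    (Hashtbl.length tbl)
    (Hashtbl.stats tbl).Hashtbl.num_buckets
    (longest_chain tbl)
```

The rule is purely syntactic: a bare Hashtbl.create placed after Hashtbl.randomize () is still reported, because only the ~random:true argument is recognized by the pattern-not.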
Short Link: https://sg.run/OrPrk