• Home
• org.sonarsource.javascript
• javascript-checks
• 10.14.0.26080
• source code
• S5693.html

×

Project download

Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance.
Project price only 1 $

You can buy this project and download/modify it how often you want.

org.sonar.l10n.javascript.rules.javascript.S5693.html Maven / Gradle / Ivy

Rejecting requests with significant content length is a good practice to control the network traffic intensity and thus resource consumption in
order to prevent DoS attacks.
Ask Yourself Whether

  
 size limits are not defined for the different resources of the web application. 
  
 the web application is not protected by rate limiting features. 
  
 the web application infrastructure has limited resources. 

There is a risk if you answered yes to any of those questions.
Recommended Secure Coding Practices

  
 For most of the features of an application, it is recommended to limit the size of requests to:
    

      
 lower or equal to 8mb for file uploads. 
      
 lower or equal to 2mb for other requests. 
    
  

It is recommended to customize the rule with the limit values that correspond to the web application.
Sensitive Code Example
formidable file upload module:
const form = new Formidable();
form.maxFileSize = 10000000; // Sensitive: 10MB is more than the recommended limit of 8MB

const formDefault = new Formidable(); // Sensitive, the default value is 200MB

multer (Express.js middleware) file upload module:
let diskUpload = multer({
  storage: diskStorage,
  limits: {
    fileSize: 10000000; // Sensitive: 10MB is more than the recommended limit of 8MB
  }
});

let diskUploadUnlimited = multer({ // Sensitive: the default value is no limit
  storage: diskStorage,
});

body-parser module:
// 4MB is more than the recommended limit of 2MB for non-file-upload requests
let jsonParser = bodyParser.json({ limit: "4mb" }); // Sensitive
let urlencodedParser = bodyParser.urlencoded({ extended: false, limit: "4mb" }); // Sensitive

Compliant Solution
formidable file upload module:
const form = new Formidable();
form.maxFileSize = 8000000; // Compliant: 8MB

multer (Express.js middleware) file upload module:
let diskUpload = multer({
  storage: diskStorage,
  limits: {
     fileSize: 8000000 // Compliant: 8MB
  }
});

body-parser module:
let jsonParser = bodyParser.json(); // Compliant, when the limit is not defined, the default value is set to 100kb
let urlencodedParser = bodyParser.urlencoded({ extended: false, limit: "2mb" }); // Compliant

See

  
 OWASP - Top 10 2021 Category A5 - Security Misconfiguration 
  
 Owasp Cheat Sheet - Owasp Denial of Service
  Cheat Sheet 
  
 OWASP - Top 10 2017 Category A6 - Security
  Misconfiguration 
  
 CWE - CWE-770 - Allocation of Resources Without Limits or Throttling 
  
 CWE - CWE-400 - Uncontrolled Resource Consumption