reintroduce the reverted qhelp

2026-04-28 10:15:14 +02:00 · 2022-04-12 16:33:06 +02:00
parent ebf9ba7250
commit d64df30724
5 changed files with 106 additions and 2 deletions
--- a/javascript/ql/src/Security/CWE-770/ResourceExhaustion.qhelp
+++ b/javascript/ql/src/Security/CWE-770/ResourceExhaustion.qhelp
@@ -33,8 +33,60 @@

 		<p>

-			The following example lets a user choose a delay after
-			which a function is executed:
+		<p>
+
+			The following example allocates a buffer with a user-controlled
+			size.
+
+		</p>
+
+		<sample src="examples/ResourceExhaustion_buffer.js" />
+
+		<p>
+
+			This is problematic since an attacker can choose a size
+			that makes the application run out of memory. Even worse, in older
+			versions of Node.js, this could leak confidential memory.
+
+			To prevent such attacks, limit the buffer size:
+
+		</p>
+
+		<sample src="examples/ResourceExhaustion_buffer_fixed.js" />
+
+	</example>
+
+	<example>
+
+		<p>
+
+			As another example, consider an application that allocates an
+			array with a user-controlled size, and then fills it with values:
+
+		</p>
+
+		<sample src="examples/ResourceExhaustion_array.js" />
+
+		<p>
+			The allocation of the array itself is not problematic since arrays are
+			allocated sparsely, but the subsequent filling of the array will take
+			a long time, causing the application to be unresponsive, or even run
+			out of memory.
+
+			Again, a limit on the size will prevent the attack:
+
+		</p>
+
+		<sample src="examples/ResourceExhaustion_array_fixed.js" />
+
+	</example>
+
+	<example>
+
+		<p>
+
+			Finally, the following example lets a user choose a delay after
+            which a function is executed:

 		</p>

--- a/javascript/ql/src/Security/CWE-770/examples/ResourceExhaustion_array.js
+++ b/javascript/ql/src/Security/CWE-770/examples/ResourceExhaustion_array.js
@@ -0,0 +1,10 @@
+var http = require("http"),
+    url = require("url");
+
+var server = http.createServer(function(req, res) {
+	var size = parseInt(url.parse(req.url, true).query.size);
+
+	let dogs = new Array(size).fill(x => "dog"); // BAD
+
+	// ... use the dog
+});
--- a/javascript/ql/src/Security/CWE-770/examples/ResourceExhaustion_array_fixed.js
+++ b/javascript/ql/src/Security/CWE-770/examples/ResourceExhaustion_array_fixed.js
@@ -0,0 +1,16 @@
+var http = require("http"),
+    url = require("url");
+
+var server = http.createServer(function(req, res) {
+	var size = parseInt(url.parse(req.url, true).query.size);
+
+	if (size > 1024) {
+		res.statusCode = 400;
+		res.end("Bad request.");
+		return;
+	}
+
+	let dogs = new Array(size).fill(x => "dog"); // GOOD
+
+	// ... use the dogs
+});
--- a/javascript/ql/src/Security/CWE-770/examples/ResourceExhaustion_buffer.js
+++ b/javascript/ql/src/Security/CWE-770/examples/ResourceExhaustion_buffer.js
@@ -0,0 +1,10 @@
+var http = require("http"),
+    url = require("url");
+
+var server = http.createServer(function(req, res) {
+	var size = parseInt(url.parse(req.url, true).query.size);
+
+	let buffer = Buffer.alloc(size); // BAD
+
+	// ... use the buffer
+});
--- a/javascript/ql/src/Security/CWE-770/examples/ResourceExhaustion_buffer_fixed.js
+++ b/javascript/ql/src/Security/CWE-770/examples/ResourceExhaustion_buffer_fixed.js
@@ -0,0 +1,16 @@
+var http = require("http"),
+    url = require("url");
+
+var server = http.createServer(function(req, res) {
+	var size = parseInt(url.parse(req.url, true).query.size);
+
+	if (size > 1024) {
+		res.statusCode = 400;
+		res.end("Bad request.");
+		return;
+	}
+
+	let buffer = Buffer.alloc(size); // GOOD
+
+	// ... use the buffer
+});