Rule Definition
The software has a loop body or loop condition that contains a control element that directly or indirectly consumes platform resources, e.g. messaging, sessions, locks, or file descriptors.
This issue can make the software perform more slowly. If an attacker can influence the number of iterations in the loop, then this performance problem might allow a denial of service by consuming more platform resources than intended.
Remediation
Ensure you only have one routing handler per path.
Violation Code Sample
// multiple handler for the same path /foo
import { Express } from '../../src/express';
var app = new Express()
app.get('/foo', function (req, res) {
res.send('hi');
});
// add a second foo route handler
app.get('/foo', function (req, res) {
res.send('hi2');
});
// call in a loop for the same path /foo
for (i = 0; i < paths.length; i++) {
app.get('/foo', function (req, res) {
res.send('hi ' + paths[i]);
});
}
console.log('stack', app._router.stack);
app.listen(3000);
Fixed Code Sample
// multiple handler for the same path /foo
import { Express } from '../../src/express';
var app = new Express()
app.get('/foo', function (req, res) {
res.send('hi');
});
// add a second foo route handler
app.get('/foo2', function (req, res) {
res.send('hi2');
});
// call in a loop for different paths
for (i = 0; i < paths.length; i++) {
app.get('/foo'+paths[i], function (req, res) {
res.send('hi ' + paths[i]);
});
}
console.log('stack', app._router.stack);
app.listen(3000);
Reference
CISQ Recommendation: ASCPEM-PRF-08
http://techblog.netflix.com/2014/11/nodejs-in-flames.html
Related Technologies
Technical Criterion
CWE-1050 - Excessive Platform Resource Consumption within a Loop
About CAST Appmarq
CAST Appmarq is by far the biggest repository of data about real IT systems. It's built on thousands of analyzed applications, made of 35 different technologies, by over 300 business organizations across major verticals. It provides IT Leaders with factual key analytics to let them know if their applications are on track.