Integer Overflow in Feathersjs with Dynamodb

An integer overflow in a Feathersjs service that uses Dynamodb can occur when user-supplied numeric input is used to calculate values such as array sizes, pagination limits, or resource identifiers before being passed to a DynamoDB expression. JavaScript numbers are IEEE-754 double-precision floating-point values; arithmetic that exceeds Number.MAX_SAFE_INTEGER (9,007,199,254,740,991) can lose precision or wrap in unexpected ways. If such a value is used to build a DynamoDB KeyConditionExpression or a numeric attribute value without validation, it may produce an invalid key, bypass intended access controls, or trigger unexpected behavior in downstream logic.

Consider a Feathersjs service that accepts a numeric quantity and a basePrice to compute a total before storing an order in DynamoDB:

// Risky: unchecked user input used in arithmetic
app.service('orders').create({
  quantity: req.body.quantity,  // user-controlled
  basePrice: req.body.basePrice,
  total: req.body.quantity * req.body.basePrice
});

If quantity is large enough, the multiplication can overflow, producing a small or zero total that bypasses price validation. When this value is passed to DynamoDB, the stored record may misrepresent the financial terms. Moreover, if the overflowed integer is used to construct pagination tokens or limit/offset parameters, an attacker can navigate beyond intended result sets or trigger errors that expose stack traces or internal field names.

Dynamodb-specific exposure arises when expressions rely on numeric comparisons that assume safe integer ranges. For example, a condition like userId = :uid AND amount <= :max may behave incorrectly if :max wraps to a negative value due to overflow, potentially returning unintended items or causing a query to fail in ways that reveal schema details. The combination of Feathersjs’s flexible service hooks and DynamoDB’s strongly-typed attribute system means unchecked numeric inputs can propagate into key conditions, filter expressions, or update operations, increasing the risk of authorization bypass or data exposure.

To mitigate, treat all numeric input as untrusted, validate ranges before arithmetic, and avoid using raw user values in DynamoDB key expressions. Use explicit BigInt handling or server-side computation where large integers are required, and enforce schema validation at the service layer to ensure values remain within safe bounds before they reach DynamoDB.

Apply input validation and safe arithmetic in Feathersjs hooks before values are used in DynamoDB expressions. Use Joi or another schema validator to enforce integer bounds and reject values that could overflow. When arithmetic is necessary, perform operations using BigInt or server-side utilities rather than raw user input.

Example: validating and computing safely in a Feathersjs before hook:

const { Joi } = require('feathers-hooks-common');

app.service('orders').hooks({
  before: {
    create: [
      Joi.validate({
        quantity: Joi.number().integer().min(1).max(10000).required(),
        basePrice: Joi.number().positive().required()
      }),
      (context) => {
        // Use BigInt to avoid overflow
        const quantity = BigInt(context.data.quantity);
        const basePrice = BigInt(context.data.basePrice);
        context.data.total = Number(quantity * basePrice); // ensure result fits Number if needed
        return context;
      }
    ]
  }
});

When building DynamoDB expressions, prefer server-computed values and avoid embedding raw user integers in key conditions. For example, use a fixed partition key design and compute safe sort keys on the server:

const AWS = require('aws-sdk');
const dynamodb = new AWS.DynamoDB.DocumentClient();

app.service('orders').hooks({
  before: {
    create: async (context) => {
      const userId = context.params.user.id; // authenticated id from auth service
      const quantity = Number(context.data.quantity);
      const basePrice = Number(context.data.basePrice);
      const total = quantity * basePrice;

      const params = {
        TableName: 'orders',
        Item: {
          userId: userId,            // partition key
          orderId: context.data.orderId || uuidv4(),
          quantity: quantity,
          basePrice: basePrice,
          total: total,
          createdAt: new Date().toISOString()
        }
      };
      await dynamodb.put(params).promise();
      return context;
    }
  }
});

For queries that use numeric conditions, ensure the values are bounded and originate from server-side logic rather than direct user input. If you must filter by a numeric attribute, validate and sanitize the filter values:

app.service('orders').hooks({
  before: {
    find: (context) => {
      const maxTotal = Number(context.params.query.maxTotal);
      if (!Number.isFinite(maxTotal) || maxTotal < 0 || maxTotal > 1e12) {
        throw new Error('Invalid range for maxTotal');
      }
      // Use ExpressionAttributeValues to avoid injection and ensure type safety
      context.params.query.$limit = 100;
      context.params.dynamodb = {
        ExpressionAttributeValues: {
          ':maxTotal': { N: maxTotal.toString() }
        },
        FilterExpression: 'total <= :maxTotal'
      };
      return context;
    }
  }
});

These patterns reduce the risk of integer overflow by constraining input ranges, using safe numeric representations, and keeping arithmetic on the server. Combined with runtime scanning that checks for authentication, data exposure, and input validation issues, they help maintain integrity when Feathersjs services interact with DynamoDB.