Out Of Bounds Read in Adonisjs with Cockroachdb
Out Of Bounds Read in Adonisjs with Cockroachdb — how this specific combination creates or exposes the vulnerability
An Out Of Bounds Read occurs when an application reads memory beyond the intended allocation. In the Adonisjs + Cockroachdb context, this typically arises from unsafe data handling between the database driver/ORM and application logic, where untrusted input influences offsets or lengths used during query result processing.
Adonisjs relies on its ORM (Lucid) to interact with Cockroachdb. If developer code constructs queries using unchecked user input for pagination, array slicing, or buffer calculations—such as offset and limit parameters derived directly from request query strings—the ORM may generate SQL that returns more rows than expected. During result hydration, Node.js buffers or JavaScript TypedArrays might be used to hold row data; if length values are not validated, reads can extend past the allocated buffer boundary.
Cockroachdb’s wire protocol and result streaming can exacerbate this when large rows or unexpected column counts are returned. For example, an unvalidated page parameter can cause the application to request extreme offsets, shifting the result window and potentially exposing memory contents in subsequent reads. In Adonisjs, this often surfaces in controller actions that manually compute offsets without sanitizing integer inputs or bounds checking array accesses after fetching rows.
Consider an endpoint that fetches a user’s activity log:
const { request } = useRequest()
const page = request.qs().page || 1
const limit = request.qs().limit || 50
const logs = await ActivityLog.query()
.where('user_id', userId)
.offset((page - 1) * limit)
.limit(limit)
.fetch()
If page or limit are not strictly validated as positive integers within safe ranges, the computed offset may wrap or exceed internal buffer sizes. Cockroachdb will still return rows based on the SQL offset/limit, but the Adonisjs layer might misinterpret row counts or column metadata, leading to incorrect buffer length assumptions during row deserialization—an Out Of Bounds Read vector.
Another scenario involves dynamic column selection. If an endpoint allows clients to specify which columns to return via a query parameter without strict allowlisting, an attacker might request columns that do not exist or trigger unexpected type coercion. Cockroachdb returns result metadata that Adonisjs must map to models; if field indices are used directly to access row buffers without verifying column count, an index derived from malicious input can point outside the allocated memory region.
Real-world exploitation relies on chaining unchecked input with Cockroachdb’s behavior: it does not inherently prevent extreme offsets and will stream results as requested. The risk in Adonisjs is not in Cockroachdb itself but in how the framework handles result sets—particularly when using low-level access patterns or custom row mappers that assume bounded input. This combination turns typical pagination or filtering features into potential read primitives over adjacent memory.
Cockroachdb-Specific Remediation in Adonisjs — concrete code fixes
Remediation focuses on input validation, safe pagination patterns, and defensive handling of query results in Adonisjs when communicating with Cockroachdb.
First, enforce strict validation for pagination parameters using Adonisjs schema validation:
import { schema } from '@ioc:Adonis/Core/Validator'
const paginationSchema = schema.create({
page: schema.number.optional([rules.positive(), rules.max(10000)]),
limit: schema.number.optional([rules.positive(), rules.max(1000)])
})
export default class ActivityController {
public async index({ request, auth }) {
const payload = await request.validate({ schema: paginationSchema })
const page = payload.page || 1
const limit = payload.limit || 50
const logs = await ActivityLog.query()
.where('user_id', auth.user.id)
.offset((page - 1) * limit)
.limit(limit)
.fetch()
return logs
}
}
Second, avoid raw offset/limit abuse by using cursor-based pagination where feasible. With Cockroachdb, keyset pagination is more stable and avoids extreme offsets:
const lastId = request.qs().cursor || null
const logs = await ActivityLog.query()
.where('user_id', auth.user.id)
.if(lastId, (query) => query.where('id', '>', lastId))
.orderBy('id', 'asc')
.limit(limit + 1) // fetch one extra to detect more pages
.fetch()
const hasMore = logs.rows.length > limit
const data = hasMore ? logs.rows.slice(0, limit) : logs.rows
Third, when dynamic column selection is required, explicitly whitelist allowed columns and map them to known model attributes instead of relying on positional indices:
const allowedColumns = ['id', 'action', 'created_at']
const requestedColumns = request.qs().columns
? request.qs().columns.split(',').filter(col => allowedColumns.includes(col.trim()))
: allowedColumns
const logs = await ActivityLog.query()
.where('user_id', auth.user.id)
.select(...requestedColumns)
.limit(limit)
.fetch()
// Access by property name, not index
logs.rows.forEach(row => {
const action = row.action // safe property access
})
Finally, ensure that any manual buffer or array handling—such as when implementing custom row mappers or streaming parsers—performs explicit length checks before reading. In Node.js, prefer high-level ORM methods over direct buffer manipulation when working with Cockroachdb result sets through Adonisjs.