HIGH out of bounds writefeathersjs

Out Of Bounds Write in Feathersjs

Scan for out of bounds write in feathersjs

How Out Of Bounds Write Manifests in Feathersjs

Out Of Bounds Write (OOBW) in Feathersjs occurs when an application writes data beyond the intended boundaries of an array, buffer, or object structure. In Feathersjs, this vulnerability often manifests through improper handling of array indices in service methods, particularly when processing user-supplied data that determines array positions.

A common Feathersjs-specific pattern involves service methods that accept array parameters for bulk operations. Consider a service that processes batch updates where the client specifies which records to modify:

class BatchService extends Service {
  async updateMultiple(data) {
    const { ids, updates } = data;
    
    // Vulnerable: No bounds checking on ids array
    return Promise.all(ids.map((id, index) => {
      return this.patch(id, updates[index]);
    }));
  }
}

In this Feathersjs service, if a malicious client sends more updates than ids, the code will attempt to write to non-existent array positions. The updates[index] access can return undefined, causing unexpected behavior or data corruption.

Another Feathersjs-specific manifestation occurs with params.query handling in hooks. Feathersjs passes query parameters through the params.query object, and developers often use these parameters to determine array bounds:

const { hooks } = require('feathers-authentication-hooks');

module.exports = {
  before: {
    find: hooks.authenticate('jwt'),
    update: async (context) => {
      const { id, data } = context;
      const { fields } = context.params.query;
      
      // Vulnerable: No validation of fields array length
      if (fields.includes('permissions')) {
        const user = await context.app.service('users').get(id);
        user.permissions = data.permissions;
        return user;
      }
    }
  }
};

The fields array from params.query can be manipulated to trigger out-of-bounds access when combined with other array operations in the service logic.

Feathersjs-Specific Detection

Detecting Out Of Bounds Write vulnerabilities in Feathersjs requires both static code analysis and runtime scanning. middleBrick's black-box scanning approach is particularly effective for Feathersjs applications because it tests the actual API endpoints without requiring source code access.

When scanning a Feathersjs API with middleBrick, the scanner tests for OOBW by sending crafted requests that manipulate array parameters and query strings. For example, middleBrick will test:

  • Array parameters with mismatched lengths (more update objects than target IDs)
  • Query parameters that influence array indexing logic
  • Batch operations with boundary-case array sizes
  • Recursive data structures that could trigger stack overflows

middleBrick's scanner specifically identifies Feathersjs patterns by examining:

{
  "endpoint": "/api/messages",
  "method": "PATCH",
  "payload": {
    "ids": ["507f1f77bcf86cd799439011", "507f1f77bcf86cd799439012"],
    "updates": [{"text": "updated1"}, {"text": "updated2"}, {"text": "updated3"}]
  },
  "vulnerability": "Out Of Bounds Write",
  "severity": "high",
  "remediation": "Validate array lengths before processing batch operations"
}

The scanner also checks for Feathersjs-specific service patterns, such as hooks that modify context.result arrays or services that use fastJoin resolvers with array parameters.

For developers working with Feathersjs locally, static analysis tools can help identify potential OOBW issues:

const { ESLint } = require('eslint');

const eslint = new ESLint({
  overrideConfigFile: '.eslintrc.js'
});

// Check for patterns like: array[index] without bounds validation
const results = await eslint.lintFiles(['services/**/*.js']);

middleBrick's continuous monitoring feature (Pro plan) can automatically re-scan your Feathersjs API endpoints on a schedule, alerting you if new OOBW vulnerabilities are introduced in updates.

Feathersjs-Specific Remediation

Remediating Out Of Bounds Write vulnerabilities in Feathersjs requires a combination of input validation, bounds checking, and defensive programming patterns. The most effective approach is to validate array parameters before processing them in your service methods.

Here's a secure implementation of the batch update service:

const { BadRequest } = require('@feathersjs/errors');

class SecureBatchService extends Service {
  async updateMultiple(data) {
    const { ids, updates } = data;
    
    // Validate array lengths match
    if (!Array.isArray(ids) || !Array.isArray(updates) || ids.length !== updates.length) {
      throw new BadRequest('IDs and updates arrays must be the same length');
    }
    
    // Validate array bounds
    if (ids.length > 100) {
      throw new BadRequest('Maximum 100 items per batch request');
    }
    
    return Promise.all(ids.map((id, index) => {
      return this.patch(id, updates[index]);
    }));
  }
}

For query parameter validation in Feathersjs hooks, use the hooks.validate utility:

const { hooks } = require('feathers-authentication-hooks');
const { BadRequest } = require('@feathersjs/errors');

module.exports = {
  before: {
    find: hooks.authenticate('jwt'),
    update: [
      async (context) => {
        const { fields } = context.params.query;
        
        // Validate fields array
        if (fields && !Array.isArray(fields)) {
          throw new BadRequest('fields must be an array');
        }
        
        if (fields && fields.length > 10) {
          throw new BadRequest('Maximum 10 fields allowed');
        }
      },
      async (context) => {
        const { id, data } = context;
        const { fields } = context.params.query;
        
        if (fields && fields.includes('permissions')) {
          const user = await context.app.service('users').get(id);
          user.permissions = data.permissions;
          return user;
        }
      }
    ]
  }
};

For Feathersjs applications using TypeScript, leverage type safety to prevent OOBW:

interface BatchUpdate {
  ids: string[];
  updates: Partial<User>[];
}

class TypeSafeBatchService extends Service {
  async updateMultiple(data: BatchUpdate) {
    if (data.ids.length !== data.updates.length) {
      throw new BadRequest('Array lengths must match');
    }
    
    return Promise.all(data.ids.map((id, index) => {
      return this.patch(id, data.updates[index]);
    }));
  }
}

middleBrick's Pro plan includes continuous monitoring that can alert you if these security controls are bypassed or if new OOBW vulnerabilities are introduced in your Feathersjs codebase.

Scan for out of bounds write in feathersjs Free API security scan

Frequently Asked Questions

How does middleBrick detect Out Of Bounds Write vulnerabilities in Feathersjs APIs?
middleBrick uses black-box scanning to test Feathersjs endpoints by sending crafted requests with manipulated array parameters. It specifically tests for mismatched array lengths, excessive array sizes, and query parameters that influence array indexing logic. The scanner identifies Feathersjs patterns and reports vulnerabilities with severity levels and remediation guidance.
Can middleBrick scan my Feathersjs API if it's behind authentication?
middleBrick's standard scanning works on unauthenticated endpoints. For authenticated Feathersjs APIs, you can use the Pro plan's continuous monitoring feature, which can scan APIs with authentication tokens. Alternatively, you can temporarily disable authentication for specific endpoints during security testing, then re-enable it.

Related Pages

Out Of Bounds Write in Feathersjs on DigitaloceanExplore Out Of Bounds Write risks in Feathersjs on Digitalocean, with code fixes for buffer validation and streaming.Out Of Bounds Write in Feathersjs on AwsLearn how Out Of Bounds Write risks arise in FeathersJS with AWS and apply concrete validation fixes with code examples.Out Of Bounds Write in Feathersjs on AzureUnderstand Out Of Bounds Write risks in FeathersJS on Azure with concrete remediation code examples and Azure integratioOut Of Bounds Write in Feathersjs on CloudflareExplore Out Of Bounds Write in Feathersjs behind Cloudflare, understand how the combo exposes risk, and apply concrete cPci Dss: Out Of Bounds Write in FeathersjsExplore how Out Of Bounds Write vulnerabilities manifest in FeathersJS under PCI DSS, with concrete remediation code exaSoc2: Out Of Bounds Write in FeathersjsExplore Out Of Bounds Write risks in Feathersjs, understand SOC 2 implications, and apply concrete code fixes with serviIso 27001: Out Of Bounds Write in FeathersjsExplore Out Of Bounds Write risks in FeathersJS aligned with ISO 27001. Learn detection patterns and remediation with coCis: Out Of Bounds Write in FeathersjsAnalyze Cis in Out Of Bounds Write with Feathersjs, understand the vulnerability mechanics, and apply concrete code fixeOut Of Bounds Write in Feathersjs with Jwt TokensUnderstand how Out Of Bounds Write vulnerabilities arise in FeathersJS with JWT tokens and apply concrete code fixes to Out Of Bounds Write in Feathersjs with Api KeysExplore Out Of Bounds Write risks in FeathersJS with API Keys, including validation pitfalls and secure coding patterns.Out Of Bounds Write in Feathersjs with Hmac SignaturesExplore Out Of Bounds Write risks in FeathersJS with Hmac Signatures, understand the interaction, and apply concrete codOut Of Bounds Write in Feathersjs with Basic AuthExplore Out Of Bounds Write risks in FeathersJS with Basic Auth, understand how authentication and input validation inte