JavaScript

JavaScript

By DeepSource

ajv configuration is vulnerable to DoS attacks JS-S1013

Security
Autofix

Setting the allErrors option in ajv to true leads to all errors being reported and allocated in memory without any limits. This may pose a resource consumption risk if the data being validated is coming from an external entity or user input.

An attacker can deliberately try to perform validation on data that has been specifically constructed to introduce a high number of errors with long error messages. This can lead to an increase in resource consumption and disrupt your service, leading to a denial of service attack.

Not setting allErrors to true will make sure ajv reports only the first error raised during validation.

Bad Practice

import Ajv from 'ajv';
let ajv = new Ajv({ allErrors: true }); // `allErrors` has been set to true
ajv.addSchema(require('./json-schema'), 'schema');

app.get('/post/:id', (req, res) => {
    ajv.validate('schema', req.body)
});

Recommended

import Ajv from 'ajv';

let ajv = new Ajv(); // By default `allErrors` is false 
// or
ajv = new Ajv({ allErrors: false }); // `allErrors` has been set to false

ajv.addSchema(require('./json-schema'), 'schema');

app.get('/post/:id', (req, res) => {
    ajv.validate('schema', req.body)
});

References