ajv configuration is vulnerable to DoS attacks (JS-S1013)

Setting the `allErrors` option in ajv to `true` makes the validator report every error it finds, and every error object is allocated in memory with no upper bound. This is a resource-consumption risk whenever the data being validated comes from an external entity or from user input.

An attacker can deliberately submit data constructed to trigger a very large number of validation errors, each carrying a long error message. Collecting all of them inflates memory and CPU usage for a single request and can disrupt the service, leading to a denial of service.

Leaving `allErrors` unset (it defaults to `false`), or setting it to `false` explicitly, makes ajv stop at the first error raised during validation, so the error list stays bounded regardless of the size or shape of the input.
Bad practice

import Ajv from 'ajv';
import express from 'express';

const app = express();
app.use(express.json()); // parse JSON bodies so `req.body` is populated

let ajv = new Ajv({ allErrors: true }); // `allErrors` has been set to true
ajv.addSchema(require('./json-schema'), 'schema');

app.get('/post/:id', (req, res) => {
  // With `allErrors: true`, every violation in the untrusted body is collected in `ajv.errors`
  const valid = ajv.validate('schema', req.body);
  res.status(valid ? 200 : 400).json({ valid, errors: ajv.errors });
});
Recommended

import Ajv from 'ajv';
import express from 'express';

const app = express();
app.use(express.json()); // parse JSON bodies so `req.body` is populated

let ajv = new Ajv(); // By default `allErrors` is false
// or
ajv = new Ajv({ allErrors: false }); // `allErrors` has been set to false
ajv.addSchema(require('./json-schema'), 'schema');

app.get('/post/:id', (req, res) => {
  // Validation stops at the first violation, so `ajv.errors` holds at most one entry
  const valid = ajv.validate('schema', req.body);
  res.status(valid ? 200 : 400).json({ valid, errors: ajv.errors });
});