ajv configuration is vulnerable to DoS attacks JS-S1013
Security
Critical
Autofix
a03
sans top 25
owasp top 10
cwe-400
Setting the allErrors option in ajv to true leads to all errors being reported and allocated in memory without any limits.
This may pose a resource consumption risk if the data being validated is coming from an external entity or user input.
An attacker can deliberately try to perform validation on data that has been specifically constructed to introduce a high number of errors with long error messages. This can lead to an increase in resource consumption and disrupt your service, leading to a denial of service attack.
Not setting allErrors to true will make sure ajv reports only the first error raised during validation.
Bad Practice
import Ajv from 'ajv';
let ajv = new Ajv({ allErrors: true }); // `allErrors` has been set to true
ajv.addSchema(require('./json-schema'), 'schema');
app.get('/post/:id', (req, res) => {
ajv.validate('schema', req.body)
});
Recommended
import Ajv from 'ajv';
let ajv = new Ajv(); // By default `allErrors` is false
// or
ajv = new Ajv({ allErrors: false }); // `allErrors` has been set to false
ajv.addSchema(require('./json-schema'), 'schema');
app.get('/post/:id', (req, res) => {
ajv.validate('schema', req.body)
});