Skip to content

Latest commit

 

History

History
87 lines (68 loc) · 5.27 KB

mitigations.md

File metadata and controls

87 lines (68 loc) · 5.27 KB

Mitigation Strategies Analysis for ljharb/qs

Mitigation Strategy: Strict Configuration (No Prototype Pollution)

Description:

  1. Locate all qs.parse() calls: Identify every instance where the qs.parse() function is used within the application's codebase.
  2. Explicitly set allowPrototypes: false: Ensure that every call to qs.parse() includes the option { allowPrototypes: false }. This prevents the parser from creating objects with properties inherited from the global Object prototype. Example: qs.parse(queryString, { allowPrototypes: false }).
  3. Consider plainObjects: true: Add the option { plainObjects: true } to every call to qs.parse(). This forces qs to always return plain objects, further reducing the risk of prototype pollution. Example: qs.parse(queryString, { allowPrototypes: false, plainObjects: true }).
  4. Centralize Parsing (Optional): If feasible, create a wrapper function around qs.parse() to enforce these settings consistently.

  • List of Threats Mitigated:

    • Prototype Pollution (Severity: High): Prevents attackers from injecting properties into the global Object prototype.
    • Unexpected Application Behavior (Severity: Medium): Reduces unexpected behavior caused by inherited properties.

  • Impact:

    • Prototype Pollution: Risk reduced significantly (close to elimination).
    • Unexpected Application Behavior: Risk reduced moderately.

  • Currently Implemented:

    • Example: Partially implemented. allowPrototypes: false is used in server/routes/api.js, but plainObjects: true is not consistently applied.

  • Missing Implementation:

    • Example: Missing in client/utils/urlParser.js and server/middleware/queryLogger.js. plainObjects: true is also missing in several locations.

Mitigation Strategy: Input Size and Depth Limits (via qs Options)

Description:

  1. Identify qs.parse() calls: Locate all instances of qs.parse().
  2. Set depth: Add the depth option with a reasonable value (e.g., 5-10). Example: qs.parse(queryString, { depth: 5 }).
  3. Set arrayLimit: Add the arrayLimit option (e.g., 100-200). Example: qs.parse(queryString, { arrayLimit: 100 }).
  4. Set parameterLimit: Add the parameterLimit option (e.g., 1000-2000). Example: qs.parse(queryString, { parameterLimit: 1000 }).
  5. Set parseArrays: Add the parseArrays option set to false. Example: qs.parse(queryString, { parseArrays: false }).

  • List of Threats Mitigated:

    • Denial of Service (DoS) (Severity: High): Prevents excessively large or deeply nested query strings from crashing the application.
    • Resource Exhaustion (Severity: Medium): Reduces the risk of the application running out of memory or CPU.

  • Impact:

    • Denial of Service: Risk reduced significantly.
    • Resource Exhaustion: Risk reduced moderately.

  • Currently Implemented:

    • Example: parameterLimit is set in server/routes/api.js, but depth, arrayLimit and parseArrays are not.

  • Missing Implementation:

    • Example: depth, arrayLimit and parseArrays are missing in all qs.parse() calls.

Mitigation Strategy: Custom Decoder Function (Using qs's decoder Option)

Description:

  1. Identify Critical Parameters: Determine which query string parameters are most sensitive.
  2. Implement a decoder Function: Create a custom decoding function.
  3. Custom Decoding Logic: Within the decoder function, implement custom logic to decode and validate the values of critical parameters.
  4. Example: 
    const parsed = qs.parse(queryString, {
    decoder: function (str, defaultDecoder, charset, type) {
        if (type === 'key') {
            return defaultDecoder(str, defaultDecoder, charset);
        } else if (str === 'secretToken') {
            if (!/^[a-zA-Z0-9]{32}$/.test(str)) {
                throw new Error("Invalid secret token");
            }
            return str;
        } else {
            return defaultDecoder(str, defaultDecoder, charset);
        }
    }
});

  • List of Threats Mitigated:

    • Unexpected Application Behavior (Severity: Medium): Provides control over how query string values are interpreted.
    • Type Coercion Vulnerabilities (Severity: Low-Medium): Allows for precise control over type conversions.
    • Injection Attacks (Severity: Medium-High): If used to sanitize input, can help prevent injection attacks (but this is not a primary defense).

  • Impact:

    • Unexpected Application Behavior: Risk reduced significantly.
    • Type Coercion Vulnerabilities: Risk reduced significantly.
    • Injection Attacks: Risk reduced moderately (relies on proper implementation).

  • Currently Implemented:

    • Example: Not implemented anywhere.

  • Missing Implementation:

    • Example: Missing entirely. Should be considered for critical parameters.