Skip to content

Latest commit

 

History

History
81 lines (62 loc) · 9.73 KB

mitigations.md

File metadata and controls

81 lines (62 loc) · 9.73 KB

Mitigation Strategies Analysis for nodejs/readable-stream

Mitigation Strategy: Backpressure Implementation and Resource Management with readable-stream

  • Description:

    1. Utilize pipe() for Backpressure: Employ the stream.pipe(destinationStream) method whenever possible to connect readable and writable streams. pipe() automatically manages backpressure by pausing the readable stream when the destination stream is not ready to accept more data and resuming it when it is.
    2. Handle writable.write() Return Value and drain Event: When writing to a writable stream using writable.write(chunk), always check the return value. If writable.write() returns false, it indicates that the stream's internal buffer is full. Stop writing and listen for the drain event on the writable stream. Only resume writing after the drain event is emitted, signaling that the buffer has cleared.
    3. Employ pause() and resume() for Manual Backpressure Control: In scenarios where pipe() is not suitable or finer control is needed, use readable.pause() to temporarily stop data flowing from a readable stream and readable.resume() to restart it. Implement logic in the consumer to call pause() when it's busy and resume() when it's ready for more data.
    4. Implement Stream Size Limits: For readable streams, especially those from external sources, implement logic to track the amount of data read. If a stream exceeds a predefined size limit, destroy the stream using stream.destroy() to prevent unbounded resource consumption.
    5. Set Timeouts for Stream Operations: Implement timeouts for operations involving readable and writable streams. For example, set a timeout for reading data from a readable stream or writing data to a writable stream. If a timeout occurs, destroy the stream to prevent indefinite operations.

    • Threats Mitigated:

      • Denial of Service (DoS) via Resource Exhaustion: High severity. Uncontrolled streams can consume excessive memory, CPU, or file descriptors due to lack of backpressure or stream limits.
      • Buffer Overflow: Medium severity. Without backpressure, stream buffers can overflow, potentially leading to crashes or unexpected behavior in stream processing logic.

    • Impact:

      • DoS via Resource Exhaustion: High risk reduction. Proper backpressure and stream limits using readable-stream APIs effectively prevent resource exhaustion from uncontrolled streams.
      • Buffer Overflow: High risk reduction. Correctly using pipe(), writable.write() return value, and pause/resume prevents buffer overflows within stream pipelines.

    • Currently Implemented:

      • pipe() is used extensively throughout the application for stream processing, providing basic backpressure handling.
      • Timeouts are implemented for HTTP requests involving streams in the http-client module, but these are more at the HTTP level, not specifically readable-stream timeouts.

    • Missing Implementation:

      • Explicit checks for writable.write() return value and drain event handling are missing in some stream processing modules, potentially leading to backpressure issues under heavy load when using custom writable streams.
      • Maximum stream size limits are not enforced for file uploads or API data streams processed using readable-stream, making the application vulnerable to DoS via large data streams.
      • readable-stream level timeouts for read/write operations are not consistently implemented, especially for long-running stream processes.

Mitigation Strategy: Error Handling in readable-stream Operations

  • Description:

    1. Attach error Event Listeners to Streams: For every readable and writable stream created or used in the application, attach an error event listener.
    2. Handle Stream Errors in Listeners: Within the error event listener function:
      • Log the Error: Log the error object and relevant context information (e.g., stream source, stream type) for debugging and monitoring. Ensure sensitive data is not logged.
      • Destroy the Stream: Call stream.destroy(err) to properly close the stream and release associated resources. Passing the error object to destroy() will emit an 'error' event on streams piped to this stream, propagating the error.
      • Clean Up Resources: Release any resources associated with the stream operation, such as temporary files or database connections, within the error handler.
      • Prevent Unhandled Exceptions: Ensure that stream errors are properly handled and do not lead to unhandled exceptions that could crash the application.

    • Threats Mitigated:

      • Operational Instability: Medium severity. Unhandled errors in readable-stream operations can lead to application crashes, resource leaks, and unpredictable behavior.
      • Resource Leaks: Medium severity. Without proper error handling and stream destruction, resources associated with streams might not be released in error scenarios.

    • Impact:

      • Operational Instability: High risk reduction. Robust error handling using readable-stream's error events prevents crashes and improves application stability when stream errors occur.
      • Resource Leaks: Medium risk reduction. Proper stream destruction in error handlers helps prevent resource leaks.

    • Currently Implemented:

      • Basic error listeners are attached to streams in some modules, logging errors to a central logging service.

    • Missing Implementation:

      • Consistent error handling is missing across all readable-stream operations. Some modules lack proper error event listeners or stream destruction in error cases.
      • Resource cleanup within readable-stream error handlers is not consistently implemented.
      • Error propagation through stream pipelines using stream.destroy(err) is not always utilized to ensure errors are handled at appropriate levels.

Mitigation Strategy: Secure Stream Construction and Usage with readable-stream

  • Description:

    1. Validate Stream Sources (in the context of stream creation): When creating readable streams from external or potentially untrusted sources (e.g., wrapping network sockets, user-provided data), validate the source data or connection parameters before creating the readable-stream. This is about validating the input to the stream constructor, not the stream data itself (which is covered in input validation).
    2. Principle of Least Privilege for Stream Operations (related to stream usage): Ensure that code that uses or processes readable-stream instances runs with the minimum necessary privileges. Avoid running stream processing logic with elevated privileges if not absolutely required.
    3. Timeout Mechanisms for Stream Operations (using readable-stream APIs): Implement timeouts directly within stream operations using readable-stream APIs or related timer mechanisms. For example, use setTimeout in conjunction with stream reading or writing to enforce timeouts. If a timeout occurs, destroy the stream using stream.destroy().
    4. Proper Stream Disposal with stream.destroy(): Explicitly call stream.destroy() on readable and writable streams when they are no longer needed, especially in error scenarios or when stream processing is complete. This ensures that underlying resources are released promptly and prevents resource leaks.

    • Threats Mitigated:

      • Denial of Service (DoS) via Slowloris-like attacks (related to stream timeouts): Medium severity. Timeouts on readable-stream operations can help mitigate scenarios where slow data transmission or stalled streams exhaust resources.
      • Privilege Escalation (related to stream processing privileges): Medium severity. Running stream processing with excessive privileges increases the potential impact of vulnerabilities in stream handling code.
      • Resource Leaks (related to stream disposal): Medium severity. Improper stream disposal can lead to resource leaks over time, degrading application performance and potentially causing crashes.

    • Impact:

      • DoS via Slowloris-like attacks: Medium risk reduction. readable-stream level timeouts help prevent resource exhaustion from slow or stalled streams.
      • Privilege Escalation: Medium risk reduction. Principle of least privilege limits the impact of vulnerabilities in stream processing code.
      • Resource Leaks: Medium risk reduction. Explicit stream.destroy() usage improves resource management and reduces the risk of leaks.

    • Currently Implemented:

      • Timeouts are implemented for HTTP requests, which indirectly involve streams, but not specifically using readable-stream timeout mechanisms.
      • Streams are generally closed after use, but explicit stream.destroy() is not consistently used.

    • Missing Implementation:

      • readable-stream level timeouts for read/write operations are not consistently implemented for all stream operations, especially for long-running stream processes.
      • Principle of least privilege is not fully enforced for all services using readable-stream.
      • Explicit stream.destroy() is not consistently used for secure stream disposal, increasing the risk of resource leaks in error scenarios and normal operation completion.