Out Of Bounds Read in Feathersjs
How Out Of Bounds Read Manifests in Feathersjs
Out Of Bounds Read vulnerabilities in Feathersjs applications typically occur when code attempts to access array elements, object properties, or buffer data beyond their allocated boundaries. In Feathersjs, this often manifests through service methods that process user-supplied pagination parameters, filter conditions, or data transformations without proper bounds checking.
A common Feathersjs-specific pattern involves the skip and limit parameters in service queries. Consider this vulnerable service method:
class MessagesService extends Service {
async find(params) {
const { skip = 0, limit = 10 } = params.query;
const messages = await this._super(params);
// Vulnerable: no bounds checking on skip/limit
return messages.slice(skip, skip + limit);
}
}This code allows an attacker to specify extremely large skip values, potentially causing the application to read beyond the available message array. If the underlying data store returns fewer items than expected, slice may attempt to access memory beyond the array bounds.
Another Feathersjs-specific scenario involves $sort and $select parameters in MongoDB-like queries. When combined with array fields, improper validation can lead to out of bounds reads:
const service = new Service({
methods: ['find']
});
service.find = async (params) => {
const { query } = params;
const { $select, $sort } = query;
// Vulnerable: $select array indices not validated
const user = await this.app.service('users').get(params.user.id);
return $select.map(field => user[field]); // May access undefined properties
};Feathersjs hooks also present unique attack surfaces. A before hook that processes array data without length validation can trigger out of bounds reads:
const checkBoundsHook = async (context) => {
const { data } = context;
const items = data.items || [];
// Vulnerable: assumes items array has at least 5 elements
const firstFive = items.slice(0, 5);
const summary = firstFive.reduce((sum, item) => sum + item.value, 0);
context.result = { summary };
};When items contains fewer than 5 elements, the reduce operation may behave unexpectedly, especially if combined with other data processing steps that assume specific array lengths.
Feathersjs-Specific Detection
Detecting Out Of Bounds Read vulnerabilities in Feathersjs requires examining both the service layer and the data access patterns. Static analysis tools can identify risky code patterns, but runtime scanning provides more comprehensive coverage.
middleBrick's Feathersjs-specific detection capabilities include:
- Query parameter validation scanning for
skip,limit, and pagination parameters - Array access pattern analysis in service methods and hooks
- Database query boundary checking for MongoDB-like operators
- Hook chain analysis for data transformation vulnerabilities
- LLM endpoint security testing for AI-powered Feathersjs applications
To scan a Feathersjs API with middleBrick:
npm install -g middlebrick
middlebrick scan https://api.example.com/messages
The scanner automatically tests for out of bounds conditions by:
- Sending boundary-testing requests with extreme pagination values
- Analyzing error responses for array index out of bounds indicators
- Testing array field access patterns with malformed queries
- Checking hook execution paths for unvalidated array operations
middleBrick specifically identifies Feathersjs service patterns that may lead to out of bounds reads:
{
"findings": [
{
"category": "Input Validation",
"severity": "medium",
"feathersjs_pattern": "pagination",
"description": "Service method processes unvalidated skip/limit parameters",
"location": "/api/messages",
"remediation": "Add bounds checking for pagination parameters"
}
]
}For comprehensive coverage, integrate middleBrick into your Feathersjs development workflow:
# .github/workflows/security.yml
name: API Security Scan
on: [push, pull_request]
jobs:
security-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Run middleBrick Scan
run: middlebrick scan ${{ secrets.API_URL }} --format=json
- name: Fail on high severity findings
run: |
if [ $(middlebrick report | jq '.findings | map(select(.severity == "high")) | length') -gt 0 ]; then
exit 1
fiFeathersjs-Specific Remediation
Remediating Out Of Bounds Read vulnerabilities in Feathersjs requires implementing proper bounds checking and validation at multiple layers. Here are Feathersjs-specific remediation strategies:
1. Input Validation for Pagination Parameters
const validatePagination = (query) => {
const { skip = 0, limit = 10 } = query;
// Bounds checking
const maxLimit = 100;
const maxSkip = 10000;
if (skip < 0 || skip > maxSkip) {
throw new errors.BadRequest('Invalid skip parameter');
}
if (limit < 1 || limit > maxLimit) {
throw new errors.BadRequest('Invalid limit parameter');
}
return { skip: Math.min(skip, maxSkip), limit: Math.min(limit, maxLimit) };
};
class MessagesService extends Service {
async find(params) {
const validated = validatePagination(params.query);
const options = { ...params, query: { ...params.query, ...validated } };
return this._super(options);
}
}2. Safe Array Access in Hooks
const safeArrayHook = async (context) => {
const { data } = context;
const items = data.items || [];
// Safe array processing with bounds checking
const safeItems = items.slice(0, Math.min(5, items.length));
const summary = safeItems.reduce((sum, item) => {
return sum + (item.value || 0);
}, 0);
context.result = { summary };
return context;
};
module.exports = {
before: {
all: [safeArrayHook]
}
};3. MongoDB Query Validation
const validateMongoQuery = (query) => {
const { $select, $sort } = query || {};
if ($select) {
if (!Array.isArray($select)) {
throw new errors.BadRequest('$select must be an array');
}
// Validate field names exist in schema
const validFields = ['title', 'content', 'author', 'createdAt'];
const invalidFields = $select.filter(field => !validFields.includes(field));
if (invalidFields.length > 0) {
throw new errors.BadRequest(`Invalid fields: ${invalidFields.join(', ')}`);
}
}
if ($sort) {
const validSortKeys = ['title', 'createdAt', 'author'];
const invalidKeys = Object.keys($sort).filter(key => !validSortKeys.includes(key));
if (invalidKeys.length > 0) {
throw new errors.BadRequest(`Invalid sort keys: ${invalidKeys.join(', ')}`);
}
}
return query;
};
class ArticlesService extends Service {
async find(params) {
const validatedQuery = validateMongoQuery(params.query);
return this._super({ ...params, query: validatedQuery });
}
}4. Comprehensive Service-Level Validation
const boundsSafeService = class BoundsSafeService extends Service {
constructor(options) {
super(options);
this.maxLimit = 100;
this.maxSkip = 10000;
}
validatePagination(query) {
const { skip = 0, limit = 10 } = query;
if (typeof skip !== 'number' || skip < 0 || skip > this.maxSkip) {
throw new errors.BadRequest('Invalid skip value');
}
if (typeof limit !== 'number' || limit < 1 || limit > this.maxLimit) {
throw new errors.BadRequest('Invalid limit value');
}
return { skip, limit };
}
async find(params) {
const validated = this.validatePagination(params.query);
const options = { ...params, query: { ...params.query, ...validated } };
return super.find(options);
}
async get(id, params) {
// Validate ID format before database access
if (!/^[a-f0-9]{24}$/.test(id)) {
throw new errors.NotFound('Invalid ID format');
}
return super.get(id, params);
}
};
module.exports = boundsSafeService;Frequently Asked Questions
How does middleBrick detect Out Of Bounds Read vulnerabilities in Feathersjs APIs?
Can middleBrick scan my Feathersjs API during development?
middlebrick scan http://localhost:3030, integrate it into your CI/CD pipeline using the GitHub Action to automatically scan staging APIs before deployment, or use the MCP Server to scan APIs directly from your IDE. The free tier includes 3 scans per month, making it easy to test during development.