Out Of Bounds Write in Feathersjs with Hmac Signatures

An Out Of Bounds Write occurs when application logic allows data to be written outside the intended memory boundaries, often leading to memory corruption. In FeathersJS, this typically arises when service methods mutate or copy payload data into fixed-size buffers without proper length validation. When Hmac Signatures are used for request authentication, the signature is usually computed over the raw payload before routing to service handlers. If the framework or service code trusts the signature as proof of integrity but does not independently validate the payload size or structure, an attacker can supply a small, validly signed payload that triggers oversized internal buffers during processing.

Consider a FeathersJS service that accepts a JSON object with a fixed-length field, such as a 32-byte identifier. An attacker can craft a payload where that field contains an oversized string. The Hmac Signature, computed over this malicious payload, will verify successfully if the server uses the shared secret correctly. However, when FeathersJS or a plugin deserializes the payload and copies the field into a fixed-length buffer, the copy can overflow adjacent memory. Because the signature validated, the request bypasses any size-based guards that might otherwise reject the input. This specific combination—trust in Hmac Signatures plus unchecked user-controlled buffer sizes—exposes an Out Of Bounds Write path.

Additionally, if the FeathersJS application dynamically builds buffers based on values in the signed payload (e.g., allocating a buffer sized by a field in the JSON), an attacker can manipulate that field within the signed request to request an unreasonably large allocation. The Hmac Signature ensures the request appears legitimate, but the runtime allocation can exceed actual memory limits, causing writes to spill into unintended regions. This pattern is common in performance-sensitive services that pre-allocate buffers to avoid runtime overhead, inadvertently turning a valid signature into a mechanism that amplifies the impact of malformed input.

Real-world examples align with common OWASP API Top 10 categories such as Improper Validation of Data with an Extended Warranty (OWASP API10:2023) and can be associated with CWE-787. Since FeathersJS encourages a service-oriented architecture where payloads are passed between hooks and service methods, the risk is exacerbated if hooks do not sanitize or bound incoming data after signature verification. Unlike higher-level frameworks that enforce strict schema validation, FeathersJS leaves it to the developer to ensure that each service explicitly constrains the size and shape of accepted fields, which is especially important when Hmac Signatures are used to provide integrity but not input correctness.

In practice, scanning a FeathersJS endpoint with Hmac Signatures using middleBrick can surface this class of issue by testing unauthenticated attack surfaces and validating input handling. middleBrick runs 12 security checks in parallel, including Input Validation and Property Authorization, which can highlight mismatches between signed payloads and expected data structures. Its OpenAPI/Swagger spec analysis resolves $ref references and cross-references definitions with runtime findings, helping identify where buffer-size constraints are missing or underspecified. While middleBrick provides prioritized findings and remediation guidance, developers must implement concrete fixes in their service code to eliminate Out Of Bounds Writes.

Remediation focuses on ensuring that payload size and structure are validated independently of signature verification. In FeathersJS, this means adding explicit checks in service hooks before processing signed requests. Developers should define strict schemas for incoming data using libraries like Ajv or FeathersJS hooks validation, and enforce maximum lengths for string fields that could be copied into fixed-size buffers.

Below are concrete, working code examples for FeathersJS services using Hmac Signatures. The first example shows a service that validates payload size and field length within a before hook, ensuring that even a valid Hmac Signature does not bypass bounds checks.

// src/hooks/validate-payload.js
module.exports = function validationHook(options = {}) {
  return async context => {
    const data = context.data || {};
    const maxFieldLength = 32;

    if (typeof data.identifier === 'string' && data.identifier.length > maxFieldLength) {
      throw new Error('identifier exceeds maximum allowed length');
    }

    // Ensure overall payload size is bounded
    const payloadSize = JSON.stringify(data).length;
    const maxPayloadSize = 1024; // bytes
    if (payloadSize > maxPayloadSize) {
      throw new Error('payload size exceeds limit');
    }

    return context;
  };
};

In this hook, the identifier field is checked against a strict maximum length, and the total payload size is bounded. This prevents oversized data from being processed even when accompanied by a valid Hmac Signature. The hook is applied to the service so that every request passes through validation before handlers execute.

The second example integrates the validation hook into a FeathersJS service definition and demonstrates how to use the same Hmac signature verification library while still enforcing bounds. The Hmac verification is performed in an earlier hook, and the validation hook runs subsequently to enforce size constraints.

// src/services/secure-data/secure-data.service.js
const { GeneralHmac } = require('some-hmac-library');
const validationHook = require('./hooks/validate-payload');
const { inspect } = require('util');

class SecureDataService {
  constructor(options) {
    this.options = options || {};
  }

  async find(params) {
    // This example assumes params.query contains validated data after hooks
    return [];
  }

  async get(id, params) {
    return { id, content: 'safe data' };
  }

  async create(data, params) {
    // Core processing after validation and Hmac verification
    return { id: Date.now(), ...data };
  }

  async update(id, data, params) {
    return data;
  }

  async patch(id, data, params) {
    return data;
  }

  async remove(id, params) {
    return {};
  }
}

// Attach hooks
const app = require('..'); // your feathers app
const secureDataService = new SecureDataService();

// Hmac verification hook (simplified)
const hmacHook = {
  before: {
    all: [async context => {
      const signature = context.headers['x-api-signature'];
      const payload = JSON.stringify(context.data || context.params.query);
      const isValid = GeneralHmac.verify(payload, signature, process.env.HMAC_SECRET);
      if (!isValid) {
        throw new Error('Invalid Hmac Signature');
      }
      return context;
    }]
  },
  after: {},
  error: {}
};

app.use('/secure-data', secureDataService);
const service = app.service('secure-data');

// Apply hooks in order: Hmac verification first, then validation
service.hooks([
  hmacHook,
  validationHook
]);

In this setup, the Hmac verification hook runs before validation, ensuring that only requests with a correct signature are considered. However, the validation hook still enforces strict length and size limits, preventing Out Of Bounds Writes. The use of JSON.stringify for size measurement is simplistic and may not reflect exact wire size; in production, consider measuring byte length appropriately for your encoding (e.g., UTF-8).

Additionally, ensure that any internal buffers or allocations derived from signed fields use bounded copies. For example, when copying a string field into a fixed-size buffer, use explicit checks and slice the input rather than relying on automatic coercion.

These steps ensure that Hmac Signatures provide integrity without masking input validation deficiencies. middleBrick can help verify that such controls are present by scanning endpoints and checking input validation rules alongside signature usage.