Stack Overflow in Adonisjs with Dynamodb

AdonisJS encourages rapid development with its ORM-like abstraction, yet when paired with DynamoDB directly, developers may inadvertently introduce unsafe pagination or unbounded query patterns that amplify the risk of Stack Overflow in the API surface. A Stack Overflow here refers to an input-driven resource exhaustion that degrades service stability, not a traditional memory stack overflow in the runtime. This typically arises when an endpoint accepts pagination parameters such as page and limit without strict validation, allowing an attacker to request prohibitively large pages or trigger repeated scans against DynamoDB.

DynamoDB itself is a managed NoSQL service, but the way an AdonisJS application constructs requests determines exposure. For example, a developer using the AWS SDK for JavaScript within an AdonisJS controller might write a query like params = { TableName: 'items', Limit: 100, ExclusiveStartKey: lastKey }. If Limit is sourced directly from user input without capping, an attacker can set limit to a very high value, causing the application to consume excessive memory while buffering results and increasing the load on DynamoDB. In combination with AdonisJS route handling that does not enforce request rate limits, this can lead to resource exhaustion across the request pipeline, effectively creating a denial-of-service condition through oversized responses and prolonged processing.

Moreover, the interaction between DynamoDB’s pagination model and AdonisJS’s route or controller logic can expose sensitive data if pagination tokens are mishandled. Suppose an endpoint exposes nextToken in the response and reflects it directly into HTML or JSON without validation. An attacker could manipulate this token to scan through large datasets, triggering repeated scans and increasing the likelihood of inadvertently retrieving unintended items. This behavior is especially risky when DynamoDB tables contain high-cardinality indexes or when queries rely on secondary indexes that return large result sets. The lack of server-side enforcement on page size and token validity in the AdonisJS layer compounds the issue, turning what should be efficient data retrieval into a vector for abuse.

Another contributing factor is the absence of input schema validation for pagination fields. If AdonisJS routes do not explicitly validate that limit is a positive integer within a safe range, or that offset is non-negative, malformed or malicious payloads can force the application to construct invalid DynamoDB requests. Such requests may trigger unexpected internal retries or backpressure in the SDK, which can manifest as high latency or memory pressure. Because DynamoDB charges and scales based on read capacity, unbounded queries can also lead to cost amplification and noisy neighbor effects within shared provisioned capacity, indirectly affecting availability.

To illustrate the risk, consider an AdonisJS route like the following, where user-supplied values flow into DynamoDB without safeguards:

import { schema } from '@ioc:Adonis/Core/Validator'
import { DateTime } from 'luxon'
import { DynamoDBDocumentClient, QueryCommand } from '@aws-sdk/lib-dynamodb'

const itemsRoute = async ({ request, response }) => {
  const pageInput = request.qs()
  const params = {
    TableName: 'items',
    IndexName: 'status-index',
    KeyConditionExpression: 'status = :statusVal',
    ExpressionAttributeValues: {
      ':statusVal': 'active',
    },
    Limit: pageInput.limit, // unsafe: directly from user
    ExclusiveStartKey: pageInput.token ? JSON.parse(pageInput.token) : undefined,
  }
  const command = new QueryCommand(params)
  const data = await ddbDocClient.send(command)
  return response.send(data)
}

In this example, limit and token are taken directly from the request, bypassing any capping or deserialization checks. An attacker can set limit=10000 or craft a malicious token to force large scans, leading to Stack Overflow-like resource exhaustion in the application layer and potential service degradation.

Remediation focuses on enforcing strict input validation, capping page sizes, and avoiding the direct exposure of pagination tokens. In AdonisJS, leverage schema validation to ensure that limit is a bounded integer and that pagination tokens are treated as opaque values rather than parsed structures. This prevents malformed or oversized requests from reaching DynamoDB and reduces the attack surface for resource exhaustion.

Define a validator that caps limit to a safe maximum (e.g., 100) and ensures offset or token values are strings that are not directly deserialized into objects before being used in DynamoDB requests. For example:

import { schema } from '@ioc:Adonis/Core/Validator'

const itemsQuerySchema = schema.create({
  limit: schema.number.optional([schema.unsigned(), schema.range(1, 100)]),
  token: schema.string.optional(),
})

Use this schema in your route handler to sanitize inputs before constructing DynamoDB parameters:

import { HttpContextContract } from '@ioc:Adonis/Core/HttpContext'
import { DynamoDBDocumentClient, QueryCommand } from '@aws-sdk/lib-dynamodb'

const itemsRoute = async ({ request, response }: HttpContextContract) => {
  const validated = await request.validate({ schema: itemsQuerySchema })
  const limit = validated.limit || 50
  const params = {
    TableName: 'items',
    IndexName: 'status-index',
    KeyConditionExpression: 'status = :statusVal',
    ExpressionAttributeValues: {
      ':statusVal': 'active',
    },
    Limit: limit,
  }
  if (validated.token) {
    params.ExclusiveStartKey = JSON.parse(validated.token)
  }
  const command = new QueryCommand(params)
  const data = await ddbDocClient.send(command)
  const nextToken = data.LastEvaluatedKey ? JSON.stringify(data.LastEvaluatedKey) : ''
  return response.send({ items: data.Items, nextToken })
}

This approach ensures that limit cannot exceed a safe threshold, and the token is kept as a string when passed to the client, avoiding inadvertent parsing on the client side. When storing or transmitting tokens, treat them as opaque cursors rather than structured data to prevent token manipulation attacks.

Additionally, enforce global request rate limits within AdonisJS to mitigate repeated scans. In your route configuration, apply middleware that caps requests per IP over a sliding window. For DynamoDB-specific protections, consider using ReturnConsumedCapacity to monitor read capacity usage and set alarms for unusual spikes. Combine this with the Pro plan from middleBrick to enable continuous monitoring of your API endpoints; it integrates with your CI/CD pipeline via the GitHub Action to fail builds if risk scores degrade, and the MCP Server allows scanning directly from your AI coding assistant to catch insecure patterns early.

Finally, rotate and audit access keys used by the AdonisJS application, and scope IAM policies to the least privilege necessary for each DynamoDB operation. Regularly review CloudTrail logs for anomalous query patterns, such as repeated scans with high limit values or frequent pagination, which may indicate reconnaissance or abuse. By capping page sizes, validating inputs, and avoiding direct token reinterpretation, you reduce the likelihood of Stack Overflow–style disruptions and ensure that DynamoDB interactions remain efficient and safe within your AdonisJS application.