Stack Overflow in Adonisjs with Firestore
Stack Overflow in Adonisjs with Firestore — how this specific combination creates or exposes the vulnerability
When an AdonisJS application uses Google Cloud Firestore as a backend, unbounded recursive document references and deeply nested map structures can lead to uncontrolled memory growth during query traversal. This combination exposes a Stack Overflow risk because recursive resolution of document paths or repeated deep object destructuring may exceed the call stack limit, especially when Firestore returns large nested maps or when developer code recursively traverses references without depth limiting.
AdonisJS typically handles request processing within an async context that relies on JavaScript’s event loop. If route handlers or service classes recursively await Firestore document snapshots without bounding recursion depth—for example, resolving a chain of parent references via recursive async functions—each recursive call consumes stack frames. With sufficiently deep or cyclic references, this results in a RangeError: Maximum call stack size exceeded, crashing the request and potentially exposing internal stack traces.
Additionally, Firestore’s nested map structures can amplify risk when developers directly destructure or spread deeply nested fields into plain JavaScript objects. Large nested payloads processed recursively (e.g., traversing category trees or comment threads) can trigger stack overflows if the recursion is not capped. Because AdonisJS often serializes such nested results into JSON responses, unbounded traversal of Firestore documents can lead to denial of service via stack exhaustion before data ever reaches the client.
Insecure default configurations can exacerbate the issue. If Firestore security rules or application-level validation do not limit document depth or array sizes, an attacker may craft requests that induce deep recursive traversal. Without proper input constraints and recursion guards, the API surface remains vulnerable to stack-based attacks that are detectable through security scans focused on input validation and rate limiting.
Firestore-Specific Remediation in Adonisjs — concrete code fixes
To mitigate Stack Overflow risks when integrating Firestore with AdonisJS, enforce strict recursion limits and avoid unbounded traversal of nested document structures. Prefer iterative algorithms with explicit stacks or queues over recursive approaches when walking Firestore reference chains.
Iterative traversal with depth limit
Replace recursive async resolution with an iterative breadth-first approach capped at a safe depth (e.g., 5). This prevents unbounded call growth while preserving document graph navigation.
import { DateTime } from 'luxon'
import { Firestore, doc, getDoc } from 'firebase-admin/firestore'
async function resolveDocumentChain(startRef, maxDepth = 5) {
let queue = [{ ref: startRef, depth: 0 }]
const results = []
while (queue.length > 0) {
const { ref, depth } = queue.shift()
if (depth >= maxDepth) continue
const snap = await getDoc(ref)
if (!snap.exists()) continue
results.push({ id: snap.id, data: snap.data() })
const nextRef = snap.data().parentRef // assume a known reference field
if (nextRef) {
queue.push({ ref: nextRef, depth: depth + 1 })
}
}
return results
}
// Usage in a controller
async resolveChain({ request }) {
const startId = request.param('id')
const rootRef = doc(Firestore, 'nodes', startId)
const chain = await resolveDocumentChain(rootRef, 5)
return chain
}Safe deserialization of nested Firestore maps
When Firestore documents contain deeply nested maps, avoid recursive destructuring. Instead, use a controlled flattening utility that respects depth constraints and discards or truncates paths beyond a threshold.
function safeFlatten(obj, maxDepth = 4, currentDepth = 0) {
if (currentDepth >= maxDepth || typeof obj !== 'object' || obj === null) {
return { value: obj }
}
const out = {}
for (const [key, val] of Object.entries(obj)) {
out[key] = safeFlatten(val, maxDepth, currentDepth + 1)
}
return out
}
// In a route handler
async showDocument({ params }) {
const docSnap = await getDoc(doc(Firestore, 'reports', params.id))
if (!docSnap.exists()) {
return Response.json({ error: 'not found' }, { status: 404 })
}
const payload = safeFlatten(docSnap.data(), 4)
return Response.json(payload)
}Input validation and schema constraints
Use AdonisJS schema validation to reject documents with excessive nesting or array sizes before processing. This prevents malicious payloads from triggering deep traversal in application logic.
import { schema } from '@ioc:Adonis/Core/Validator'
const documentSchema = schema.create({
id: schema.string(),
parentId: schema.maybe.nullable(schema.string()),
// Limit nested object depth through custom rules or size caps
metadata: schema.object({}, {
objectMembersLimit: 50,
// custom helper to enforce max nesting
validateNestedDepth(value, depth = 0) {
if (depth > 4) return false
if (value && typeof value === 'object' && !Array.isArray(value)) {
return Object.values(value).every((v) =>
this.validateNestedDepth(v, depth + 1)
)
}
return true
},
}),
})
export const storeDocumentValidator = schema.compile({
schema: documentSchema,
})
// In controller
async store({ request, response }) {
const payload = request.validate({ schema: storeDocumentValidator })
// safe to process
return response.json({ ok: true })
}Monitoring and runtime guards
Instrument recursive functions with stack depth telemetry and enforce timeouts to avoid long-running or cyclic traversals. Combine Firestore query constraints with application-level guards to reduce exposure.