Out-of-bounds read in Buffer API methods
Description
The application calls Buffer read methods with the `noAssert` parameter set to `true`. This disables bounds checking on the read, so the access can extend beyond the end of the buffer, leading to potential memory corruption and security vulnerabilities.
Examples
Insecure Code
```javascript
// `noAssert` is true: the offset is not validated, so the read can go past the end of the buffer
buf.readUInt8(offset, true);
```
Secure Code
```javascript
// Validate the offset against the buffer length before reading, and never pass `noAssert`
if (offset < buf.length) { buf.readUInt8(offset); }
```
Remediation
Do not pass `noAssert` as `true`; keep the built-in bounds checking enabled and validate the offset against the buffer length before every read operation on the buffer.
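The following is an added example and is not code from the original rule page. It shows the remediation as a reusable bounds-checked wrapper that never passes `noAssert` (Node.js 10 removed that parameter, so on current runtimes the built-in check throws a `RangeError`; on older runtimes `noAssert: true` could return bytes from outside the buffer). It goes slightly beyond the one-byte case above by accounting for the width of multi-byte reads, where `offset < buf.length` alone is not sufficient. The helper names `safeRead`, `isInBounds` and `tryRead`, the `READ_WIDTHS` table and the sample buffer are assumptions made for this illustration.

```javascript
// Added example (not part of the original rule page). The helper names and the
// sample buffer below are assumptions made for illustration.

// Byte width of each fixed-width Buffer read method we want to guard.
const READ_WIDTHS = {
  readUInt8: 1, readInt8: 1,
  readUInt16LE: 2, readUInt16BE: 2, readInt16LE: 2, readInt16BE: 2,
  readUInt32LE: 4, readUInt32BE: 4, readInt32LE: 4, readInt32BE: 4,
  readFloatLE: 4, readFloatBE: 4, readDoubleLE: 8, readDoubleBE: 8,
};

// True only if `offset` is a non-negative integer and a read of `width` bytes
// starting there stays entirely inside `buf`. Checking `offset + width` rather
// than just `offset` is what makes this correct for multi-byte reads.
function isInBounds(buf, offset, width) {
  return Number.isInteger(offset) && offset >= 0 && offset + width <= buf.length;
}

// Reads from `buf` with the named method, rejecting any out-of-bounds access
// with a descriptive RangeError. The method is always called with the offset
// only, so bounds checking is never disabled via `noAssert`.
function safeRead(buf, method, offset) {
  const width = READ_WIDTHS[method];
  if (width === undefined) {
    throw new TypeError(`unsupported read method: ${method}`);
  }
  if (!isInBounds(buf, offset, width)) {
    throw new RangeError(
      `${method} at offset ${offset} would read ${width} byte(s) beyond a buffer of length ${buf.length}`
    );
  }
  return buf[method](offset);
}

// Performs the read and reports whether it was accepted or rejected.
function tryRead(buf, method, offset) {
  try {
    return { ok: true, value: safeRead(buf, method, offset) };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}

// Constructed sample input: a 4-byte buffer.
const sample = Buffer.from([0x01, 0x02, 0x03, 0x04]);

// Demo output when run directly (guarded so the file also loads as a module).
if (typeof require !== 'undefined' && require.main === module) {
  console.log(tryRead(sample, 'readUInt8', 3));     // accepted: last valid byte
  console.log(tryRead(sample, 'readUInt8', 4));     // rejected: one past the end
  console.log(tryRead(sample, 'readUInt32LE', 0));  // accepted: 4 bytes fit exactly
  console.log(tryRead(sample, 'readUInt32LE', 1));  // rejected: 4th byte would be out of range
  console.log(tryRead(sample, 'readUInt16BE', -1)); // rejected: negative offset
  console.log(tryRead(sample, 'readUInt8', 1.5));   // rejected: non-integer offset
}
```

The validation belongs in one place so that every call site benefits from the same check; a scattered `offset < buf.length` test is easy to get wrong for `readUInt32LE` and friends, where the last valid offset is `buf.length - 4`, not `buf.length - 1`.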
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0191 |
| Category | Injection |
| Severity | MEDIUM |
| CWE | CWE-125 |
| Confidence | HIGH |
| Impact | MEDIUM |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | buffer overflow, out-of-bounds read |
| OWASP | A6:2017-Security Misconfiguration, A05:2021-Security Misconfiguration |