Out-of-bounds write in Buffer API
Description
The application calls Buffer write methods (`writeUInt8`, `writeUInt32LE`, `writeDoubleBE`, and so on) with the `noAssert` parameter set to `true`. That flag disables the offset bounds check, so an offset at or beyond `buffer.length` is never rejected and the write can land outside the buffer, corrupting adjacent memory (CWE-787) rather than failing loudly. Note that Node.js removed `noAssert` in v10: on supported releases the third argument is ignored and an out-of-range write throws a `RangeError` with code `ERR_OUT_OF_RANGE`. The finding still matters because a `true` third argument signals that the author intended to skip validation, and the same code is unsafe if it ever runs on a legacy runtime that honours the flag.
Examples
Insecure Code

```javascript
const buffer = Buffer.alloc(10);
// Offset 15 is past the end of a 10-byte buffer; `noAssert = true` skips the bounds check
buffer.writeUInt8(0, 15, true);
```

Secure Code

```javascript
const buffer = Buffer.alloc(10);
// Validate the offset first and omit `noAssert` so the built-in check stays enabled
if (5 < buffer.length) {
  buffer.writeUInt8(0, 5);
}
```

Remediation
Never pass `noAssert` (or any truthy third argument) to the Buffer write methods; let the built-in bounds check run and treat its `RangeError` as a bug to fix, not an exception to swallow. Validate offsets that come from untrusted input before writing. For multi-byte writes the check is `offset + byteLength <= buffer.length`, not merely `offset < buffer.length`: a `writeUInt32LE` at offset 8 of a 10-byte buffer passes the weaker test but still needs two bytes that do not exist.
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0192 |
| Category | Injection |
| Severity | MEDIUM |
| CWE | CWE-787 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | buffer overflow, out-of-bounds write |
| OWASP | A6:2017-Security Misconfiguration, A05:2021-Security Misconfiguration |