Limit maximum attack paths

AikidoSec · Dec 9, 2024 · d3ccb3c · d3ccb3c
1 parent b563640
commit d3ccb3c
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 0 deletions.
diff --git a/library/helpers/attackPath.test.ts b/library/helpers/attackPath.test.ts
@@ -57,3 +57,20 @@ t.test("it works with jwt", async (t) => {
   t.same(get("1234567890", testObj2), [".a.b.c<jwt>.sub"]);
   t.same(get("notfound", testObj2), []);
 });
+
+t.test("maximum match count of 10", async (t) => {
+  const testArr = Array.from({ length: 20 }, () => "test");
+
+  t.same(get("test", testArr), [
+    ".[0]",
+    ".[1]",
+    ".[2]",
+    ".[3]",
+    ".[4]",
+    ".[5]",
+    ".[6]",
+    ".[7]",
+    ".[8]",
+    ".[9]",
+  ]);
+});
diff --git a/library/helpers/attackPath.ts b/library/helpers/attackPath.ts
@@ -1,6 +1,9 @@
 import { isPlainObject } from "./isPlainObject";
 import { tryDecodeAsJWT } from "./tryDecodeAsJWT";
 
+// Maximum match count to return
+const MAX_MATCH_COUNT = 10;
+
 export type PathPart =
   | { type: "jwt" }
   | { type: "object"; key: string }
@@ -37,6 +40,10 @@ export function getPathsToPayload(
   const attackPayloadLowercase = attackPayload.toLowerCase();
 
   const traverse = (value: unknown, path: PathPart[] = []) => {
+    if (matches.length >= MAX_MATCH_COUNT) {
+      return;
+    }
+
     // Handle strings
     if (typeof value === "string") {
       if (value.toLowerCase() === attackPayloadLowercase) {