Create rule S6639: Memory allocations should not be vulnerable to Denial of Service attacks (#3153)

2023-09-28 09:09:02 +02:00 · 2023-09-28 09:09:02 +02:00 · 7dd10827b3
commit 7dd10827b3
parent c40e726e6c
2 changed files with 66 additions and 0 deletions
--- a/rules/S6639/python/metadata.json
+++ b/rules/S6639/python/metadata.json
@ -0,0 +1,2 @@
+{
+}
--- a/rules/S6639/python/rule.adoc
+++ b/rules/S6639/python/rule.adoc
@ -0,0 +1,64 @@
+include::../common/description.adoc[]
+
+== Why is this an issue?
+
+include::../common/rationale.adoc[]
+
+=== What is the potential impact?
+
+include::../common/impact.adoc[]
+
+== How to fix it
+
+=== Code examples
+
+==== Noncompliant code example
+
+[source,csharp,diff-id=1,diff-type=noncompliant]
+----
+def example():
+    limit = int(request.args.get('limit'))
+
+    data = '#' * limit  # Noncompliant
+----
+
+==== Compliant solution
+
+[source,csharp,diff-id=1,diff-type=compliant]
+----
+def example():
+    limit = int(request.args.get('limit'))
+    restricted_limit = min(10, limit)
+
+    data = '#' * restricted_limit
+----
+
+=== How does this work?
+
+include::../common/fix/upper-limit.adoc[]
+
+Here, the example compliant code uses the `min` function to enforce a
+reasonable upper bound to the allocation size. In that case, no more than 10
+bytes can be allocated at a time.
+
+include::../common/fix/environment-hardening.adoc[]
+
+== Resources
+=== Documentation
+
+include::../common/resources/documentation.adoc[]
+
+=== Standards
+
+include::../common/resources/standards.adoc[]
+
+
+ifdef::env-github,rspecator-view[]
+
+'''
+== Implementation Specification
+(visible only on this page)
+
+include::../common/message.adoc[]
+
+'''