Enforcing a maximum HTTP request content length limits how much data the server must accept per request, which helps control resource use and reduces the risk of denial-of-service attacks.

Why is this an issue?

Accepting HTTP requests without an upper bound on their content length exposes the application to Denial of Service (DoS) attacks. An attacker can send arbitrarily large requests that exhaust server memory, disk space, or processing capacity before the application can reject them. This rule detects when no maximum content length is configured, or when the configured limit exceeds the recommended thresholds (8 MB for file uploads, 2 MB for other requests).

What is the potential impact?

Denial of Service

An attacker who can send oversized HTTP requests can exhaust server resources—memory, CPU threads, or network bandwidth—causing the application to slow down or become completely unavailable. Even a single large upload can tie up a worker process and prevent other users from being served.

How to fix it in Formidable

Set maxFileSize to restrict the size of uploaded files to 8 MB or less.

Code examples

Noncompliant code example

const { Formidable } = require('formidable');

const form = new Formidable();
form.maxFileSize = 10000000; // Noncompliant: 10 MB exceeds the 8 MB threshold for uploads

const formDefault = new Formidable(); // Noncompliant: maxFileSize is left at its default value

Compliant solution

const { Formidable } = require('formidable');

const form = new Formidable();
form.maxFileSize = 8000000; // 8 MB, the maximum recommended size for an uploaded file

How to fix it in Multer

Set limits.fileSize to restrict the size of uploaded files to 8 MB or less.

Code examples

Noncompliant code example

const multer = require('multer');
const diskStorage = multer.diskStorage({ destination: 'uploads/' }); // destination is a placeholder path

let diskUpload = multer({
  storage: diskStorage,
  limits: {
    fileSize: 10000000 // Noncompliant: 10 MB exceeds the 8 MB threshold for uploads
  }
});

let diskUploadUnlimited = multer({ // Noncompliant: no limits, so the file size is unbounded
  storage: diskStorage,
});

Compliant solution

const multer = require('multer');
const diskStorage = multer.diskStorage({ destination: 'uploads/' }); // destination is a placeholder path

let diskUpload = multer({
  storage: diskStorage,
  limits: {
    fileSize: 8000000 // 8 MB, the maximum recommended size for an uploaded file
  }
});

How to fix it in body-parser

Set the limit option to restrict the request body size to 2 MB or less for non-file-upload requests.

Code examples

Noncompliant code example

const bodyParser = require('body-parser');

// 4 MB is more than the recommended limit of 2 MB for non-file-upload requests
let jsonParser = bodyParser.json({ limit: "4mb" }); // Noncompliant
let urlencodedParser = bodyParser.urlencoded({ extended: false, limit: "4mb" }); // Noncompliant

Compliant solution

const bodyParser = require('body-parser');

// 2 MB is the recommended upper bound for request bodies that are not file uploads
let jsonParser = bodyParser.json({ limit: "2mb" });
let urlencodedParser = bodyParser.urlencoded({ extended: false, limit: "2mb" });
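The three fixes above all delegate the size check to a library. The following is an added example, not code from this rule or from Formidable, Multer or body-parser: a dependency-free guard for Node's built-in http server that applies the same two thresholds (8 MB for multipart uploads, 2 MB otherwise), rejecting on the declared Content-Length before any body bytes are read and, for chunked or dishonest clients, again while counting the bytes that actually arrive. The helper names and the 400/413 status choices are this example's own.

```javascript
const MAX_UPLOAD_BYTES = 8000000; // 8 MB threshold for multipart file uploads
const MAX_BODY_BYTES = 2000000;   // 2 MB threshold for every other request body

// Choose the budget from the Content-Type: only multipart uploads get the larger one.
function limitFor(headers) {
  const type = String(headers['content-type'] || '').toLowerCase();
  return type.startsWith('multipart/form-data') ? MAX_UPLOAD_BYTES : MAX_BODY_BYTES;
}

// Fast path: decide from the declared Content-Length before reading a single body byte.
// reason 'unknown-length' (no header, e.g. chunked encoding) means the caller must count.
function checkDeclaredLength(headers) {
  const limit = limitFor(headers);
  const raw = headers['content-length'];
  if (raw === undefined) return { ok: true, reason: 'unknown-length', limit };
  if (!/^\d{1,15}$/.test(raw)) return { ok: false, reason: 'malformed-length', limit };
  const declared = Number(raw);
  return declared > limit
    ? { ok: false, reason: 'declared-too-large', declared, limit }
    : { ok: true, reason: 'within-limit', declared, limit };
}

// Slow path: count bytes as they arrive so a chunked or lying client cannot push past `limit`.
class BodyLimiter {
  constructor(limit) { this.limit = limit; this.received = 0; this.chunks = []; }
  accept(chunk) {
    this.received += chunk.length;
    if (this.received > this.limit) return false; // caller must stop reading now
    this.chunks.push(chunk);
    return true;
  }
  body() { return Buffer.concat(this.chunks); }
}

// Wiring for http.createServer(guardedHandler(onBody)): 413 early, and again mid-stream on overrun.
function guardedHandler(onBody) {
  return (req, res) => {
    const verdict = checkDeclaredLength(req.headers);
    if (!verdict.ok) {
      res.writeHead(verdict.reason === 'malformed-length' ? 400 : 413).end();
      req.destroy();
      return;
    }
    const limiter = new BodyLimiter(verdict.limit);
    req.on('data', (chunk) => {
      if (!limiter.accept(chunk)) { res.writeHead(413).end(); req.destroy(); }
    });
    req.on('end', () => onBody(req, res, limiter.body()));
  };
}
```

Because the request is destroyed as soon as the limit is crossed, the server never buffers more than the configured budget, which is the property the rule is asking for.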
