Security practice

Parameter Checking and Deserialization

That said, with JavaScript, the approach you’re more likely to see in an application looks like this:

// Parse the whole request body first, then pick out the fields the app needs
const temp = JSON.parse(req.body)
const user = new User({name: temp.name, age: temp.age})

What if an attacker sends a massive JSON object, perhaps several megabytes? The application slows down when it reaches the JSON.parse() call, and it also has to hold those megabytes in memory. Sent repeatedly, such requests can make server instances unresponsive or crash them, resulting in a denial of service.

One way to fix this is to enforce a maximum request size when receiving request bodies.

The body-parser middleware package used by Express supports a limit option that enforces exactly this cap, defaulting to 100KB.
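To show what the limit buys you, here is an added example (not code from the original page or from body-parser) that reads a body chunk by chunk, rejects it with a 413-style error as soon as the byte count passes the cap and only then parses and type-checks the name and age fields from the snippet above. It assumes the body arrives as a sequence of Buffer chunks, as it does on a Node.js http.IncomingMessage; the PayloadTooLargeError class and parseUserBody function are hypothetical names.

```javascript
// Added example, not from the original page: a bounded body reader plus
// field validation, standing in for body-parser's `limit` option.
// Assumption: chunks is an iterable of Buffer objects (as on http.IncomingMessage).

const DEFAULT_LIMIT = 100 * 1024; // body-parser's default limit: 100kb

class PayloadTooLargeError extends Error {
  constructor(limit) {
    super(`request body exceeds ${limit} bytes`);
    this.status = 413; // the status body-parser uses for an oversized body
  }
}

// Accumulate chunks, but abort as soon as the running byte count passes
// `limit`, before the whole body is buffered or handed to JSON.parse().
function readBoundedBody(chunks, limit = DEFAULT_LIMIT) {
  const parts = [];
  let received = 0;
  for (const chunk of chunks) {
    received += chunk.length;
    if (received > limit) throw new PayloadTooLargeError(limit);
    parts.push(chunk);
  }
  return Buffer.concat(parts).toString('utf8');
}

// Whitelist the fields the handler actually needs and check their types,
// so unexpected or oversized properties never reach the User constructor.
function parseUserBody(chunks, limit = DEFAULT_LIMIT) {
  const temp = JSON.parse(readBoundedBody(chunks, limit));
  if (typeof temp !== 'object' || temp === null || Array.isArray(temp)) {
    throw new TypeError('body must be a JSON object');
  }
  if (typeof temp.name !== 'string' || temp.name.length === 0 || temp.name.length > 64) {
    throw new TypeError('name must be a non-empty string of at most 64 characters');
  }
  if (!Number.isInteger(temp.age) || temp.age < 0 || temp.age > 150) {
    throw new TypeError('age must be an integer between 0 and 150');
  }
  return { name: temp.name, age: temp.age };
}

// Constructed sample inputs: a normal body and a 128kb oversized one.
const okBody = [Buffer.from('{"name":"alice","age":30}')];
const hugeBody = [Buffer.alloc(64 * 1024, 'a'), Buffer.alloc(64 * 1024, 'a')];
```

The oversized body is rejected after the second chunk arrives, so JSON.parse() never sees it; a well-formed body still fails if name or age has the wrong type.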

Malicious npm Packages

At any rate, malicious packages will make their way into applications. One of the most important things Node.js developers can do to reduce the risk of pulling in one of these malicious packages is to keep the number of dependencies to a minimum.
