github
diff --git a/‎change-notes/1.25/analysis-javascript.md‎
Lines changed: 1 addition & 0 deletions b/‎change-notes/1.25/analysis-javascript.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎javascript/config/suites/javascript/security‎
Lines changed: 1 addition & 0 deletions b/‎javascript/config/suites/javascript/security‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎javascript/ql/src/Security/CWE-770/MemoryExhaustion.qhelp‎
Lines changed: 0 additions & 22 deletions b/‎javascript/ql/src/Security/CWE-770/MemoryExhaustion.qhelp‎
Lines changed: 0 additions & 22 deletions
diff --git a/‎javascript/ql/src/Security/CWE-770/MemoryExhaustion.ql‎
Lines changed: 0 additions & 225 deletions b/‎javascript/ql/src/Security/CWE-770/MemoryExhaustion.ql‎
Lines changed: 0 additions & 225 deletions
diff --git a/‎javascript/ql/src/Security/CWE-770/ResourceExhaustion.qhelp‎
Lines changed: 82 additions & 0 deletions b/‎javascript/ql/src/Security/CWE-770/ResourceExhaustion.qhelp‎
Lines changed: 82 additions & 0 deletions
diff --git a/‎javascript/ql/src/Security/CWE-770/ResourceExhaustion.ql‎
Lines changed: 20 additions & 0 deletions b/‎javascript/ql/src/Security/CWE-770/ResourceExhaustion.ql‎
Lines changed: 20 additions & 0 deletions
diff --git a/‎javascript/ql/src/Security/CWE-770/examples/ResourceExhaustion_array.js‎
Lines changed: 10 additions & 0 deletions b/‎javascript/ql/src/Security/CWE-770/examples/ResourceExhaustion_array.js‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎javascript/ql/src/Security/CWE-770/examples/ResourceExhaustion_array_fixed.js‎
Lines changed: 16 additions & 0 deletions b/‎javascript/ql/src/Security/CWE-770/examples/ResourceExhaustion_array_fixed.js‎
Lines changed: 16 additions & 0 deletions
@@ -37,6 +37,7 @@
 | Unsafe expansion of self-closing HTML tag (`js/unsafe-html-expansion`) | security, external/cwe/cwe-079, external/cwe/cwe-116 | Highlights potential XSS vulnerabilities caused by unsafe expansion of self-closing HTML tags. |
 | Unsafe shell command constructed from library input (`js/shell-command-constructed-from-input`) | correctness, security, external/cwe/cwe-078, external/cwe/cwe-088 | Highlights potential command injections due to a shell command being constructed from library inputs. Results are shown on LGTM by default. |
 | Improper code sanitization (`js/bad-code-sanitization`) | security, external/cwe/cwe-094, external/cwe/cwe-079, external/cwe/cwe-116 | Highlights string concatenation where code is constructed without proper sanitization. Results are shown on LGTM by default. |
+| Resource exhaustion (`js/resource-exhaustion`) | security, external/cwe/cwe-770 | Highlights operations that may cause the resources of the application to be exhausted. Results are shown on LGTM by default. |
 
 ## Changes to existing queries
 
 
@@ -44,6 +44,7 @@
 + semmlecode-javascript-queries/Security/CWE-730/RegExpInjection.ql: /Security/CWE/CWE-730
 + semmlecode-javascript-queries/Security/CWE-754/UnvalidatedDynamicMethodCall.ql: /Security/CWE/CWE-754
 + semmlecode-javascript-queries/Security/CWE-770/MissingRateLimiting.ql: /Security/CWE/CWE-770
++ semmlecode-javascript-queries/Security/CWE-770/ResourceExhaustion.ql: /Security/CWE/CWE-770
 + semmlecode-javascript-queries/Security/CWE-776/XmlBomb.ql: /Security/CWE/CWE-776
 + semmlecode-javascript-queries/Security/CWE-798/HardcodedCredentials.ql: /Security/CWE/CWE-798
 + semmlecode-javascript-queries/Security/CWE-807/ConditionalBypass.ql: /Security/CWE/CWE-807
 
@@ -0,0 +1,82 @@
+<!DOCTYPE qhelp PUBLIC
+"-//Semmle//qhelp//EN"
+"qhelp.dtd">
+<qhelp>
+
+<overview>
+
+	Applications are constrained by how many resources they can make use
+	of, failing to respect these constraints may cause the application to
+	be unresponsive or crash. It is therefore be problematic if attackers
+	can control the sizes or lifetimes of allocated objects.
+
+</overview>
+
+<recommendation>
+
+	Ensure that attackers can not control object sizes and their
+	lifetimes. If object sizes and lifetimes must be controlled by
+	external parties, ensure to restrict the object sizes and lifetimes to
+	be within accptable ranges.
+
+</recommendation>
+
+<example>
+
+	The following example allocates a buffer with a user-controlled
+	size.
+
+	<sample src="examples/ResourceExhaustion_buffer.js" />
+
+	This is problematic since an attacker can choose a size
+	that makes the application run out of memory. Even worse, in older
+	versions of Node.js, this could leak confidential memory.
+
+	To prevent such attacks, limit the buffer size:
+
+	<sample src="examples/ResourceExhaustion_buffer_fixed.js" />
+
+</example>
+
+<example>
+
+	As another example, consider an application that allocates an
+	array with a user-controlled size, and then fills it with values:
+
+	<sample src="examples/ResourceExhaustion_array.js" />
+
+	The allocation of the array itself is not problematic since arrays are
+	allocated sparsely, but the subsequent filling of the array will take
+	a long time, causing the application to be unresponsive, or even run
+	out of memory.
+
+	Again, a limit on the size will prevent the attack:
+
+	<sample src="examples/ResourceExhaustion_array_fixed.js" />
+
+</example>
+
+<example>
+
+	Finally, the following example lets a user choose delay after
+	which a function is executed:
+
+	<sample src="examples/ResourceExhaustion_timeout.js" />
+
+	This is problematic because a large delay essentially makes the
+	application wait indefinitely before executing the function. Repeated
+	registrations of such delays will therefore use up all of the memory
+	in the application.
+
+	Again, a limit on the delay will prevent the attack:
+
+	<sample src="examples/ResourceExhaustion_timeout_fixed.js" />
+
+
+</example>
+
+<references>
+
+</references>
+
+</qhelp>
@@ -0,0 +1,20 @@
+/**
+ * @name Resource exhaustion
+ * @description Allocating objects or timers with user-controlled
+ *              sizes or durations can cause resource exhaustion.
+ * @kind path-problem
+ * @problem.severity warning
+ * @id js/resource-exhaustion
+ * @precision high
+ * @tags security
+ *       external/cwe/cwe-770
+ */
+
+import javascript
+import DataFlow::PathGraph
+import semmle.javascript.security.dataflow.ResourceExhaustion::ResourceExhaustion
+
+from Configuration dataflow, DataFlow::PathNode source, DataFlow::PathNode sink
+where dataflow.hasFlowPath(source, sink)
+select sink, source, sink, sink.getNode().(Sink).getProblemDescription() + " from $@.", source,
+  "here"
@@ -0,0 +1,10 @@
+var http = require("http"),
+    url = require("url");
+
+var server = http.createServer(function(req, res) {
+	var size = parseInt(url.parse(req.url, true).query.size);
+
+	let dogs = new Array(size).fill(x => "dog"); // BAD
+
+	// ... use the dogs
+});
@@ -0,0 +1,16 @@
+var http = require("http"),
+    url = require("url");
+
+var server = http.createServer(function(req, res) {
+	var size = parseInt(url.parse(req.url, true).query.size);
+
+	if (size > 1024) {
+		res.statusCode = 400;
+		res.end("Bad request.");
+		return;
+	}
+
+	let dogs = new Array(size).fill(x => "dog"); // GOOD
+
+	// ... use the dogs
+});