Create rule S6639: Memory allocations should not be vulnerable to Den…

…ial of Service attacks (#3153)
SonarSource · Sep 28, 2023 · 7dd1082 · 7dd1082
1 parent c40e726
commit 7dd1082
Show file tree

Hide file tree

Showing 2 changed files with 66 additions and 0 deletions.
diff --git a/rules/S6639/python/metadata.json b/rules/S6639/python/metadata.json
@@ -0,0 +1,2 @@
+{
+}
diff --git a/rules/S6639/python/rule.adoc b/rules/S6639/python/rule.adoc
@@ -0,0 +1,64 @@
+include::../common/description.adoc[]
+
+== Why is this an issue?
+
+include::../common/rationale.adoc[]
+
+=== What is the potential impact?
+
+include::../common/impact.adoc[]
+
+== How to fix it
+
+=== Code examples
+
+==== Noncompliant code example
+
+[source,csharp,diff-id=1,diff-type=noncompliant]
+----
+def example():
+    limit = int(request.args.get('limit'))
+
+    data = '#' * limit  # Noncompliant
+----
+
+==== Compliant solution
+
+[source,csharp,diff-id=1,diff-type=compliant]
+----
+def example():
+    limit = int(request.args.get('limit'))
+    restricted_limit = min(10, limit)
+
+    data = '#' * restricted_limit
+----
+
+=== How does this work?
+
+include::../common/fix/upper-limit.adoc[]
+
+Here, the example compliant code uses the `min` function to enforce a
+reasonable upper bound to the allocation size. In that case, no more than 10
+bytes can be allocated at a time.
+
+include::../common/fix/environment-hardening.adoc[]
+
+== Resources
+=== Documentation
+
+include::../common/resources/documentation.adoc[]
+
+=== Standards
+
+include::../common/resources/standards.adoc[]
+
+
+ifdef::env-github,rspecator-view[]
+
+'''
+== Implementation Specification
+(visible only on this page)
+
+include::../common/message.adoc[]
+
+'''