[PR #3820] [CLOSED] Fix Loop bound injection via preserveCamelCase #4419

Closed
opened 2026-02-22 18:35:47 -05:00 by yindo · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/Mintplex-Labs/anything-llm/pull/3820
Author: @odaysec
Created: 5/13/2025
Status: Closed

Base: masterHead: patch-1


📝 Commits (2)

  • a4d816e Update camelcase.js
  • b21aee5 Merge branch 'master' into patch-1

📊 Changes

1 file changed (+4 additions, -0 deletions)

View changed files

📝 server/utils/helpers/camelcase.js (+4 -0)

📄 Description

Pull Request Type

https://github.com/Mintplex-Labs/anything-llm/blob/adf7e8a9a7153690e0d66981425827c288b741cc/server/utils/helpers/camelcase.js#L25-L25

fix the issue need to validate the string parameter in the preserveCamelCase function to ensure it is a legitimate string with a reasonable length. This can be achieved by:

  1. Adding a check at the beginning of the preserveCamelCase function to ensure string is a string and its length is within acceptable bounds.
  2. If the string parameter fails validation, we should throw an error or return a default value to prevent further processing.

Using the .length property of an untrusted object as a loop bound may cause indefinite looping since a malicious attacker can set the .length property to a very large number, when a program that expects an array is passed a JSON object such as {length: 1e100}, the loop will be run for 10100 iterations. This may cause the program to hang or run out of memory, which can be used to mount a denial-of-service (DoS) attack.

Recommendation

Either check that the object is indeed an array or limit the size of the .length property.

  • feat
  • 🐛 fix
  • ♻️ refactor
  • 💄 style
  • 🔨 chore
  • 📝 docs

Developer Validations

  • I ran yarn lint from the root of the repo & committed changes
  • Relevant documentation has been updated
  • I have tested my code functionality
  • Docker build succeeds locally

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/Mintplex-Labs/anything-llm/pull/3820 **Author:** [@odaysec](https://github.com/odaysec) **Created:** 5/13/2025 **Status:** ❌ Closed **Base:** `master` ← **Head:** `patch-1` --- ### 📝 Commits (2) - [`a4d816e`](https://github.com/Mintplex-Labs/anything-llm/commit/a4d816eee443b1ba6ff34a4c15f0c07ee3a884a8) Update camelcase.js - [`b21aee5`](https://github.com/Mintplex-Labs/anything-llm/commit/b21aee5d7edd966237d0cff2ac80628edd03188f) Merge branch 'master' into patch-1 ### 📊 Changes **1 file changed** (+4 additions, -0 deletions) <details> <summary>View changed files</summary> 📝 `server/utils/helpers/camelcase.js` (+4 -0) </details> ### 📄 Description ### Pull Request Type https://github.com/Mintplex-Labs/anything-llm/blob/adf7e8a9a7153690e0d66981425827c288b741cc/server/utils/helpers/camelcase.js#L25-L25 fix the issue need to validate the `string` parameter in the `preserveCamelCase` function to ensure it is a legitimate string with a reasonable length. This can be achieved by: 1. Adding a check at the beginning of the `preserveCamelCase` function to ensure `string` is a string and its length is within acceptable bounds. 2. If the `string` parameter fails validation, we should throw an error or return a default value to prevent further processing. --- Using the `.length` property of an untrusted object as a loop bound may cause indefinite looping since a malicious attacker can set the `.length` property to a very large number, when a program that expects an array is passed a JSON object such as `{length: 1e100}`, the loop will be run for 10100 iterations. This may cause the program to hang or run out of memory, which can be used to mount a denial-of-service (DoS) attack. ## Recommendation Either check that the object is indeed an array or limit the size of the `.length` property. <!-- For change type, change [ ] to [x]. --> - [ ] ✨ feat - [x] 🐛 fix - [ ] ♻️ refactor - [ ] 💄 style - [ ] 🔨 chore - [ ] 📝 docs ### Developer Validations <!-- All of the applicable items should be checked. --> - [ ] I ran `yarn lint` from the root of the repo & committed changes - [x] Relevant documentation has been updated - [x] I have tested my code functionality - [x] Docker build succeeds locally --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
yindo added the pull-request label 2026-02-22 18:35:47 -05:00
yindo closed this issue 2026-02-22 18:35:48 -05:00
yindo changed title from [PR #3820] Fix Loop bound injection via `preserveCamelCase` to [PR #3820] [CLOSED] Fix Loop bound injection via `preserveCamelCase` 2026-06-05 15:18:28 -04:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: Mintplex-Labs/anything-llm#4419