
event-loop-lag suffers a DoS issue with an argument exceeding a 32-bit signed integer #15

@zyscoder

Description


Version

node v22.11.0
npm 10.9.0

Platform

Linux u24vm 6.8.0-48-generic #48-Ubuntu SMP PREEMPT_DYNAMIC Fri Sep 27 14:04:52 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

What steps will reproduce the bug?

1. Install the package event-loop-lag:
   a. npm init -y
   b. npm shrinkwrap
   c. npm install --save event-loop-lag
   d. npm audit fix

   The final package.json is as follows:

   ```json
   {
     "name": "package-f193893ddb5cb31ca29696269cfd6ee6",
     "version": "1.0.0",
     "main": "index.js",
     "scripts": {
       "test": "echo \"Error: no test specified\" && exit 1"
     },
     "keywords": [],
     "author": "",
     "license": "ISC",
     "description": "",
     "dependencies": {
       "event-loop-lag": "^1.4.0"
     }
   }
   ```

2. Start a node instance:
   node

3. Run the following JavaScript code:
   ```js
   var lib = await import('event-loop-lag');
   var result = lib.default(3471846583);
   ```

Then the node instance will be stuck in an infinite loop, continuously outputting the TimeoutOverflowWarning message:

```
(node:1083637) TimeoutOverflowWarning: 3471846583 does not fit into a 32-bit signed integer.
Timeout duration was set to 1.
(node:1083637) TimeoutOverflowWarning: 3471846583 does not fit into a 32-bit signed integer.
Timeout duration was set to 1.
(node:1083637) TimeoutOverflowWarning: 3471846583 does not fit into a 32-bit signed integer.
Timeout duration was set to 1.
...
```

How often does it reproduce? Is there a required condition?

This issue can always be triggered following the steps above.

What is the expected behavior? Why is that the expected behavior?

Before passing the number parameter to setTimeout, check whether the number fits the requirement of setTimeout (a 32-bit signed integer) to avoid the DoS attack.
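The check the report asks for, as an added example that is not event-loop-lag's own code: `validateIntervalMs` and the `createLagSampler` sketch are hypothetical names written here to show the interval being rejected before any timer is scheduled, so an out-of-range value raises a RangeError instead of being clamped to 1 ms by Node.

```javascript
// Added example, not the library's source. Node clamps a setTimeout delay
// outside the 32-bit signed range to 1 ms (emitting TimeoutOverflowWarning),
// so an unchecked oversized interval turns a "sample every N ms" timer into
// a tight 1 ms loop. Reject such values up front instead.
const MAX_TIMER_MS = 2 ** 31 - 1; // largest delay Node's timers accept

// Returns the usable whole-millisecond interval or throws a RangeError.
function validateIntervalMs(interval) {
  if (typeof interval !== 'number' || !Number.isFinite(interval)) {
    throw new RangeError(`interval must be a finite number, got ${interval}`);
  }
  if (interval < 1 || interval > MAX_TIMER_MS) {
    throw new RangeError(`interval ${interval} is outside 1..${MAX_TIMER_MS} ms`);
  }
  return Math.floor(interval);
}

// Keep a timer from holding the process open (Node-only API; guarded).
function detach(timer) {
  if (timer && typeof timer.unref === 'function') timer.unref();
  return timer;
}

// Hypothetical lag sampler: reports how late each scheduled tick fired.
// The interval is validated once, before the first setTimeout call.
function createLagSampler(interval) {
  const ms = validateIntervalMs(interval);
  let lag = 0;
  let start = Date.now();
  let timer = null;
  const tick = () => {
    const now = Date.now();
    lag = Math.max(0, now - start - ms); // delay beyond the requested period
    start = now;
    timer = detach(setTimeout(tick, ms));
  };
  timer = detach(setTimeout(tick, ms));
  return {
    lag: () => lag,
    stop: () => clearTimeout(timer),
  };
}
```

Calling `createLagSampler(3471846583)` with this check in place throws immediately rather than scheduling anything.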
