From d3ccb3ce9c827ed6f03fb523524d0575ae080e79 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timo=20K=C3=B6ssler?=
Date: Mon, 9 Dec 2024 14:15:21 +0100
Subject: [PATCH] Limit maximum attack paths

---
 library/helpers/attackPath.test.ts | 17 +++++++++++++++++
 library/helpers/attackPath.ts | 7 +++++++
 2 files changed, 24 insertions(+)

diff --git a/library/helpers/attackPath.test.ts b/library/helpers/attackPath.test.ts
index c63d6fb9..fc772370 100644
--- a/library/helpers/attackPath.test.ts
+++ b/library/helpers/attackPath.test.ts
@@ -57,3 +57,20 @@ t.test("it works with jwt", async (t) => {
 t.same(get("1234567890", testObj2), [".a.b.c.sub"]);
 t.same(get("notfound", testObj2), []);
 });
+
+t.test("maximum match count of 10", async (t) => {
+ const testArr = Array.from({ length: 20 }, () => "test");
+
+ t.same(get("test", testArr), [
+ ".[0]",
+ ".[1]",
+ ".[2]",
+ ".[3]",
+ ".[4]",
+ ".[5]",
+ ".[6]",
+ ".[7]",
+ ".[8]",
+ ".[9]",
+ ]);
+});
diff --git a/library/helpers/attackPath.ts b/library/helpers/attackPath.ts
index 736a7a0a..71a9753f 100644
--- a/library/helpers/attackPath.ts
+++ b/library/helpers/attackPath.ts
@@ -1,6 +1,9 @@
 import { isPlainObject } from "./isPlainObject";
 import { tryDecodeAsJWT } from "./tryDecodeAsJWT";
 
+// Maximum match count to return
+const MAX_MATCH_COUNT = 10;
+
 export type PathPart =
 | { type: "jwt" }
 | { type: "object"; key: string }
@@ -37,6 +40,10 @@ export function getPathsToPayload(
 const attackPayloadLowercase = attackPayload.toLowerCase();
 
 const traverse = (value: unknown, path: PathPart[] = []) => {
+ if (matches.length >= MAX_MATCH_COUNT) {
+ return;
+ }
+
 // Handle strings
 if (typeof value === "string") {
 if (value.toLowerCase() === attackPayloadLowercase) {
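Review bot: The new test only exercises the cap on a flat array of twenty identical strings, so it does not show that the early return also stops collection once recursion goes through nested objects or arrays, which is where an attacker-controlled body would most likely put many matches. A second case that places the matches at mixed depths (e.g. an array of objects that each hold the payload under a key) and asserts that exactly `MAX_MATCH_COUNT` paths come back in traversal order would pin that down. Since the constant is module-private, the test hard-codes `10` in its name and expected list; exporting it or naming the literal in the test would keep the two from drifting. The test file's surrounding helpers (`get`, `testObj2`) are defined outside the hunk.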
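Review bot: The guard at the top of `traverse` in the last hunk caps how many paths are collected but, as far as this hunk shows, not how much of the value is walked: presumably the array and object branches further down in `traverse` (outside the hunk) still invoke `traverse` once per remaining child after the cap is hit, so each of those calls returns immediately but a very large body is still iterated in full. If the limit is also meant to bound work on untrusted input, those child loops should check `matches.length >= MAX_MATCH_COUNT` and break, rather than relying on the entry check alone. The cap also silently changes the contract of the exported `getPathsToPayload`; its doc comment above the hunk should state `Returns at most MAX_MATCH_COUNT matching paths, in traversal order; further matches are dropped.` Both `getPathsToPayload` and `traverse` continue outside the hunk.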