Problem
The stopsForLocation endpoint has a Denial of Service (DoS) vulnerability and an inconsistency in error handling:
- DoS Vector: The handler iterates over every comma-separated token in the
routeType parameter. For every invalid token, it appends a new string to the fieldErrors slice without limit. A request with thousands of invalid tokens can cause memory exhaustion (OOM) and CPU spikes.
- Inconsistency: The current error message (
invalid route type: <input>) does not match the application's standard generic format (Invalid field value for field "routeType".) used in internal/utils.
Proposed Solution
Update internal/restapi/stops_for_location_handler.go to:
- Cap Input Size: Limit the number of
routeType tokens processed (e.g., max 100) to prevent CPU exhaustion.
- Cap Error Count: Limit the number of validation errors stored (e.g., max 10) to prevent memory exhaustion.
- Standardize Errors: Use the standard generic error message format to match the rest of the API and pass strict validation tests.
Impact
High. Prevents low-complexity DoS attacks and improves API consistency.
Problem
The
stopsForLocationendpoint has a Denial of Service (DoS) vulnerability and an inconsistency in error handling:routeTypeparameter. For every invalid token, it appends a new string to thefieldErrorsslice without limit. A request with thousands of invalid tokens can cause memory exhaustion (OOM) and CPU spikes.invalid route type: <input>) does not match the application's standard generic format (Invalid field value for field "routeType".) used ininternal/utils.Proposed Solution
Update
internal/restapi/stops_for_location_handler.goto:routeTypetokens processed (e.g., max 100) to prevent CPU exhaustion.Impact
High. Prevents low-complexity DoS attacks and improves API consistency.