Fix Unrestricted Resource Consumption in Feathers
FeathersJS services are quick to build, but without explicit resource boundaries they are easy to deny service to. Unless a service is configured with pagination, the database adapters apply a client-supplied '$limit' as-is (and return the whole collection when none is given), and the Express body parsers accept payloads far larger than most APIs need, so a handful of requests can exhaust heap memory and database connections. To secure a Feathers app, enforce server-side pagination limits and cap the incoming request body size.
The Vulnerable Pattern
const { Service } = require('feathers-memory');

// VULNERABLE: no pagination limits defined, so the client-supplied $limit is
// applied as-is (and omitting it returns the whole collection).
// An attacker can call /messages?$limit=1000000 to crash the process.
module.exports = function (app) {
  app.use('/messages', new Service());
};
The Secure Implementation
The vulnerability lies in trusting client-provided query parameters. An attacker can set '$limit' to force the server to fetch and buffer an arbitrary number of records, leading to Out-of-Memory (OOM) errors. The fix sets a 'paginate' option with 'default' and 'max': the Feathers database adapters use 'max' to clamp whatever '$limit' the client sends, and 'default' applies when the client sends none. Note that the clamp is only active when 'default' is set; a 'paginate' option containing only 'max' leaves '$limit' unrestricted. Pagination can be switched off per call only through 'params.paginate', which clients cannot set, so the cap holds for every external request. Additionally, we use Express middleware to restrict the JSON and URL-encoded body size, preventing attackers from sending massive arrays or strings designed to spike CPU usage during parsing. That body limit covers only the REST transport; if the app also exposes services over Socket.io, bound message size there with the Socket.io server's 'maxHttpBufferSize' option.
const { Service } = require('feathers-memory');
const express = require('@feathersjs/express');

module.exports = function (app) {
  // 1. Enforce payload size limits at the Express level.
  //    Register the parsers before the service so the REST transport
  //    never buffers an oversized body on the way to it.
  app.use(express.json({ limit: '10kb' }));
  app.use(express.urlencoded({ extended: true, limit: '10kb' }));

  // 2. Enforce hard pagination limits on the service.
  app.use('/messages', new Service({
    paginate: {
      default: 10,
      max: 50 // Hard cap: even if the client sends $limit=9999, it is clamped to 50
    }
  }));
};
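To see the clamp in action without a running Feathers app, here is an added example (not code from the page or from the Feathers project): a small in-memory service that reproduces how the Feathers database adapters parse and clamp '$limit', run against both the vulnerable and the hardened configuration. The 'parseLimit' and 'getLimit' helpers are assumed to follow the adapter semantics (absolute integer parse, then min against 'paginate.max', active only when 'paginate.default' is set); the 'MessageService' class and the 'MESSAGES' dataset are constructed for this example.

```javascript
'use strict';
// Added example, not Feathers' own code: models how a Feathers database adapter
// turns a client-controlled `$limit` into the number of rows it actually buffers.
// Assumption: parseLimit/getLimit mirror the adapter's semantics.

// Constructed dataset standing in for the /messages collection.
const MESSAGES = Array.from({ length: 200 }, (_, i) => ({ id: i, text: `message ${i}` }));

// `$limit` arrives as a string over REST ("9999") and as a number over websockets.
// Undefined stays undefined; anything else becomes a non-negative integer,
// so `$limit=-1` cannot be used to ask for "everything".
function parseLimit(value) {
  if (typeof value === 'undefined') return undefined;
  return Math.abs(parseInt(value, 10));
}

// With pagination enabled, the effective limit is min(requested-or-default, max).
// Without `paginate.default`, the client's value is returned unchanged
// (undefined means no cap at all).
function getLimit(limit, paginate) {
  if (paginate && paginate.default) {
    const lower = typeof limit === 'number' && !isNaN(limit) ? limit : paginate.default;
    const upper = typeof paginate.max === 'number' ? paginate.max : Number.MAX_VALUE;
    return Math.min(lower, upper);
  }
  return limit;
}

// Hypothetical service modelled on the adapter's find(): `params.query` is
// client-controlled, `params.paginate` is server-only and overrides the default.
class MessageService {
  constructor(options = {}) {
    this.paginate = options.paginate;
    this.store = options.store || MESSAGES;
  }

  find(params = {}) {
    const query = params.query || {};
    const paginate = typeof params.paginate !== 'undefined' ? params.paginate : this.paginate;
    const limit = getLimit(parseLimit(query.$limit), paginate);
    const skip = parseLimit(query.$skip) || 0;
    const total = this.store.length;
    const data = typeof limit === 'undefined'
      ? this.store.slice(skip)
      : this.store.slice(skip, skip + limit);
    // Paginated services return an envelope; unpaginated ones return a bare array.
    if (paginate && paginate.default) return { total, limit, skip, data };
    return data;
  }
}

// VULNERABLE: no paginate option, so the client decides how much gets buffered.
const vulnerable = new MessageService();
// HARDENED: the configuration from the secure implementation above.
const hardened = new MessageService({ paginate: { default: 10, max: 50 } });

// Number of rows a given query actually yields against a service.
function rowsReturned(service, query, params = {}) {
  const result = service.find({ ...params, query });
  return Array.isArray(result) ? result.length : result.data.length;
}

// Usage: compare what a hostile `$limit` yields against each configuration.
console.log(rowsReturned(vulnerable, { $limit: '9999' })); // 200: entire collection
console.log(rowsReturned(hardened, { $limit: '9999' }));   // 50: clamped to max
console.log(rowsReturned(hardened, {}));                   // 10: default applied
```

The last branch worth knowing is the server-side override: 'hardened.find({ paginate: false })' still returns the whole collection, which is what internal jobs use, and it is safe precisely because nothing a client sends reaches 'params.paginate'.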
Verified by Ghost Labs Security Team