# Denial of Service via Unbounded Child Processes

- ID: javascript-unbounded-exec-dos
- Severity: MEDIUM
- CWE: Resource Exhaustion (CWE-400)
- Languages: JavaScript, TypeScript
- Frameworks: express, fastify, nextjs

## Description

Detects child process execution (`exec`, `spawn`) without proper resource limits. Without a `timeout` or `maxBuffer` configuration, these processes can:

- Hang indefinitely, consuming server resources
- Flood memory with unbounded output
- Enable DoS attacks through resource exhaustion

This is especially critical when the command can be influenced by user input or interacts with external resources (network requests, git operations, etc.).

## Detection Message

Child process execution at {sink} lacks resource limits (timeout/maxBuffer). Commands like ping, git clone, curl, or npm install can hang indefinitely or flood memory. This enables DoS attacks through resource exhaustion.

## Remediation

Configure `timeout` and `maxBuffer` for child process execution:

```javascript
const { exec } = require('child_process');
const { promisify } = require('util');
const execPromise = promisify(exec);

// timeout kills a hung child after 5 s; maxBuffer aborts once output exceeds 100 KiB.
// These bound resource use only: `domain` still needs validation before it reaches a shell.
async function pingHost(domain) {
  const { stdout } = await execPromise(`ping -c 4 ${domain}`, { timeout: 5000, maxBuffer: 1024 * 100 });
  return stdout;
}
```

Learn more: https://shoulder.dev/learn/javascript/cwe-400/unbounded-exec-dos

## Related Rules

- **LLM Denial of Service** [MEDIUM]
- **Missing Request Size Limits** [MEDIUM]
- **Denial of Service via Resource Exhaustion** [MEDIUM]
- **Missing Resource Limits** [MEDIUM]