Unchecked dynamic invocation in mockotlpserver http leading to possible request crash #1133

@liamanderson-dev

Description

```js
const parseData = parsersMap[contentType] || unknownParser;
```

The mockotlpserver HTTP handler performs a dynamic lookup and invocation of an action based on a client-supplied identifier without sufficiently validating that the lookup yields a callable function or that the property is an own property of the actions map. If a client supplies an invalid or unexpected action name, the handler may attempt to call a non-function and throw a TypeError. If not handled properly, this can be triggered by remote clients and cause request failures or service instability (denial-of-service).

Details

  • The code looks up an action by name (from the request) and calls the result directly without ensuring:
    1. The looked-up value is an own property of the action map (i.e., not an inherited prototype property).
    2. The looked-up value is actually a function (typeof value === 'function') before invocation.
  • In JavaScript, dynamic property access can resolve to undefined, non-function values, or inherited methods (such as those on Object.prototype) that will throw if invoked with unexpected arguments. Attempting to call a non-function will raise a TypeError and, if unhandled, may bubble and result in request failures or process instability.
  • The handler is exposed to network clients (mock OTLP server), so this vector is reachable by untrusted input.

https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Map
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/prototype
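The following is an added, self-contained example (not mockotlpserver's own code) contrasting the `||`-fallback lookup quoted above with a dispatch that applies both checks from the Details list. The parser names (`parseJson`, `parseProto`, `unknownParser`), the `parsersMap` keys, and the `handleRequest` wrapper are constructed for illustration; the point it makes is that `||` only catches falsy lookups, so an inherited, truthy, non-function value such as the one reached through the `__proto__` key still gets invoked.

```javascript
// Added example, not code from the mockotlpserver project.
// parseJson / parseProto / unknownParser / parsersMap are constructed names.

function parseJson(body) {
  return { format: 'json', value: JSON.parse(body) };
}

function parseProto(body) {
  return { format: 'protobuf', bytes: body.length };
}

function unknownParser(body) {
  return { format: 'unknown', bytes: body.length };
}

// Plain object literal: inherits from Object.prototype, so keys like
// "__proto__", "constructor" or "toString" resolve to inherited values.
const parsersMap = {
  'application/json': parseJson,
  'application/x-protobuf': parseProto,
};

// The pattern from the issue. `||` replaces undefined/null with the fallback,
// but any truthy non-function (e.g. Object.prototype itself) passes through
// and the call below throws TypeError.
function dispatchUnchecked(contentType, body) {
  const parseData = parsersMap[contentType] || unknownParser;
  return parseData(body);
}

// Hardened selection: require a string key, an own property of the map,
// and a function value; anything else falls back to unknownParser.
function selectParser(contentType) {
  if (typeof contentType !== 'string') return unknownParser;
  if (!Object.hasOwn(parsersMap, contentType)) return unknownParser; // own-property check
  const candidate = parsersMap[contentType];
  return typeof candidate === 'function' ? candidate : unknownParser; // callable check
}

function dispatchChecked(contentType, body) {
  return selectParser(contentType)(body);
}

// Handler-level containment: a parser may still throw on malformed input
// (JSON.parse on bad JSON), so the request is answered with a 4xx instead of
// letting the exception escape the handler.
function handleRequest(contentType, body) {
  try {
    const result = dispatchChecked(contentType, body);
    return { status: 200, result };
  } catch (err) {
    return { status: 400, error: err.name };
  }
}

// Constructed sample inputs showing the difference between the two dispatchers.
function demo() {
  const out = {};
  try {
    dispatchUnchecked('__proto__', 'x');
    out.unchecked = 'no error';
  } catch (err) {
    out.unchecked = err.name; // "TypeError"
  }
  out.checked = dispatchChecked('__proto__', 'x').format; // "unknown"
  out.badJson = handleRequest('application/json', 'not json').status; // 400
  return out;
}

module.exports = { dispatchUnchecked, dispatchChecked, selectParser, handleRequest, demo };
```

A `Map` (or an object created with `Object.create(null)`) removes the inherited-property class of inputs entirely, but the `typeof === 'function'` check and the handler-level `try`/`catch` are still worth keeping so that a misconfigured map entry or a throwing parser degrades to a rejected request rather than a crashed process.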
