@codemod/koa-body-parser-size-limits
Transform Koa.js applications using koa-body or koa-bodyparser without size limits to include proper limits and prevent DoS attacks through large payloads.
Security Issue
Koa.js applications without request body size limits are vulnerable to DoS attacks through large payloads (CWE-770: Allocation of Resources Without Limits or Throttling): the body parser buffers whatever the client sends, so a single oversized request can exhaust memory. This codemod adds jsonLimit and formLimit options to koa-body and koa-bodyparser middleware calls so that oversized bodies are rejected instead of being buffered in full, preventing resource exhaustion attacks.
Installation
bash
What it does
This codemod automatically adds size limits to Koa body parser middleware configurations:
Before
javascript
After
javascript
Supported Patterns
- koa-body middleware calls (ES6 imports, CommonJS requires, various aliases)
- koa-bodyparser middleware calls (ES6 imports, CommonJS requires, various aliases)
- Existing configuration objects (adds missing limits)
- Multiple import patterns: default imports, namespace imports, aliased imports
Examples
CommonJS require:
javascript
Existing configuration:
javascript
Namespace imports:
javascript
What it skips
- Files already containing both jsonLimit and formLimit configurations
- Test files (*.test.js, *.spec.js, files containing describe() or it())
- Files with non-koa body parser middleware
- Files where body parsing is disabled entirely
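The rewrite described under "What it does", "Supported Patterns" and "What it skips", as an added illustration that is not the codemod's own source: a simplified, regex-based transform that resolves the local binding name of koa-body or koa-bodyparser (ESM default, ESM namespace, CommonJS require), adds whichever of jsonLimit and formLimit is missing, leaves calls that already have both untouched, and skips sources containing describe() or it(). The real codemod is assumed to work on an AST; this version only handles calls whose argument is a flat, nesting-free object literal, and the sample input is constructed.

```javascript
// Default limits the README states; values are emitted as source text.
const LIMITS = { jsonLimit: "'10mb'", formLimit: "'10mb'" };

// Collect the local names bound to koa-body / koa-bodyparser: ESM default
// imports, ESM namespace imports and CommonJS requires.
function findBindings(src) {
  const names = new Set();
  const patterns = [
    /import\s+(?:\*\s+as\s+)?(\w+)\s+from\s+['"](?:koa-body|koa-bodyparser)['"]/g,
    /(?:const|let|var)\s+(\w+)\s*=\s*require\(\s*['"](?:koa-body|koa-bodyparser)['"]\s*\)/g,
  ];
  for (const re of patterns) {
    let m;
    while ((m = re.exec(src)) !== null) names.add(m[1]);
  }
  return names;
}

// The README's test-file rule: skip sources that look like test suites.
function isTestFile(src) {
  return /\b(?:describe|it)\s*\(/.test(src);
}

// Rewrite every `name()` / `name({ ... })` (or `name.default(...)` for a
// namespace import) so both limits are present. Calls that already carry both
// are returned unchanged, and existing limit values are never overwritten.
function addBodyLimits(src) {
  if (isTestFile(src)) return src;
  let out = src;
  for (const name of findBindings(src)) {
    const call = new RegExp(`\\b${name}(\\.default)?\\(\\s*(\\{[^{}]*\\})?\\s*\\)`, 'g');
    out = out.replace(call, (whole, dflt, obj) => {
      const body = obj ? obj.slice(1, -1).trim().replace(/,\s*$/, '') : '';
      const missing = Object.entries(LIMITS)
        .filter(([key]) => !new RegExp(`\\b${key}\\s*:`).test(body))
        .map(([key, value]) => `${key}: ${value}`);
      if (missing.length === 0) return whole; // already limited: skip
      const fields = [body, ...missing].filter(Boolean).join(', ');
      return `${name}${dflt || ''}({ ${fields} })`;
    });
  }
  return out;
}

// Constructed sample input covering the three cases: no options, partial, complete.
const SAMPLE = [
  "const koaBody = require('koa-body');",
  "app.use(koaBody());",
  "app.use(koaBody({ jsonLimit: '1mb' }));",
  "app.use(koaBody({ jsonLimit: '1mb', formLimit: '1mb' }));",
].join('\n');
console.log(addBodyLimits(SAMPLE));
```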
Configuration
The default size limits are set to 10mb for both JSON and URL-encoded form data, a default chosen to reject abusive payloads without breaking typical applications. You can manually adjust these limits to fit your application's actual payload sizes after the transformation; note that jsonLimit and formLimit cover only JSON and form bodies, and that other body types (text, multipart) have their own options in the linked koa-body and koa-bodyparser documentation.
Security References
- CWE-770: Allocation of Resources Without Limits or Throttling
- koa-body Options Documentation
- koa-bodyparser Options Documentation
Development
bash
License
MIT