require-blob-url-revocation
Require revoking Blob URLs after use to prevent memory leaks.
⚠️ Security Issue
| Property | Value |
|---|---|
| CWE | CWE-401: Memory Leak |
| OWASP | A04:2021 - Insecure Design |
| CVSS | 5.3 (Medium) |
| Severity | MEDIUM |
📋 Description
Blob URLs created with URL.createObjectURL() consume memory until explicitly revoked with URL.revokeObjectURL(). Failing to revoke them causes memory leaks that can impact application performance and stability.
❌ Incorrect

```js
// Creating blob URL without revocation
const url = URL.createObjectURL(blob);
img.src = url;
// No revocation - memory leak!

// In a loop - major memory leak
files.forEach((file) => {
  const url = URL.createObjectURL(file);
  preview.src = url;
});
```

✅ Correct
```js
// Revoke after use
const url = URL.createObjectURL(blob);
img.src = url;
img.onload = () => URL.revokeObjectURL(url);

// Cleanup on component unmount (React example)
useEffect(() => {
  const url = URL.createObjectURL(file);
  setPreviewUrl(url);
  return () => URL.revokeObjectURL(url);
}, [file]);
```

🛠️ Options
```json
{
  "rules": {
    "@interlace/browser-security/require-blob-url-revocation": [
      "error",
      {
        "allowInTests": true
      }
    ]
  }
}
```

Known False Negatives
The following patterns are not detected due to static analysis limitations:
URL Stored Globally
Why: Global scope tracking not performed.
```js
// ❌ NOT DETECTED - Global storage
window.blobUrl = URL.createObjectURL(blob);
// Revocation may happen elsewhere
```

Mitigation: Track blob URLs explicitly. Use cleanup utilities.
Revocation in Different File
Why: Cross-file analysis not performed.
```js
// ❌ NOT DETECTED - Create in one file, revoke in another
export const url = URL.createObjectURL(blob);
// blobManager.js: revokeAll()
```

Mitigation: Keep creation and revocation in the same scope.
Framework Lifecycle
Why: Framework cleanup hooks not recognized.
```js
// ❌ NOT DETECTED - Angular OnDestroy
ngOnDestroy() { URL.revokeObjectURL(this.url); }
```

Mitigation: Framework-specific linting. Code review.
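The "track blob URLs explicitly, use cleanup utilities" mitigation and the ✅ Correct pattern above, as an added example that is not part of the rule's documentation or the @interlace package: `BlobUrlRegistry`, `showPreview` and the injectable `urlApi` parameter are hypothetical names chosen here, and the registry also revokes on image load errors, which an onload-only handler misses.

```javascript
// Added example (not the rule's own code): a registry that keeps blob URL
// creation and revocation in one place so nothing is leaked or revoked twice.
class BlobUrlRegistry {
  // urlApi is a hypothetical injectable parameter so the registry can be
  // exercised outside a browser; it defaults to the global URL object.
  constructor(urlApi = globalThis.URL) {
    this.urlApi = urlApi;
    this.live = new Map(); // url -> label, handy when hunting a leak
  }
  // Create a blob URL and record it as live.
  create(blob, label = "anonymous") {
    const url = this.urlApi.createObjectURL(blob);
    this.live.set(url, label);
    return url;
  }
  // Revoke one URL; false means unknown or already revoked.
  revoke(url) {
    if (!this.live.has(url)) return false;
    this.urlApi.revokeObjectURL(url);
    this.live.delete(url);
    return true;
  }
  // Release everything still live (teardown path); returns how many.
  revokeAll() {
    const n = this.live.size;
    for (const url of Array.from(this.live.keys())) this.revoke(url);
    return n;
  }
  liveCount() { return this.live.size; }
}

// Show a preview image and release its URL once the image has loaded or
// failed, closing the gap an onload-only handler leaves on load errors.
function showPreview(registry, imgEl, file) {
  const url = registry.create(file, file.name || "preview");
  const done = () => registry.revoke(url);
  imgEl.onload = done;
  imgEl.onerror = done;
  imgEl.src = url;
  return url;
}

// Stand-alone demo with a constructed Blob; runs only where Blob and
// URL.createObjectURL exist (browsers, Node 18+).
if (typeof Blob !== "undefined" && typeof URL.createObjectURL === "function") {
  const registry = new BlobUrlRegistry();
  const url = registry.create(new Blob(["constructed sample"]), "sample");
  console.log(registry.liveCount(), registry.revoke(url), registry.liveCount()); // 1 true 0
}
```

Calling `registry.revokeAll()` from a component's unmount or destroy hook gives the framework-lifecycle case a single, greppable release point.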