Interlace ESLint

no-unbounded-find

Requires `limit()` on find queries to prevent resource exhaustion from unbounded result sets.

Keywords: CWE-400, resource exhaustion, limit, MongoDB, DoS, security

⚠️ This rule warns by default in the recommended config.

Quick Summary

| Aspect | Details |
| --- | --- |
| CWE Reference | CWE-400 (Resource Exhaustion) |
| OWASP | A04:2021 - Insecure Design |
| Severity | Low (CVSS: 4.3) |
| Category | Security / Performance |

Error Message Format

The rule emits LLM-optimized error messages in a compact two-line format with actionable security guidance:

```text
🔒 CWE-400 OWASP:A06 CVSS:7.5 | Uncontrolled Resource Consumption (ReDoS) detected | HIGH
   Fix: Review and apply the recommended fix | https://owasp.org/Top10/A06_2021/
```

Message Components

| Component | Purpose | Example |
| --- | --- | --- |
| Risk Standards | Security benchmarks | CWE-400 OWASP:A06 CVSS:7.5 |
| Issue Description | Specific vulnerability | Uncontrolled Resource Consumption (ReDoS) detected |
| Severity & Compliance | Impact assessment | HIGH |
| Fix Instruction | Actionable remediation | Follow the remediation steps below |
| Technical Truth | Official reference | OWASP Top 10 |

Rule Details

Unbounded queries can:

  • Exhaust server memory
  • Cause denial of service
  • Impact database performance
  • Expose excessive data

❌ Incorrect

```javascript
// No limit - could return millions of documents
const users = await User.find({ active: true });

// Cursor without limit
const cursor = db.collection('logs').find({});
```

✅ Correct

```javascript
// Explicit limit
const users = await User.find({ active: true }).limit(100);

// Pagination (page and pageSize are supplied by the caller)
const pageOfUsers = await User.find()
  .skip((page - 1) * pageSize)
  .limit(pageSize);

// findOne is inherently limited to a single document
const user = await User.findOne({ email });
```

Known False Negatives

Limit in Options Object

```javascript
// ❌ NOT DETECTED
User.find({}, null, { limit: 100 });
```

Dynamic Limit

```javascript
// ❌ NOT DETECTED
User.find().limit(config.maxResults);
```
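The lint rule can only check that a `limit()` call is present, not that its value is sane, and the options-object and dynamic-limit forms above escape it entirely. The following is an added example, not code from the Interlace ESLint project: a runtime guard that routes every read through one paginating helper so a limit is always applied and any caller-supplied page size is capped. It assumes a Mongoose-style model exposing chainable `find().skip().limit()`; `DEFAULT_PAGE_SIZE` and `MAX_PAGE_SIZE` are assumed values.

```javascript
// Assumed ceilings (not from the plugin): tune per collection.
const DEFAULT_PAGE_SIZE = 50;
const MAX_PAGE_SIZE = 200;

// Normalise untrusted pagination input (e.g. req.query) into safe integers.
// Non-numeric or out-of-range values fall back to defaults instead of being
// passed through to the query.
function normalisePaging({ page, pageSize } = {}) {
  const p = Number.parseInt(page, 10);
  const s = Number.parseInt(pageSize, 10);
  return {
    page: Number.isInteger(p) && p >= 1 ? p : 1,
    pageSize: Number.isInteger(s) && s >= 1
      ? Math.min(s, MAX_PAGE_SIZE)
      : DEFAULT_PAGE_SIZE,
  };
}

// Every read path goes through here, so limit() is always applied and a
// dynamic limit (the case the rule cannot see) is capped at MAX_PAGE_SIZE.
// `model` is anything exposing find().skip().limit().
function pagedFind(model, filter, paging) {
  const { page, pageSize } = normalisePaging(paging);
  return model.find(filter).skip((page - 1) * pageSize).limit(pageSize);
}

// Constructed stand-in for a Mongoose model so the example runs offline:
// it records the chain in `state` instead of hitting MongoDB.
function fakeModel() {
  const state = { filter: null, skip: 0, limit: null };
  const query = {
    state,
    skip(n) { state.skip = n; return query; },
    limit(n) { state.limit = n; return query; },
  };
  return { find(filter) { state.filter = filter; return query; } };
}

// A request asking for 100000 rows on page 3 is served 200 rows at most.
const q = pagedFind(fakeModel(), { active: true }, { page: '3', pageSize: '100000' });
// q.state is { filter: { active: true }, skip: 400, limit: 200 }
```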

When Not To Use It

  • For batch processing jobs that intentionally process all documents
  • When using streaming cursors for pagination
  • Admin dashboards with controlled access
