Plugin: mongodb-securityRules
no-unbounded-find
ESLint rule documentation for no-unbounded-find
Keywords: CWE-400, resource exhaustion, limit, MongoDB, DoS, security
Requires limit() on find queries to prevent resource exhaustion from unbounded result sets.
⚠️ This rule warns by default in the recommended config.
Quick Summary
| Aspect | Details |
|---|---|
| CWE Reference | CWE-400 (Uncontrolled Resource Consumption) |
| OWASP | A04:2021 - Insecure Design |
| Severity | Low (CVSS: 4.3) |
| Category | Security |
Error Message Format
The rule reports a compact two-line message, written to be readable both by humans and by LLM-based tooling, that carries the risk standards, the finding, the severity and a reference. For this rule it reads:
🔒 CWE-400 OWASP:A04 CVSS:4.3 | Uncontrolled Resource Consumption detected | LOW
Fix: Review and apply the recommended fix | https://owasp.org/Top10/A04_2021-Insecure_Design/
Message Components
| Component | Purpose | Example |
|---|---|---|
| Risk Standards | Security benchmarks | CWE-400 OWASP:A04 CVSS:4.3 |
| Issue Description | Specific vulnerability | Uncontrolled Resource Consumption detected |
| Severity & Compliance | Impact assessment | LOW |
| Fix Instruction | Actionable remediation | Review and apply the recommended fix |
| Technical Truth | Official reference | OWASP Top 10 |
Rule Details
A find() with no limit() returns every document that matches the filter. With Mongoose, `await Model.find()` materializes the whole result set as an array in the Node.js process, so the cost lands on the application server as well as on the database. Unbounded queries can:
- Exhaust memory in the application process, and put sustained load on mongod while the scan runs
- Cause denial of service, by accident (a collection that has grown) or on purpose (an attacker choosing a filter that matches everything)
- Degrade database performance for every other client
- Expose far more data than the caller needs
❌ Incorrect

```javascript
// No limit - could return millions of documents
const users = await User.find({ active: true });

// Cursor without limit
const cursor = db.collection('logs').find({});
```

✅ Correct

```javascript
// Explicit limit
const users = await User.find({ active: true }).limit(100);

// Pagination: page and pageSize come from the caller, so both must be
// validated and capped before they reach skip()/limit()
const users = await User.find()
  .skip((page - 1) * pageSize)
  .limit(pageSize);

// findOne is inherently limited
const user = await User.findOne({ email });
```

Known False Negatives
Limit in Options Object
The rule looks for a chained `.limit()` call. A limit supplied through the options argument (Mongoose's `Model.find(filter, projection, options)`, or the driver's `collection.find(filter, { limit })`) is not detected:

```javascript
// ❌ NOT DETECTED
User.find({}, null, { limit: 100 });
```

Dynamic Limit
The rule also does not inspect the argument of `.limit()`. A dynamic value satisfies the rule but is only as safe as its source: `config.maxResults` may be missing, user-controlled or 0, and `limit(0)` means no limit in MongoDB. Validate and cap such values where they are produced.

```javascript
// ❌ NOT DETECTED (passes the rule; bounded only if config.maxResults is)
User.find().limit(config.maxResults);
```

When Not To Use It
- Batch processing jobs that intentionally process all documents (iterate the cursor in batches rather than materializing an array)
- When using streaming cursors for pagination
- Admin dashboards with controlled access, where the result set is bounded by the data rather than by untrusted input
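The pagination snippet under Correct and the Dynamic Limit case above both leave the real question open: where does the bound on `limit` come from? The following is an added example, not code from the plugin or its documentation. It clamps caller-supplied `page`/`pageSize` before they reach `skip()`/`limit()`; `DEFAULT_PAGE_SIZE`, `MAX_PAGE_SIZE` and `MAX_SKIP` are assumed policy values, and `InMemoryQuery` is a stand-in for a Mongoose/driver query object so the code runs without a database.

```javascript
// Added example (not part of the plugin's documentation). Bounds a caller-supplied
// page/pageSize so the value passed to .limit() is always a small positive integer,
// and shows the effect on an in-memory stand-in for a query object.
// DEFAULT_PAGE_SIZE, MAX_PAGE_SIZE and MAX_SKIP are assumed policy values.

const DEFAULT_PAGE_SIZE = 20;
const MAX_PAGE_SIZE = 100;
// skip() makes the server walk and discard the skipped documents, so a huge
// page number is itself a resource-consumption vector; cap the offset too.
const MAX_SKIP = 10000;

// Parse an untrusted query-string value; fall back when it is not an integer.
function toInt(value, fallback) {
  const n = Number.parseInt(String(value), 10);
  return Number.isSafeInteger(n) ? n : fallback;
}

// Returns { skip, limit } with limit in [1, MAX_PAGE_SIZE] and skip in [0, MAX_SKIP]
// regardless of input. The floor of 1 matters: limit(0) means "no limit" in MongoDB.
function boundedPage(query = {}) {
  const pageSize = Math.min(Math.max(toInt(query.pageSize, DEFAULT_PAGE_SIZE), 1), MAX_PAGE_SIZE);
  const page = Math.max(toInt(query.page, 1), 1);
  const skip = Math.min((page - 1) * pageSize, MAX_SKIP);
  return { skip, limit: pageSize };
}

// Apply the bound to anything exposing the Mongoose/driver-style chain,
// e.g. applyPage(User.find({ active: true }), req.query).
function applyPage(find, query) {
  const { skip, limit } = boundedPage(query);
  return find.skip(skip).limit(limit);
}

// In-memory stand-in for a query object (assumption, not a real driver class).
class InMemoryQuery {
  constructor(docs) { this.docs = docs; this._skip = 0; this._limit = null; }
  skip(n) { this._skip = n; return this; }
  limit(n) { this._limit = n; return this; }
  // Mirrors MongoDB semantics: limit 0 / unset returns everything after skip.
  exec() {
    const start = this._skip;
    const end = this._limit ? start + this._limit : undefined;
    return this.docs.slice(start, end);
  }
}

// Constructed sample collection: 250 documents with _id 0..249.
const SAMPLE_DOCS = Array.from({ length: 250 }, (_, i) => ({ _id: i }));

// Unbounded: everything comes back.
const all = new InMemoryQuery(SAMPLE_DOCS).exec();
// Bounded: a hostile pageSize is clamped to MAX_PAGE_SIZE.
const clamped = applyPage(new InMemoryQuery(SAMPLE_DOCS), { page: '1', pageSize: '1000000' }).exec();
console.log(all.length, clamped.length); // 250 100
```

The same clamping belongs on `config.maxResults` at configuration load time, since the rule cannot see what that value is. For deep pagination a range query on an indexed field (`_id` greater than the last id seen) avoids the cost of `skip()` entirely and still satisfies the rule as long as `.limit()` is chained.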