recursion-dos
Install: claude install-skill Liaabnormal676/find-cve-agent
# Recursion DoS Detection
## When to Use
Audit parsers, serializers, tree walkers, deep clone/merge functions, and any recursive function that processes user-controlled data structures with unbounded nesting depth.
## Key Distinction: OOM vs RangeError
| Crash Type | Severity | Catchable? | Process Dies? |
|------------|----------|------------|---------------|
| OOM (heap exhaustion) | HIGH 7.5 | NO | YES -- uncatchable, process killed |
| RangeError (stack overflow) | MEDIUM 5.3-6.5 | YES (try/catch) | Only if uncaught |
**OOM crash** = process dies regardless of error handling. This is HIGH severity.
**RangeError** = catchable in try/catch. Only HIGH if the library does NOT catch it.
## Process
### Step 1: Find Recursive Functions
```
grep -rn "function.*recurse\|function.*recursive\|function.*walk\|function.*traverse" .
grep -rn "function.*serialize\|function.*stringify\|function.*clone\|function.*deep" .
grep -rn "function.*parse\|function.*process\|function.*visit\|function.*transform" .
```
Look for functions that call themselves:
```
# Find function definitions and then check if they self-reference
grep -rn "function\s\+\w\+" . --include="*.js" | head -50
# Then for each function name, check if it calls itself
```
### Step 2: Check for Depth Limits
```
grep -rn "maxDepth\|max_depth\|depthLimit\|depth_limit\|MAX_DEPTH" .
grep -rn "depth\s*>\|depth\s*>=\|depth\s*<\|depth\s*<=" .
grep -rn "recursion.*limit\|stack.*limit\|nesting.*limit" .
```
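What the Step 2 depth check looks like in code, next to the unbounded form it replaces. This is an added example, not code from this skill or from any audited library. `cloneUnbounded`, `cloneBounded`, `nest`, `outcome` and the `MAX_DEPTH` value of 64 are hypothetical names and settings chosen for illustration.

```javascript
// Added example: every name and the limit below are assumptions.
const MAX_DEPTH = 64; // assumed limit; pick one that fits the real data

// Unbounded: stack depth equals input nesting depth, so whoever supplies
// the input decides how deep the recursion goes.
function cloneUnbounded(value) {
  if (value === null || typeof value !== 'object') return value;
  if (Array.isArray(value)) return value.map((v) => cloneUnbounded(v));
  const out = {};
  for (const key of Object.keys(value)) out[key] = cloneUnbounded(value[key]);
  return out;
}

// Bounded: the depth counter is checked before descending, so oversized
// input is rejected with an ordinary Error long before the stack fills.
function cloneBounded(value, depth = 0) {
  if (value === null || typeof value !== 'object') return value;
  if (depth >= MAX_DEPTH) throw new Error(`nesting deeper than ${MAX_DEPTH}`);
  if (Array.isArray(value)) return value.map((v) => cloneBounded(v, depth + 1));
  const out = {};
  for (const key of Object.keys(value)) {
    out[key] = cloneBounded(value[key], depth + 1);
  }
  return out;
}

// Constructed sample input: {a:{a:{...{leaf:true}}}} built with a loop,
// so creating the input does not itself recurse.
function nest(levels) {
  let node = { leaf: true };
  for (let i = 0; i < levels; i++) node = { a: node };
  return node;
}

// Classify how fn behaves on input: 'ok', 'RangeError' (stack overflow,
// caught here only because this caller wraps the call), or 'rejected'.
function outcome(fn, input) {
  try {
    fn(input);
    return 'ok';
  } catch (err) {
    return err instanceof RangeError ? 'RangeError' : 'rejected';
  }
}

console.log(outcome(cloneUnbounded, nest(200000))); // stack overflow path
console.log(outcome(cloneBounded, nest(200000)));   // depth-limit path
```

The `try/catch` in `outcome` is what keeps the RangeError from ending the process, which is the "Only if uncaught" column of the table above.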
### Step 3: Test