# Uncontrolled Resource Consumption (CWE-400)

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

**Stack:** Go

- Prevalence: High (frequently exploited)
- Impact: Medium (review recommended)
- Prevention: Documented (8 fix examples)

**OWASP:** Security Misconfiguration (A05:2021-Security Misconfiguration) - #5

## Description

Limited resources include memory, file system storage, database connection pool entries, and CPU. If an attacker can trigger the allocation of these limited resources, but the number or size of the resources is not controlled, then the attacker could cause a denial of service.

## Prevention

Prevention strategies for resource exhaustion, based on 3 Shoulder detection rules.

### Go

- Set MaxTokens limits, validate input length, and configure timeouts for LLM API calls
- Use http.MaxBytesReader to limit request body size before reading
- Limit goroutines with a semaphore, set HTTP timeouts, and validate allocation sizes

## Warning Signs

- [MEDIUM] LLM API call lacks resource limits
- [MEDIUM] AI/LLM API calls lacking token limits or input validation that could enable denial of service
- [MEDIUM] Unbounded resource usage can lead to DoS

## Consequences

- DoS: resource consumption
- DoS: crash, exit, or restart

## Mitigations

- Implement rate limiting
- Use resource quotas
- Introduce timeouts for operations

## Detection

- Total rules: 8
- Languages: go, javascript, typescript, yaml, python

## Rules by Language

### Go (3 rules)

- **LLM Denial of Service** [MEDIUM]: Detects AI/LLM API calls lacking token limits or input validation that could enable denial of service.
  - Remediation: Set MaxTokens to limit response size and validate input length.
  ```go
  // Cap the generated output with MaxTokens and check the error instead of
  // discarding it (go-openai client; Model and Messages are required by the API).
  resp, err := client.CreateChatCompletion(ctx, openai.ChatCompletionRequest{
      Model:     openai.GPT3Dot5Turbo,
      Messages:  []openai.ChatCompletionMessage{{Role: openai.ChatMessageRoleUser, Content: prompt}},
      MaxTokens: 500, // upper bound on response tokens; size it to the use case
  })
  if err != nil {
      return err
  }
  ```

  Learn more: https://shoulder.dev/learn/go/cwe-400/llm-denial-of-service

- **Missing Request Size Limits** [MEDIUM]: Request body read without size limit using ioutil.ReadAll or io.ReadAll.
  - Remediation: Use http.MaxBytesReader to limit request body size before reading.

  ```go
  import (
      "errors"
      "io"
      "net/http"
  )

  func handler(w http.ResponseWriter, r *http.Request) {
      // Wrap the body before the first read so the server stops at the cap
      // instead of buffering an attacker-sized payload; 10 MB is an example limit.
      r.Body = http.MaxBytesReader(w, r.Body, 10*1024*1024) // 10 MB
      body, err := io.ReadAll(r.Body)
      if err != nil {
          var tooLarge *http.MaxBytesError // returned once the cap is exceeded (Go 1.19+)
          if errors.As(err, &tooLarge) {
              http.Error(w, "Request too large", http.StatusRequestEntityTooLarge)
              return
          }
          http.Error(w, "Bad request", http.StatusBadRequest)
          return
      }
      _ = body // handle the bounded payload
  }
  ```

  Learn more: https://shoulder.dev/learn/go/cwe-400/request-size-limits

- **Denial of Service via Resource Exhaustion** [MEDIUM]: Unbounded goroutines, missing timeouts, or unchecked allocations from user input.
  - Remediation: Use a worker pool with a semaphore to limit concurrent goroutines.

  ```go
  // A buffered channel acts as the semaphore; without it len(items) goroutines
  // start at once. Requires "sync" for the WaitGroup that waits for completion.
  sem := make(chan struct{}, 100) // limit to 100 concurrent
  var wg sync.WaitGroup
  for _, item := range items {
      sem <- struct{}{} // blocks once 100 workers are in flight
      wg.Add(1)
      go func(i Item) {
          defer wg.Done()
          defer func() { <-sem }() // release the slot
          process(i)
      }(item)
  }
  wg.Wait()
  ```

  Learn more: https://shoulder.dev/learn/go/cwe-400/resource-exhaustion
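The three controls the **LLM Denial of Service** rule asks for (validate input length, cap MaxTokens, bound the call with a timeout) put together in one guard, as an added example that is not part of the Shoulder rule or of any SDK. `CompletionRequest`, `Completer` and `stubClient` are local stand-ins so the code runs offline; the real call would go through a client such as go-openai's `CreateChatCompletion`. The prompt cap of 4000 runes, the 500-token response cap, the 30-second timeout and the model name are assumptions for illustration.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
	"unicode/utf8"
)

// CompletionRequest is a local stand-in for an SDK request type such as
// go-openai's ChatCompletionRequest; only the fields the guard touches exist.
type CompletionRequest struct {
	Model     string
	Prompt    string
	MaxTokens int
}

// Completer is the minimal client surface the guard depends on, so the
// example runs against a stub instead of a paid, network-bound API.
type Completer interface {
	Complete(ctx context.Context, req CompletionRequest) (string, error)
}

// Limits are assumptions for this example; tune them to the model and budget.
const (
	maxPromptRunes  = 4000             // reject oversized input before it is sent
	maxOutputTokens = 500              // the MaxTokens value the rule's fix uses
	callTimeout     = 30 * time.Second // never wait on the provider indefinitely
)

var ErrPromptTooLong = errors.New("prompt exceeds maximum length")

// GuardedComplete applies the three controls from the rule: validate input
// length, cap the response with MaxTokens, and bound wall-clock time.
func GuardedComplete(ctx context.Context, c Completer, prompt string) (string, error) {
	if prompt == "" {
		return "", errors.New("empty prompt")
	}
	if utf8.RuneCountInString(prompt) > maxPromptRunes {
		return "", ErrPromptTooLong
	}
	// A caller-supplied deadline that is shorter than callTimeout still wins.
	ctx, cancel := context.WithTimeout(ctx, callTimeout)
	defer cancel()
	return c.Complete(ctx, CompletionRequest{
		Model:     "example-model", // assumed model name
		Prompt:    prompt,
		MaxTokens: maxOutputTokens,
	})
}

// stubClient simulates a provider that answers after latency or honours
// cancellation; it records the last request so the limits can be checked.
type stubClient struct {
	latency time.Duration
	last    CompletionRequest
}

func (s *stubClient) Complete(ctx context.Context, req CompletionRequest) (string, error) {
	s.last = req
	select {
	case <-time.After(s.latency):
		return fmt.Sprintf("reply capped at %d tokens", req.MaxTokens), nil
	case <-ctx.Done():
		return "", ctx.Err()
	}
}

func main() {
	c := &stubClient{latency: time.Millisecond}
	out, err := GuardedComplete(context.Background(), c, "Summarise the incident report.")
	fmt.Println(out, err)

	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Millisecond)
	defer cancel()
	_, err = GuardedComplete(ctx, &stubClient{latency: time.Second}, "slow provider")
	fmt.Println("slow provider:", err)
}
```

Counting runes rather than bytes keeps the check honest for non-ASCII input; if you bill by tokens, replace the rune count with the provider's tokenizer and keep the same early return.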
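The **Missing Request Size Limits** rule worked into a runnable handler, as an added example rather than the page's own code: it distinguishes the `*http.MaxBytesError` that `http.MaxBytesReader` returns (Go 1.19 and later) from other read failures, wires the handler into an `http.Server` with the read, write and idle timeouts that stop slow clients from holding connections open, and exercises it in-process with `httptest`. The 1 MiB cap, the `/upload` path, the listen address and the timeout values are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// maxBodyBytes caps what a single request may send; 1 MiB is an assumed
// limit for this example, size it from the payloads you actually accept.
const maxBodyBytes = 1 << 20

// limitedHandler reads the body through http.MaxBytesReader so an oversized
// request fails at the cap instead of being buffered in full.
func limitedHandler(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, maxBodyBytes)
	body, err := io.ReadAll(r.Body)
	if err != nil {
		var tooBig *http.MaxBytesError // set only when the limit was exceeded
		if errors.As(err, &tooBig) {
			http.Error(w, fmt.Sprintf("body exceeds %d bytes", tooBig.Limit), http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "bad request", http.StatusBadRequest) // truncated or broken body
		return
	}
	fmt.Fprintf(w, "read %d bytes\n", len(body))
}

// newServer attaches the handler to a server whose timeouts bound how long a
// client may take to send headers, send the body, read the response, or idle.
func newServer(addr string) *http.Server {
	return &http.Server{
		Addr:              addr,
		Handler:           http.HandlerFunc(limitedHandler),
		ReadHeaderTimeout: 5 * time.Second,
		ReadTimeout:       15 * time.Second,
		WriteTimeout:      30 * time.Second,
		IdleTimeout:       60 * time.Second,
		MaxHeaderBytes:    64 << 10,
	}
}

// post drives the handler in-process with a constructed body of n bytes and
// returns the status code, so the behaviour can be checked without a network.
func post(n int) int {
	req := httptest.NewRequest(http.MethodPost, "/upload", strings.NewReader(strings.Repeat("a", n)))
	rec := httptest.NewRecorder()
	limitedHandler(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("small body:", post(1024))
	fmt.Println("body at limit:", post(maxBodyBytes))
	fmt.Println("oversized body:", post(maxBodyBytes+1))
	srv := newServer(":8080")
	fmt.Println("server ready on", srv.Addr, "with ReadHeaderTimeout", srv.ReadHeaderTimeout)
}
```

`MaxBytesReader` also tells the server to close the connection after the limit is hit, so the client cannot keep streaming; the server-level timeouts cover the case where a client sends nothing at all. Wrap the body before any `ReadAll`, `Decode` or `ParseMultipartForm` call, not after.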
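The **Denial of Service via Resource Exhaustion** rule names three defects: unbounded goroutines, missing timeouts, and unchecked allocations from user input. The added example below (not the page's or the Shoulder project's own code) covers all three in one batch processor: a buffered-channel semaphore plus `sync.WaitGroup` bound the workers, a `context` deadline stops launching work and cuts off stalled workers, and `parseChunkSize` validates a caller-chosen size before it reaches `make`. The caps of 8 concurrent workers and 1 MiB per allocation, the worker sleep, and the timeouts are assumptions for illustration.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"strconv"
	"sync"
	"time"
)

// Caps are assumptions for this example; derive real values from load tests.
const (
	maxConcurrent = 8       // goroutines in flight per batch
	maxChunkBytes = 1 << 20 // largest caller-chosen buffer we will allocate
)

var ErrChunkTooLarge = errors.New("requested chunk size too large")

// parseChunkSize validates an untrusted size before it reaches make();
// without the cap a single request could ask for gigabytes.
func parseChunkSize(raw string) (int, error) {
	n, err := strconv.Atoi(raw)
	if err != nil || n <= 0 {
		return 0, fmt.Errorf("invalid chunk size %q", raw)
	}
	if n > maxChunkBytes {
		return 0, ErrChunkTooLarge
	}
	return n, nil
}

// processBatch runs work for every item with at most maxConcurrent goroutines
// alive, stops launching once ctx expires, and reports how many completed.
func processBatch(ctx context.Context, items []string, work func(context.Context, string) error) (int, error) {
	sem := make(chan struct{}, maxConcurrent) // buffered channel as semaphore
	var wg sync.WaitGroup
	var mu sync.Mutex
	var firstErr error
	done := 0
	for _, item := range items {
		select {
		case sem <- struct{}{}: // acquire a slot; blocks when all are taken
		case <-ctx.Done(): // deadline passed while waiting: stop launching
			wg.Wait()
			return done, ctx.Err()
		}
		wg.Add(1)
		go func(it string) {
			defer wg.Done()
			defer func() { <-sem }() // release the slot
			err := work(ctx, it)
			mu.Lock()
			defer mu.Unlock()
			if err != nil {
				if firstErr == nil {
					firstErr = err
				}
				return
			}
			done++
		}(item)
	}
	wg.Wait()
	return done, firstErr
}

// peakConcurrency processes n constructed items with an instrumented worker and
// returns (completed, highest number of simultaneous workers observed, error).
func peakConcurrency(n int) (int, int, error) {
	var mu sync.Mutex
	inflight, peak := 0, 0
	work := func(_ context.Context, _ string) error {
		mu.Lock()
		if inflight++; inflight > peak {
			peak = inflight
		}
		mu.Unlock()
		time.Sleep(2 * time.Millisecond) // stand-in for real work
		mu.Lock()
		inflight--
		mu.Unlock()
		return nil
	}
	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
	defer cancel()
	done, err := processBatch(ctx, make([]string, n), work)
	return done, peak, err
}

// stalledBatch shows the timeout path: workers that never return on their
// own are cut off by the context instead of blocking the caller forever.
func stalledBatch() (int, error) {
	ctx, cancel := context.WithTimeout(context.Background(), 20*time.Millisecond)
	defer cancel()
	return processBatch(ctx, make([]string, 50), func(ctx context.Context, _ string) error {
		<-ctx.Done()
		return ctx.Err()
	})
}

func main() {
	done, peak, err := peakConcurrency(200)
	fmt.Println("completed:", done, "peak workers:", peak, "err:", err)
	done, err = stalledBatch()
	fmt.Println("stalled batch completed:", done, "err:", err)
}
```

The semaphore only helps if `work` honours the context it is given; a worker that ignores `ctx` still holds its slot until it finishes, so pass the context through to every blocking call (HTTP, database, subprocess) inside it.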