BETA Shoulder está en beta — Los hallazgos a veces pueden ser incorrectos. Tu feedback da forma a lo que arreglamos a continuación. Compartir comentarios
Shoulder.dev

Inteligencia de Amenazas para Desarrolladores
💥

Uncontrolled Resource Consumption

🛡️ 8 reglas detectan esto

Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

Limited resources include memory, file system storage, database connection pool entries, and CPU. If an attacker can trigger the allocation of these limited resources, but the number or size of the resources is not controlled, then the attacker could cause a denial of service.

Prevalencia
Alta
Frecuentemente explotada
Impacto
Medio
Se recomienda revisión
Prevención
Documentada
8 ejemplos de corrección
2 Prevención
2 Prevención

Cómo corregir esta vulnerabilidad

Estrategias de prevención para Resource Exhaustion basadas en 8 reglas de detección de Shoulder.

🐹 Go Ver todo Go detalles →
LLM Denial of Service MEDIUM

Set MaxTokens limits, validate input length, and configure timeouts for LLM API calls

+13 -3 go 
  func handler(w http.ResponseWriter, r *http.Request) {
      var req ChatRequest
      json.NewDecoder(r.Body).Decode(&req)
-     resp, _ := client.CreateChatCompletion(ctx, openai.ChatCompletionRequest{
-         Model:    "gpt-4",
-         Messages: []openai.ChatCompletionMessage{{Content: req.Message}},
+ 
+     message := req.Message
+     if len(message) > 2000 {
+         message = message[:2000]
+     }
+ 
+     ctx, cancel := context.WithTimeout(r.Context(), 30*time.Second)
+     defer cancel()
+ 
+     resp, _ := client.CreateChatCompletion(ctx, openai.ChatCompletionRequest{
+         Model:     "gpt-4",
+         Messages:  []openai.ChatCompletionMessage{{Content: message}},
+         MaxTokens: 500,
      })
      json.NewEncoder(w).Encode(resp)
  }
Missing Request Size Limits MEDIUM

Use http.MaxBytesReader to limit request body size before reading

+6 -1 go 
  func handler(w http.ResponseWriter, r *http.Request) {
-     body, _ := io.ReadAll(r.Body)
+     r.Body = http.MaxBytesReader(w, r.Body, 10*1024*1024)
+     body, err := io.ReadAll(r.Body)
+     if err != nil {
+         http.Error(w, "Request too large", 413)
+         return
+     }
      process(body)
  }
Denial of Service via Resource Exhaustion MEDIUM

Limit goroutines with semaphore, set HTTP timeouts, and validate allocation sizes

+5 -2 go 
  func process(items []string) {
-     for _, item := range items {
-         go func(i string) {
+     sem := make(chan struct{}, 100)
+     for _, item := range items {
+         sem <- struct{}{}
+         go func(i string) {
+             defer func() { <-sem }()
              expensiveOperation(i)
          }(item)
      }
  }
🟨 JavaScript Ver todo JavaScript detalles →
LLM Denial of Service MEDIUM

Set max_tokens limits and validate input length before LLM API calls

+5 -3 javascript 
- const response = await openai.chat.completions.create({
-   model: 'gpt-4',
-   messages: [{ role: 'user', content: req.body.message }]
+ const message = req.body.message.substring(0, 2000);
+ const response = await openai.chat.completions.create({
+   model: 'gpt-4',
+   messages: [{ role: 'user', content: message }],
+   max_tokens: 500
  });
Denial of Service via Unbounded Child Processes MEDIUM

Configure timeout and maxBuffer for child process execution to prevent resource exhaustion

+4 -1 javascript 
- const { stdout } = await execPromise(`ping -c 4 ${domain}`);
+ const { stdout } = await execPromise(`ping -c 4 ${domain}`, {
+   timeout: 5000,
+   maxBuffer: 1024 * 100
+ });
☸️ Kubernetes Ver todo Kubernetes detalles →
Missing Resource Limits MEDIUM

Define CPU and memory resource limits to prevent resource exhaustion and denial of service

+7 -2 yaml 
  apiVersion: v1
  kind: Pod
  spec:
    containers:
    - name: app
      image: nginx:1.25
-     ports:
-       - containerPort: 80
+     resources:
+       requests:
+         memory: "128Mi"
+         cpu: "250m"
+       limits:
+         memory: "256Mi"
+         cpu: "500m"
🐍 Python Ver todo Python detalles →
LLM Denial of Service MEDIUM

Set max_tokens limits, validate input length, and configure timeouts for LLM API calls

+11 -5 python 
- @app.route('/chat', methods=['POST'])
- def chat():
-     response = openai.chat.completions.create(
-         model='gpt-4',
-         messages=[{'role': 'user', 'content': request.json['message']}]
+ MAX_INPUT_LENGTH = 2000
+ MAX_OUTPUT_TOKENS = 500
+ 
+ @app.route('/chat', methods=['POST'])
+ def chat():
+     message = request.json['message'][:MAX_INPUT_LENGTH]
+     response = openai.chat.completions.create(
+         model='gpt-4',
+         messages=[{'role': 'user', 'content': message}],
+         max_tokens=MAX_OUTPUT_TOKENS,
+         timeout=30
      )
      return jsonify(response.choices[0].message.content)
Resource Exhaustion / Denial of Service MEDIUM

Set size limits on file reads, bound loop iterations, and add timeouts

+8 -5 python 
- from flask import request
- 
- @app.route('/upload', methods=['POST'])
- def upload():
-     content = request.files['file'].read()
+ from flask import Flask, request
+ 
+ app = Flask(__name__)
+ app.config['MAX_CONTENT_LENGTH'] = 10 * 1024 * 1024  # 10 MB
+ 
+ @app.route('/upload', methods=['POST'])
+ def upload():
+     content = request.files['file'].read(10 * 1024 * 1024)
      return process(content)
3 Detección
3 Detección

Encuentra vulnerabilidades en tu código

Usa Shoulder para escanear tu código en busca de patrones Uncontrolled Resource Consumption. 8 reglas.

terminal
# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=400

# Or scan entire project
npx @shoulderdev/cli trust .

Reglas de Detección (8)

4 Señales de Alerta
4 Señales de Alerta

Qué buscar en las revisiones de código

Estos patrones indican vulnerabilidades potenciales de Uncontrolled Resource Consumption. Búscalos durante las revisiones de código y auditorías de seguridad.

🟡
LLM API call lacks resource limits go-llm-denial-of-service
🟡
AI/LLM API calls lacking token limits or input validation that could enable denial of service go-llm-denial-of-service
🟡
Unbounded resource usage can lead to DoS go-resource-exhaustion
🟡
AI/LLM API calls that lack token limits, potentially enabling denial of service attacks javascript-llm-denial-of-service
🟡
child process execution (exec, spawn) without proper resource limits javascript-unbounded-exec-dos
🟡
Container is missing resource limits. kubernetes-missing-resource-limits
🟡
containers missing resource limits kubernetes-missing-resource-limits
🟡
operations that can cause resource exhaustion: unbounded loops on user input, reading entire large f python-resource-exhaustion
🔍

Escanea tu base de código para Uncontrolled Resource Consumption

Shoulder CLI encuentra patrones vulnerables en toda tu base de código.

npx shoulder trust Ver todas las reglas