# Allocation of Resources Without Limits or Throttling (CWE-770)

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated.

**Stack:** JavaScript
- Prevalence: High (frequently exploited)
- Impact: Medium (review recommended)
- Prevention: Documented (3 remediation examples)

**OWASP:** Security Misconfiguration (A05:2021-Security Misconfiguration) - #5

## Description

Without limits on resource allocation, an attacker can consume all available resources, causing denial of service for legitimate users. For the JavaScript cases covered here the resources are process memory (buffering oversized request bodies, holding large result sets) and database capacity (loading unbounded relations), and the attacker needs nothing more than a large request or an account with many related records.

## Prevention

Prevention strategies for Allocation Without Limits, based on 2 Shoulder detection rules.

### JavaScript

- Set size limits on body parser middleware to prevent memory exhaustion.
- Add `take` limits to all relation includes to prevent unbounded data loading and resource exhaustion.

## Warning Signs

- [MEDIUM] Body parser without size limit: ... Without request size limits, attackers can send oversized payloads causing memory exhaustion.
- [MEDIUM] Missing or inadequate request size limits in Express.
- [MEDIUM] Relation '...' loaded without `take` limit. This can cause resource exhaustion if users have many related records.

## Consequences

- DoS: resource consumption
- DoS: crash / exit / restart

## Mitigations

- Implement rate limiting for all resource allocations.
- Set maximum sizes for resource pools.
- Monitor resource usage and set up alerts.

## Detection

- Total rules: 3
- Languages: javascript, typescript, python

## Rules by Language

### Javascript (2 rules)

- **Request Size Limits in Express.js** [MEDIUM]: Detects missing or inadequate request size limits in Express.js applications. Without request size limits:
  1. Attackers can send large payloads to exhaust server memory (DoS)
  2. Disk space can be filled with uploaded content
  3. JSON parsing of large payloads blocks the event loop
  4. Server resources can be exhausted processing oversized requests

  Different content types need different limits:
  - JSON payloads are more dangerous (`JSON.parse` is synchronous, so a large body blocks the event loop for every other request)
  - File uploads may legitimately need a larger limit

  Remediation: add size limits to body parser middleware:

  ```javascript
  // For JSON
  app.use(express.json({ limit: '100kb' }));
  // For forms
  app.use(express.urlencoded({ extended: true, limit: '100kb' }));
  // For raw data
  app.use(express.raw({ limit: '1mb' }));
  ```

  Choose appropriate limits based on your API requirements. Each parser enforces only its own limit, so a file-upload route that bypasses `express.json` still needs a limit on the middleware that handles it, and a route that genuinely needs a large body should get its own parser with its own limit rather than raising the application-wide one.

- **Prisma Unbounded Relation Loading** [MEDIUM]: Unbounded includes without `take` limits can exhaust database and memory resources, causing denial of service. A query such as `include: { posts: true }` loads every related row, so the cost is decided by whichever user has the most records, not by the developer.

  Remediation: add `take` limits to all relation includes, with an `orderBy` so the subset returned is deterministic.

  ```typescript
  const user = await prisma.user.findUnique({
    where: { id: userId },
    include: {
      posts: {
        take: 10,
        orderBy: { createdAt: 'desc' }
      }
    }
  });
  ```

  Learn more: https://shoulder.dev/learn/typescript/cwe-770/unsafe-include

### Typescript (2 rules)

The same two rules, **Request Size Limits in Express.js** [MEDIUM] and **Prisma Unbounded Relation Loading** [MEDIUM], apply unchanged to TypeScript code; their descriptions and remediations are those given under Javascript above.

Learn more: https://shoulder.dev/learn/typescript/cwe-770/unsafe-include