BÊTA Shoulder est en bêta — Les résultats peuvent parfois être incorrects. Vos retours façonnent ce que nous corrigeons ensuite. Donner mon avis
Shoulder.dev

Renseignement sur les Menaces pour Développeurs
💥

Uncontrolled Resource Consumption

🛡️ 8 règles détectent ceci

Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

Limited resources include memory, file system storage, database connection pool entries, and CPU. If an attacker can trigger the allocation of these limited resources, but the number or size of the resources is not controlled, then the attacker could cause a denial of service.

Prévalence
Élevée
Fréquemment exploitée
Impact
Moyen
Revue recommandée
Prévention
Documentée
8 exemples de correctifs
2 Prévention
2 Prévention

Comment corriger cette vulnérabilité

Stratégies de prévention pour Resource Exhaustion basées sur 8 règles de détection Shoulder.

🐹 Go Tout voir Go détails →
LLM Denial of Service MEDIUM

Set MaxTokens limits, validate input length, and configure timeouts for LLM API calls

+13 -3 go 
  func handler(w http.ResponseWriter, r *http.Request) {
      var req ChatRequest
      json.NewDecoder(r.Body).Decode(&req)
-     resp, _ := client.CreateChatCompletion(ctx, openai.ChatCompletionRequest{
-         Model:    "gpt-4",
-         Messages: []openai.ChatCompletionMessage{{Content: req.Message}},
+ 
+     message := req.Message
+     if len(message) > 2000 {
+         message = message[:2000]
+     }
+ 
+     ctx, cancel := context.WithTimeout(r.Context(), 30*time.Second)
+     defer cancel()
+ 
+     resp, _ := client.CreateChatCompletion(ctx, openai.ChatCompletionRequest{
+         Model:     "gpt-4",
+         Messages:  []openai.ChatCompletionMessage{{Content: message}},
+         MaxTokens: 500,
      })
      json.NewEncoder(w).Encode(resp)
  }
Missing Request Size Limits MEDIUM

Use http.MaxBytesReader to limit request body size before reading

+6 -1 go 
  func handler(w http.ResponseWriter, r *http.Request) {
-     body, _ := io.ReadAll(r.Body)
+     r.Body = http.MaxBytesReader(w, r.Body, 10*1024*1024)
+     body, err := io.ReadAll(r.Body)
+     if err != nil {
+         http.Error(w, "Request too large", 413)
+         return
+     }
      process(body)
  }
Denial of Service via Resource Exhaustion MEDIUM

Limit goroutines with semaphore, set HTTP timeouts, and validate allocation sizes

+5 -2 go 
  func process(items []string) {
-     for _, item := range items {
-         go func(i string) {
+     sem := make(chan struct{}, 100)
+     for _, item := range items {
+         sem <- struct{}{}
+         go func(i string) {
+             defer func() { <-sem }()
              expensiveOperation(i)
          }(item)
      }
  }
🟨 JavaScript Tout voir JavaScript détails →
LLM Denial of Service MEDIUM

Set max_tokens limits and validate input length before LLM API calls

+5 -3 javascript 
- const response = await openai.chat.completions.create({
-   model: 'gpt-4',
-   messages: [{ role: 'user', content: req.body.message }]
+ const message = req.body.message.substring(0, 2000);
+ const response = await openai.chat.completions.create({
+   model: 'gpt-4',
+   messages: [{ role: 'user', content: message }],
+   max_tokens: 500
  });
Denial of Service via Unbounded Child Processes MEDIUM

Configure timeout and maxBuffer for child process execution to prevent resource exhaustion

+4 -1 javascript 
- const { stdout } = await execPromise(`ping -c 4 ${domain}`);
+ const { stdout } = await execPromise(`ping -c 4 ${domain}`, {
+   timeout: 5000,
+   maxBuffer: 1024 * 100
+ });
☸️ Kubernetes Tout voir Kubernetes détails →
Missing Resource Limits MEDIUM

Define CPU and memory resource limits to prevent resource exhaustion and denial of service

+7 -2 yaml 
  apiVersion: v1
  kind: Pod
  spec:
    containers:
    - name: app
      image: nginx:1.25
-     ports:
-       - containerPort: 80
+     resources:
+       requests:
+         memory: "128Mi"
+         cpu: "250m"
+       limits:
+         memory: "256Mi"
+         cpu: "500m"
🐍 Python Tout voir Python détails →
LLM Denial of Service MEDIUM

Set max_tokens limits, validate input length, and configure timeouts for LLM API calls

+11 -5 python 
- @app.route('/chat', methods=['POST'])
- def chat():
-     response = openai.chat.completions.create(
-         model='gpt-4',
-         messages=[{'role': 'user', 'content': request.json['message']}]
+ MAX_INPUT_LENGTH = 2000
+ MAX_OUTPUT_TOKENS = 500
+ 
+ @app.route('/chat', methods=['POST'])
+ def chat():
+     message = request.json['message'][:MAX_INPUT_LENGTH]
+     response = openai.chat.completions.create(
+         model='gpt-4',
+         messages=[{'role': 'user', 'content': message}],
+         max_tokens=MAX_OUTPUT_TOKENS,
+         timeout=30
      )
      return jsonify(response.choices[0].message.content)
Resource Exhaustion / Denial of Service MEDIUM

Set size limits on file reads, bound loop iterations, and add timeouts

+8 -5 python 
- from flask import request
- 
- @app.route('/upload', methods=['POST'])
- def upload():
-     content = request.files['file'].read()
+ from flask import Flask, request
+ 
+ app = Flask(__name__)
+ app.config['MAX_CONTENT_LENGTH'] = 10 * 1024 * 1024  # 10 MB
+ 
+ @app.route('/upload', methods=['POST'])
+ def upload():
+     content = request.files['file'].read(10 * 1024 * 1024)
      return process(content)
3 Détection
3 Détection

Trouvez les vulnérabilités dans votre code

Utilisez Shoulder pour scanner votre code à la recherche de patterns Uncontrolled Resource Consumption. 8 règles.

terminal
# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=400

# Or scan entire project
npx @shoulderdev/cli trust .

Règles de Détection (8)

4 Signes d'Alerte
4 Signes d'Alerte

Ce qu'il faut surveiller lors des revues de code

Ces patterns indiquent des vulnérabilités potentielles Uncontrolled Resource Consumption. Recherchez-les lors des revues de code et des audits de sécurité.

🟡
LLM API call lacks resource limits go-llm-denial-of-service
🟡
AI/LLM API calls lacking token limits or input validation that could enable denial of service go-llm-denial-of-service
🟡
Unbounded resource usage can lead to DoS go-resource-exhaustion
🟡
AI/LLM API calls that lack token limits, potentially enabling denial of service attacks javascript-llm-denial-of-service
🟡
child process execution (exec, spawn) without proper resource limits javascript-unbounded-exec-dos
🟡
Container is missing resource limits. kubernetes-missing-resource-limits
🟡
containers missing resource limits kubernetes-missing-resource-limits
🟡
operations that can cause resource exhaustion: unbounded loops on user input, reading entire large f python-resource-exhaustion
🔍

Scannez votre base de code pour Uncontrolled Resource Consumption

Shoulder CLI trouve les motifs vulnérables dans toute votre base de code.

npx shoulder trust Parcourir toutes les règles