# Uncontrolled Resource Consumption (CWE-400)

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

**Stack:** Go

- Prevalence: 높음 자주 악용됨
- Impact: 보통 검토 권장
- Prevention: 문서화됨 8개의 수정 예시

**OWASP:** Security Misconfiguration (A05:2021-Security Misconfiguration) - #5

## Description

Limited resources include memory, file system storage, database connection pool entries, and CPU. If an attacker can trigger the allocation of these limited resources, but the number or size of the resources is not controlled, then the attacker could cause a denial of service.

## Prevention

3개의 Shoulder 탐지 규칙을 기반으로 한 Resource Exhaustion 예방 전략.

### Go

Set MaxTokens limits, validate input length, and configure timeouts for LLM API calls

Use http.MaxBytesReader to limit request body size before reading

Limit goroutines with semaphore, set HTTP timeouts, and validate allocation sizes

## Warning Signs

- [MEDIUM] LLM API call lacks resource limits
- [MEDIUM] AI/LLM API calls lacking token limits or input validation that could enable denial of service
- [MEDIUM] Unbounded resource usage can lead to DoS

## Consequences

- DoS: 리소스 소비
- DoS: 충돌/종료/재시작

## Mitigations

- 속도 제한(rate limiting)을 구현하세요
- 리소스 쿼터를 사용하세요
- 작업에 타임아웃을 설정하세요

## Detection

- Total rules: 8
- Languages: go, javascript, typescript, yaml, python

## Rules by Language

### Go (3 rules)

- **LLM Denial of Service** [MEDIUM]: Detects AI/LLM API calls lacking token limits or input validation that could enable denial of service.
  - Remediation: Set MaxTokens to limit response size and validate input length.

```go
resp, _ := client.CreateChatCompletion(ctx, openai.ChatCompletionRequest{
    MaxTokens: 500,
})
```

Learn more: https://shoulder.dev/learn/go/cwe-400/llm-denial-of-service
- **Missing Request Size Limits** [MEDIUM]: Request body read without size limit using ioutil.ReadAll or io.ReadAll.
  - Remediation: Use http.MaxBytesReader to limit request body size before reading.

```go
func handler(w http.ResponseWriter, r *http.Request) {
    r.Body = http.MaxBytesReader(w, r.Body, 10*1024*1024) // 10 MB
    body, err := io.ReadAll(r.Body)
    if err != nil {
        http.Error(w, "Request too large", http.StatusRequestEntityTooLarge)
        return
    }
}
```

Learn more: https://shoulder.dev/learn/go/cwe-400/request-size-limits
- **Denial of Service via Resource Exhaustion** [MEDIUM]: Unbounded goroutines, missing timeouts, or unchecked allocations from user input.
  - Remediation: Use a worker pool with semaphore to limit concurrent goroutines.

```go
sem := make(chan struct{}, 100) // limit to 100 concurrent
for _, item := range items {
    sem <- struct{}{}
    go func(i Item) {
        defer func() { <-sem }()
        process(i)
    }(item)
}
```

Learn more: https://shoulder.dev/learn/go/cwe-400/resource-exhaustion