# Allocation of Resources Without Limits or Throttling (CWE-770)

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated.

**Stack:** Python

- Prevalence: High (frequently exploited)
- Impact: Medium (review recommended)
- Prevention: Documented (3 fix examples)

**OWASP:** Security Misconfiguration (A05:2021-Security Misconfiguration) - #5

## Description

Without limits on resource allocation, an attacker can consume all available resources, causing denial of service for legitimate users.

## Prevention

Prevention strategies for Allocation Without Limits, based on 1 Shoulder detection rule.

### Python

Add rate limiting to authentication and expensive API endpoints.

## Warning Signs

- [MEDIUM] API endpoint lacks rate limiting protection
- [MEDIUM] API endpoints without rate limiting

## Consequences

- DoS: Resource Consumption
- DoS: Crash, Exit, or Restart

## Mitigations

- Implement rate limiting for all resource allocations
- Set maximum limits on resource pools
- Monitor resource usage and implement alerting

## Detection

- Total rules: 3
- Languages: javascript, typescript, python

## Rules by Language

### Python (1 rule)

- **Missing API Rate Limiting** [MEDIUM]: Detects API endpoints without rate limiting. Unprotected endpoints are vulnerable to brute force attacks, credential stuffing, and denial of service. Always implement rate limiting on authentication, expensive operations, and public APIs.
  - Remediation: Add a rate limiting decorator to authentication and expensive endpoints.

```python
from flask import Flask, jsonify, request
from flask_limiter import Limiter
from flask_limiter.util import get_remote_address

app = Flask(__name__)
# Key each request by client IP so every source gets its own budget
limiter = Limiter(app=app, key_func=get_remote_address)

@app.route('/api/login', methods=['POST'])
@limiter.limit("5 per minute")  # the 6th attempt within a minute is answered with HTTP 429
def login():
    # authenticate() and generate_token() are the application's own helpers
    user = authenticate(request.json)
    return jsonify({'token': generate_token(user)})
```

Learn more: https://shoulder.dev/learn/python/cwe-770/missing-rate-limiting
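The Flask-Limiter decorator above hides the two controls this CWE actually asks for: a per-client budget over a time window, and a hard cap on how many resources can be held at once. The following is an added example, not Shoulder's code and not part of the rule above; it implements both in plain Python with no framework so the behaviour can be observed directly. The limit of 5 per 60 seconds mirrors the rule's "5 per minute"; the client IP, the `login` stand-in and the `FakeClock` are constructed for the demonstration.

```python
"""Added example (not Shoulder's code): a per-key sliding-window rate limiter
and a bounded resource pool, the two CWE-770 mitigations listed on this page."""
import threading
import time
from collections import deque
from typing import Callable, Deque, Dict


class RateLimitExceeded(Exception):
    """Raised when a key has used up its request budget for the window."""


class SlidingWindowLimiter:
    """Allow at most `limit` calls per `window` seconds for each key.

    The clock is injectable (defaults to time.monotonic) so the limiter can be
    tested deterministically without sleeping.
    """

    def __init__(self, limit: int, window: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.limit = limit
        self.window = window
        self._clock = clock
        self._lock = threading.Lock()
        self._hits: Dict[str, Deque[float]] = {}

    def allow(self, key: str) -> bool:
        """Record one request for `key`; return False if it is over budget."""
        now = self._clock()
        with self._lock:
            hits = self._hits.setdefault(key, deque())
            # Evict timestamps that have aged out of the window
            while hits and now - hits[0] >= self.window:
                hits.popleft()
            if len(hits) >= self.limit:
                return False
            hits.append(now)
            return True

    def limit_calls(self, key_func: Callable[..., str]):
        """Decorator: raise RateLimitExceeded instead of running the function."""
        def decorator(fn):
            def wrapper(*args, **kwargs):
                key = key_func(*args, **kwargs)
                if not self.allow(key):
                    raise RateLimitExceeded(f"rate limit exceeded for {key}")
                return fn(*args, **kwargs)
            return wrapper
        return decorator


class BoundedPool:
    """Hand out at most `capacity` resources at once; extra requests are
    refused immediately rather than queued without bound."""

    def __init__(self, capacity: int) -> None:
        self.capacity = capacity
        self._slots = threading.BoundedSemaphore(capacity)

    def acquire(self) -> bool:
        # Non-blocking: a caller that cannot get a slot is told so at once
        return self._slots.acquire(blocking=False)

    def release(self) -> None:
        self._slots.release()


class FakeClock:
    """Deterministic clock for the demonstration and its test (constructed)."""
    def __init__(self, start: float = 1000.0) -> None:
        self.t = start

    def __call__(self) -> float:
        return self.t


def simulate_login_burst(attempts: int, limit: int = 5, window: float = 60.0):
    """Fire `attempts` login calls from one IP, one second apart, and return
    (accepted, rejected). With the defaults this mirrors the '5 per minute' rule."""
    clock = FakeClock()
    limiter = SlidingWindowLimiter(limit, window, clock)

    @limiter.limit_calls(key_func=lambda ip, creds: ip)
    def login(ip: str, creds: dict) -> str:
        return "token-for-" + creds["user"]  # stand-in for real authentication

    accepted = rejected = 0
    for _ in range(attempts):
        try:
            login("198.51.100.7", {"user": "alice", "pw": "x"})  # constructed client
            accepted += 1
        except RateLimitExceeded:
            rejected += 1
        clock.t += 1.0  # all attempts stay inside a single 60 s window
    return accepted, rejected


def simulate_pool_pressure(capacity: int, requests: int):
    """Try to check out `requests` resources from a pool of `capacity`;
    return (granted, refused)."""
    pool = BoundedPool(capacity)
    granted = sum(1 for _ in range(requests) if pool.acquire())
    return granted, requests - granted


if __name__ == "__main__":
    print("login burst (accepted, rejected):", simulate_login_burst(20))
    print("pool pressure (granted, refused):", simulate_pool_pressure(4, 10))
```

The limiter keys on whatever `key_func` returns, so the same class can budget per IP, per account or per API key; the non-blocking pool refuses excess work immediately, which is the behaviour that keeps an exhausted pool from turning into an unbounded queue of waiting requests.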