Uncontrolled Resource Consumption
The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.
Limited resources include memory, file system storage, database connection pool entries, and CPU. If an attacker can trigger the allocation of these limited resources, but the number or size of the resources is not controlled, then the attacker could cause a denial of service.
Rozpowszechnienie
Wysoka
Często wykorzystywana
Wplyw
Średni
Zalecany przegląd
Zapobieganie
Udokumentowane
8 przykładów poprawek
2 Zapobieganie
2 Zapobieganie
Jak naprawić tę podatność
Strategie zapobiegania dla Resource Exhaustion oparte na 8 regułach detekcji Shoulder.
LLM Denial of Service
MEDIUM
Set MaxTokens limits, validate input length, and configure timeouts for LLM API calls
func handler(w http.ResponseWriter, r *http.Request) { var req ChatRequest json.NewDecoder(r.Body).Decode(&req) - resp, _ := client.CreateChatCompletion(ctx, openai.ChatCompletionRequest{ - Model: "gpt-4", - Messages: []openai.ChatCompletionMessage{{Content: req.Message}}, + + message := req.Message + if len(message) > 2000 { + message = message[:2000] + } + + ctx, cancel := context.WithTimeout(r.Context(), 30*time.Second) + defer cancel() + + resp, _ := client.CreateChatCompletion(ctx, openai.ChatCompletionRequest{ + Model: "gpt-4", + Messages: []openai.ChatCompletionMessage{{Content: message}}, + MaxTokens: 500, }) json.NewEncoder(w).Encode(resp) }
Missing Request Size Limits
MEDIUM
Use http.MaxBytesReader to limit request body size before reading
func handler(w http.ResponseWriter, r *http.Request) { - body, _ := io.ReadAll(r.Body) + r.Body = http.MaxBytesReader(w, r.Body, 10*1024*1024) + body, err := io.ReadAll(r.Body) + if err != nil { + http.Error(w, "Request too large", 413) + return + } process(body) }
Denial of Service via Resource Exhaustion
MEDIUM
Limit goroutines with semaphore, set HTTP timeouts, and validate allocation sizes
func process(items []string) { - for _, item := range items { - go func(i string) { + sem := make(chan struct{}, 100) + for _, item := range items { + sem <- struct{}{} + go func(i string) { + defer func() { <-sem }() expensiveOperation(i) }(item) } }
JavaScript
Zobacz wszystko JavaScript szczegóły →
LLM Denial of Service
MEDIUM
Set max_tokens limits and validate input length before LLM API calls
- const response = await openai.chat.completions.create({ - model: 'gpt-4', - messages: [{ role: 'user', content: req.body.message }] + const message = req.body.message.substring(0, 2000); + const response = await openai.chat.completions.create({ + model: 'gpt-4', + messages: [{ role: 'user', content: message }], + max_tokens: 500 });
Denial of Service via Unbounded Child Processes
MEDIUM
Configure timeout and maxBuffer for child process execution to prevent resource exhaustion
- const { stdout } = await execPromise(`ping -c 4 ${domain}`); + const { stdout } = await execPromise(`ping -c 4 ${domain}`, { + timeout: 5000, + maxBuffer: 1024 * 100 + });
Kubernetes
Zobacz wszystko Kubernetes szczegóły →
Missing Resource Limits
MEDIUM
Define CPU and memory resource limits to prevent resource exhaustion and denial of service
apiVersion: v1 kind: Pod spec: containers: - name: app image: nginx:1.25 - ports: - - containerPort: 80 + resources: + requests: + memory: "128Mi" + cpu: "250m" + limits: + memory: "256Mi" + cpu: "500m"
LLM Denial of Service
MEDIUM
Set max_tokens limits, validate input length, and configure timeouts for LLM API calls
- @app.route('/chat', methods=['POST']) - def chat(): - response = openai.chat.completions.create( - model='gpt-4', - messages=[{'role': 'user', 'content': request.json['message']}] + MAX_INPUT_LENGTH = 2000 + MAX_OUTPUT_TOKENS = 500 + + @app.route('/chat', methods=['POST']) + def chat(): + message = request.json['message'][:MAX_INPUT_LENGTH] + response = openai.chat.completions.create( + model='gpt-4', + messages=[{'role': 'user', 'content': message}], + max_tokens=MAX_OUTPUT_TOKENS, + timeout=30 ) return jsonify(response.choices[0].message.content)
Resource Exhaustion / Denial of Service
MEDIUM
Set size limits on file reads, bound loop iterations, and add timeouts
- from flask import request - - @app.route('/upload', methods=['POST']) - def upload(): - content = request.files['file'].read() + from flask import Flask, request + + app = Flask(__name__) + app.config['MAX_CONTENT_LENGTH'] = 10 * 1024 * 1024 # 10 MB + + @app.route('/upload', methods=['POST']) + def upload(): + content = request.files['file'].read(10 * 1024 * 1024) return process(content)
3 Wykrywanie
3 Wykrywanie
Znajdz podatnosci w swoim kodzie
Uzyj Shoulder do skanowania kodu w poszukiwaniu wzorcow Uncontrolled Resource Consumption. 8 reguly.
# Scan with Shoulder CLI npx @shoulderdev/cli trust --cwe=400 # Or scan entire project npx @shoulderdev/cli trust .
Reguly Wykrywania (8)
🐹
Go
3 rules
LLM Denial of Service
MEDIUM
Detects AI/LLM API calls lacking token limits or input validation that could enable denial of service.
Missing Request Size Limits
MEDIUM
Request body read without size limit using ioutil.ReadAll or io.ReadAll.
Denial of Service via Resource Exhaustion
MEDIUM
Unbounded goroutines, missing timeouts, or unchecked allocations from user input.
🟨
Javascript
2 rules
LLM Denial of Service
MEDIUM
Detects AI/LLM API calls that lack token limits, potentially enabling denial
of service attacks. OWASP LLM04 - Model Denial of Service.
DoS attacks against LLMs can:
- Exhaust API quotas through unbounded token generation
- Cause excessive costs via high token usage
- Degrade service availability
This rule detects:
- Missing max_tokens limits on completions
- Missing input length validation
- Unbounded streaming responses
NOTE: Rate limiting is covered separately by the Express rate-limiting
Denial of Service via Unbounded Child Processes
MEDIUM
Detects child process execution (exec, spawn) without proper resource limits.
Without timeout or maxBuffer configuration, these processes can:
- Hang indefinitely, consuming server resources
- Flood memory with unbounded output
- Enable DoS attacks through resource exhaustion
This is especially critical when the command can be influenced by user input
or interacts with external resources (network requests, git operations, etc.).
🔷
Typescript
2 rules
LLM Denial of Service
MEDIUM
Detects AI/LLM API calls that lack token limits, potentially enabling denial
of service attacks. OWASP LLM04 - Model Denial of Service.
DoS attacks against LLMs can:
- Exhaust API quotas through unbounded token generation
- Cause excessive costs via high token usage
- Degrade service availability
This rule detects:
- Missing max_tokens limits on completions
- Missing input length validation
- Unbounded streaming responses
NOTE: Rate limiting is covered separately by the Express rate-limiting
Denial of Service via Unbounded Child Processes
MEDIUM
Detects child process execution (exec, spawn) without proper resource limits.
Without timeout or maxBuffer configuration, these processes can:
- Hang indefinitely, consuming server resources
- Flood memory with unbounded output
- Enable DoS attacks through resource exhaustion
This is especially critical when the command can be influenced by user input
or interacts with external resources (network requests, git operations, etc.).
🐍
Python
2 rules
LLM Denial of Service
MEDIUM
Detects AI/LLM API calls that lack token limits, potentially enabling denial
of service attacks. OWASP LLM04 - Model Denial of Service.
DoS attacks against LLMs can:
- Exhaust API quotas through unbounded token generation
- Cause excessive costs via high token usage
- Degrade service availability
This rule detects:
- Missing max_tokens limits on completions
- Missing input length validation
NOTE: Rate limiting is covered separately by framework-specific rate-limiting rules.
Resource Exhaustion / Denial of Service
MEDIUM
Detects operations that can cause resource exhaustion: unbounded loops on user
input, reading entire large files into memory, recursive operations without
depth limits, or missing timeouts. These can lead to memory exhaustion or CPU
starvation (DoS).
4 Sygnaly Ostrzegawcze
4 Sygnaly Ostrzegawcze
Na co zwracac uwage podczas przegladu kodu
Te wzorce wskazuja na potencjalne podatnosci Uncontrolled Resource Consumption. Szukaj ich podczas przegladow kodu i audytow bezpieczenstwa.
LLM API call lacks resource limits
go-llm-denial-of-service
AI/LLM API calls lacking token limits or input validation that could enable denial of service
go-llm-denial-of-service
Unbounded resource usage can lead to DoS
go-resource-exhaustion
AI/LLM API calls that lack token limits, potentially enabling denial
of service attacks
javascript-llm-denial-of-service
child process execution (exec, spawn) without proper resource limits
javascript-unbounded-exec-dos
Container is missing resource limits.
kubernetes-missing-resource-limits
containers missing resource limits
kubernetes-missing-resource-limits
operations that can cause resource exhaustion: unbounded loops on user
input, reading entire large f
python-resource-exhaustion
Przeskanuj swój kod w poszukiwaniu Uncontrolled Resource Consumption
Shoulder CLI znajduje podatne wzorce w całym Twoim kodzie.