# Missing Request Size Limits

- ID: go-request-size-limits
- Severity: MEDIUM
- CWE: Resource Exhaustion (CWE-400)
- Languages: Go

## Description

The request body is read without a size limit using `ioutil.ReadAll` or `io.ReadAll`, so the handler buffers whatever amount of data the client sends.

## Remediation

Use `http.MaxBytesReader` to limit the request body size before reading.

```go
import (
	"io"
	"net/http"
)

func handler(w http.ResponseWriter, r *http.Request) {
	// Cap the body before reading; a read past the limit returns an error.
	r.Body = http.MaxBytesReader(w, r.Body, 10*1024*1024) // 10 MB
	body, err := io.ReadAll(r.Body)
	if err != nil {
		http.Error(w, "Request too large", http.StatusRequestEntityTooLarge)
		return
	}
	_ = body // process the size-bounded body here
}
```

Learn more: https://shoulder.dev/learn/go/cwe-400/request-size-limits

## Related Rules

- **LLM Denial of Service** [MEDIUM]
- **Denial of Service via Resource Exhaustion** [MEDIUM]
- **LLM Denial of Service** [MEDIUM]
- **Denial of Service via Unbounded Child Processes** [MEDIUM]
- **Missing Resource Limits** [MEDIUM]
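The flagged pattern and the remediation described above, side by side, as an added example that is not part of the original rule page. The names `unbounded`, `limited`, `probe`, `maxBody` and the `/upload` path are hypothetical, the 1 MiB cap is chosen for the example, and `http.MaxBytesError` requires Go 1.19 or later.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

const maxBody = 1 << 20 // 1 MiB cap, chosen for this example

// unbounded is the pattern the rule flags: the whole body is buffered in memory.
func unbounded(w http.ResponseWriter, r *http.Request) {
	body, _ := io.ReadAll(r.Body)
	fmt.Fprintf(w, "read %d bytes", len(body))
}

// limited caps the body, answering 413 for an oversized request and 400 for
// any other read failure, so a broken upload is not misreported as too large.
func limited(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, maxBody)
	body, err := io.ReadAll(r.Body)
	var tooLarge *http.MaxBytesError
	switch {
	case errors.As(err, &tooLarge):
		http.Error(w, "Request too large", http.StatusRequestEntityTooLarge)
	case err != nil:
		http.Error(w, "Bad request", http.StatusBadRequest)
	default:
		fmt.Fprintf(w, "read %d bytes", len(body))
	}
}

// probe sends a constructed body of n zero bytes to h and returns the status code.
func probe(h http.HandlerFunc, n int) int {
	req := httptest.NewRequest(http.MethodPost, "/upload", bytes.NewReader(make([]byte, n)))
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("unbounded, 2 MiB:", probe(unbounded, 2<<20))
	fmt.Println("limited,   1 KiB:", probe(limited, 1<<10))
	fmt.Println("limited,   2 MiB:", probe(limited, 2<<20))
}
```

A body of exactly `maxBody` bytes is accepted; the limit trips on the first byte beyond it.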