# Uncontrolled Resource Consumption (CWE-400) The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources. - Prevalence: High Frequently exploited - Impact: Medium Review recommended - Prevention: Documented 8 fix examples **OWASP:** Security Misconfiguration (A05:2021-Security Misconfiguration) - #5 ## Description Limited resources include memory, file system storage, database connection pool entries, and CPU. If an attacker can trigger the allocation of these limited resources, but the number or size of the resources is not controlled, then the attacker could cause a denial of service. ## Prevention Prevention strategies for Resource Exhaustion based on 8 Shoulder detection rules. ### Go Set MaxTokens limits, validate input length, and configure timeouts for LLM API calls Use http.MaxBytesReader to limit request body size before reading Limit goroutines with semaphore, set HTTP timeouts, and validate allocation sizes ### Node.js Set max_tokens limits and validate input length before LLM API calls Configure timeout and maxBuffer for child process execution to prevent resource exhaustion ### Kubernetes Define CPU and memory resource limits to prevent resource exhaustion and denial of service ### Python Set max_tokens limits, validate input length, and configure timeouts for LLM API calls Set size limits on file reads, bound loop iterations, and add timeouts ## Warning Signs - [MEDIUM] LLM API call lacks resource limits - [MEDIUM] AI/LLM API calls lacking token limits or input validation that could enable denial of service - [MEDIUM] Unbounded resource usage can lead to DoS - [MEDIUM] AI/LLM API calls that lack token limits, potentially enabling denial of service attacks - [MEDIUM] child process execution (exec, spawn) without proper resource limits - [MEDIUM] Container is missing resource limits. - [MEDIUM] containers missing resource limits - [MEDIUM] operations that can cause resource exhaustion: unbounded loops on user input, reading entire large f ## Consequences - DoS: Resource Consumption - DoS: Crash/Exit/Restart ## Mitigations - Implement rate limiting - Use resource quotas - Implement timeouts for operations ## Detection - Total rules: 8 - Languages: go, javascript, typescript, yaml, python ## Rules by Language ### Go (3 rules) - **LLM Denial of Service** [MEDIUM]: Detects AI/LLM API calls lacking token limits or input validation that could enable denial of service. - Remediation: Set MaxTokens to limit response size and validate input length. ```go resp, _ := client.CreateChatCompletion(ctx, openai.ChatCompletionRequest{ MaxTokens: 500, }) ``` Learn more: https://shoulder.dev/learn/go/cwe-400/llm-denial-of-service - **Missing Request Size Limits** [MEDIUM]: Request body read without size limit using ioutil.ReadAll or io.ReadAll. - Remediation: Use http.MaxBytesReader to limit request body size before reading. ```go func handler(w http.ResponseWriter, r *http.Request) { r.Body = http.MaxBytesReader(w, r.Body, 10*1024*1024) // 10 MB body, err := io.ReadAll(r.Body) if err != nil { http.Error(w, "Request too large", http.StatusRequestEntityTooLarge) return } } ``` Learn more: https://shoulder.dev/learn/go/cwe-400/request-size-limits - **Denial of Service via Resource Exhaustion** [MEDIUM]: Unbounded goroutines, missing timeouts, or unchecked allocations from user input. - Remediation: Use a worker pool with semaphore to limit concurrent goroutines. ```go sem := make(chan struct{}, 100) // limit to 100 concurrent for _, item := range items { sem <- struct{}{} go func(i Item) { defer func() { <-sem }() process(i) }(item) } ``` Learn more: https://shoulder.dev/learn/go/cwe-400/resource-exhaustion ### Javascript (2 rules) - **LLM Denial of Service** [MEDIUM]: Detects AI/LLM API calls that lack token limits, potentially enabling denial of service attacks. OWASP LLM04 - Model Denial of Service. DoS attacks against LLMs can: - Exhaust API quotas through unbounded token generation - Cause excessive costs via high token usage - Degrade service availability This rule detects: - Missing max_tokens limits on completions - Missing input length validation - Unbounded streaming responses NOTE: Rate limiting is covered separately by the Express rate-limiting rule. See: rules/javascript/projects/express/security/rate-limiting.yaml - Remediation: Set max_tokens limits and validate input length before LLM calls. ```javascript const response = await openai.chat.completions.create({ model: 'gpt-4', messages: [{ role: 'user', content: message.substring(0, 2000) }], max_tokens: 500 }); ``` Learn more: https://shoulder.dev/learn/javascript/cwe-400/llm-denial-of-service - **Denial of Service via Unbounded Child Processes** [MEDIUM]: Detects child process execution (exec, spawn) without proper resource limits. Without timeout or maxBuffer configuration, these processes can: - Hang indefinitely, consuming server resources - Flood memory with unbounded output - Enable DoS attacks through resource exhaustion This is especially critical when the command can be influenced by user input or interacts with external resources (network requests, git operations, etc.). - Remediation: Configure timeout and maxBuffer for child process execution: ```javascript const { exec } = require('child_process'); const { promisify } = require('util'); const execPromise = promisify(exec); const { stdout } = await execPromise(`ping -c 4 ${domain}`, { timeout: 5000, maxBuffer: 1024 * 100 }); ``` Learn more: https://shoulder.dev/learn/javascript/cwe-400/unbounded-exec-dos ### Typescript (2 rules) - **LLM Denial of Service** [MEDIUM]: Detects AI/LLM API calls that lack token limits, potentially enabling denial of service attacks. OWASP LLM04 - Model Denial of Service. DoS attacks against LLMs can: - Exhaust API quotas through unbounded token generation - Cause excessive costs via high token usage - Degrade service availability This rule detects: - Missing max_tokens limits on completions - Missing input length validation - Unbounded streaming responses NOTE: Rate limiting is covered separately by the Express rate-limiting rule. See: rules/javascript/projects/express/security/rate-limiting.yaml - Remediation: Set max_tokens limits and validate input length before LLM calls. ```javascript const response = await openai.chat.completions.create({ model: 'gpt-4', messages: [{ role: 'user', content: message.substring(0, 2000) }], max_tokens: 500 }); ``` Learn more: https://shoulder.dev/learn/javascript/cwe-400/llm-denial-of-service - **Denial of Service via Unbounded Child Processes** [MEDIUM]: Detects child process execution (exec, spawn) without proper resource limits. Without timeout or maxBuffer configuration, these processes can: - Hang indefinitely, consuming server resources - Flood memory with unbounded output - Enable DoS attacks through resource exhaustion This is especially critical when the command can be influenced by user input or interacts with external resources (network requests, git operations, etc.). - Remediation: Configure timeout and maxBuffer for child process execution: ```javascript const { exec } = require('child_process'); const { promisify } = require('util'); const execPromise = promisify(exec); const { stdout } = await execPromise(`ping -c 4 ${domain}`, { timeout: 5000, maxBuffer: 1024 * 100 }); ``` Learn more: https://shoulder.dev/learn/javascript/cwe-400/unbounded-exec-dos ### Python (2 rules) - **LLM Denial of Service** [MEDIUM]: Detects AI/LLM API calls that lack token limits, potentially enabling denial of service attacks. OWASP LLM04 - Model Denial of Service. DoS attacks against LLMs can: - Exhaust API quotas through unbounded token generation - Cause excessive costs via high token usage - Degrade service availability This rule detects: - Missing max_tokens limits on completions - Missing input length validation NOTE: Rate limiting is covered separately by framework-specific rate-limiting rules. - Remediation: Set max_tokens to limit response size and truncate user input. ```python MAX_INPUT_LENGTH = 2000 MAX_OUTPUT_TOKENS = 500 user_message = request.json['message'][:MAX_INPUT_LENGTH] response = openai.chat.completions.create( model='gpt-4', messages=[{'role': 'user', 'content': user_message}], max_tokens=MAX_OUTPUT_TOKENS ) ``` Learn more: https://shoulder.dev/learn/python/cwe-400/llm-denial-of-service - **Resource Exhaustion / Denial of Service** [MEDIUM]: Detects operations that can cause resource exhaustion: unbounded loops on user input, reading entire large files into memory, recursive operations without depth limits, or missing timeouts. These can lead to memory exhaustion or CPU starvation (DoS). - Remediation: Limit file reads, bound loop iterations, and set timeouts for user-controlled operations. ```python from flask import Flask, request app = Flask(__name__) app.config['MAX_CONTENT_LENGTH'] = 10 * 1024 * 1024 # 10 MB MAX_ITERATIONS = 1000 @app.route('/upload', methods=['POST']) def upload(): content = request.files['file'].read(10 * 1024 * 1024) # Bounded read return process(content) @app.route('/process') def process(): count = min(int(request.args.get('count', 10)), MAX_ITERATIONS) return [operation(i) for i in range(count)] ``` Learn more: https://shoulder.dev/learn/python/cwe-400/resource-exhaustion ### Yaml (1 rules) - **Missing Resource Limits** [MEDIUM]: Detects containers missing resource limits. - Remediation: Define resource limits for containers. ```yaml resources: limits: memory: "256Mi" cpu: "500m" ``` Learn more: https://shoulder.dev/learn/kubernetes/cwe-400/missing-resource-limits